Template for OAuth authorization form
The authorization form is returned to resource owners to gain approval for OAuth clients to access protected resources.
The <xsl:template> node for the authorization form portion of the stylesheet uses the following variables.

approve - Indicates whether the resource owner approves the request. The form posts it back as true or false.
submit-url - The context/oauth/submit-uri variable contains the URI that the form is submitted to.
original-url - The context/oauth/original-url variable contains the URL that the OAuth client sent to request access to the protected resource.
client_id - The context/oauth/client_id variable contains the client ID.
scope - The context/oauth/scope variable contains the scope that the client is requesting access to.
resource_owner - The context/oauth/dp-state/result/resource-owner variable contains the identity of the resource owner.
dp-state - The context/oauth/dp-state/result/code variable contains the DataPower® code. The form carries it in a hidden field and returns it unchanged.
redirect_uri - The context/oauth/identity/oauth-id/redirect_uri variable contains the redirection URI.
dp-data - The context/oauth/dp-data variable contains data that is related to the DataPower Gateway.
miscinfo - The context/oauth/dp-state/result/miscinfo variable contains miscellaneous information from the custom stylesheet. The maximum length of this information is 1024 characters.
response_type - Optional: The context/oauth/response_type variable contains the response type.
state - Optional: The context/oauth/state variable contains the state.
selectedscope - Optional: The context/oauth/selectedscope variable contains the list of scopes that the resource owner selected.
The following code is a modified excerpt from the OAuth-Generate-HTML.xsl example stylesheet that generates the authorization form. See the annotated stylesheet in the store: directory for completeness.
<xsl:template name="az-form">
<xsl:param name="input" select="/.."/>
<!-- CSP source keywords must be single-quoted ('self'); "self" in double quotes is not
     recognized and leaves the directive without a valid source. An XPath string literal
     cannot contain its own delimiter, so build the value in a variable first. -->
<xsl:variable name="csp">default-src 'self'</xsl:variable>
<dp:set-http-response-header name="'Content-Security-Policy'" value="string($csp)"/>
<dp:set-http-response-header name="'X-Frame-Options'" value="'SAMEORIGIN'"/> <!-- for ClickJack -->
<dp:set-http-response-header name="'Frame-Options'" value="'SAMEORIGIN'"/> <!-- for ClickJack; non-standard legacy name, kept beside X-Frame-Options -->
<dp:set-http-response-header name="'X-XSS-Protection'" value="'1; mode=block'"/> <!-- XSS Protection; legacy header that current browsers ignore, the CSP above is the effective control -->
<xsl:variable name="submit_uri" select="$input/oauth/submit-url"/>
…
<xsl:variable name="state" select="$input/oauth/state"/>
<html lang="en" xml:lang="en">
<head>…</head>
<body>
<form method="POST" style="display: inline;"
enctype="application/x-www-form-urlencoded">
<xsl:attribute name="action">
<xsl:value-of select="$submit_uri"/>
</xsl:attribute>
<h1>Request for Permission</h1>
<p>Welcome <xsl:value-of select="$resource_owner"/></p>
<p>Example Company is requesting your permission to access
<xsl:value-of select="$scope"/>. Click <b>Allow</b> to grant or
<b>Reject</b> to deny.</p>
<p>Clicking <b>Submit</b> redirects to
<xsl:value-of select="$redirect_uri"/>.</p>
<input type="hidden" name="dp-state">…</input>
…
<input type="hidden" name="client_id">…</input>
<!-- Reject is preselected so that an accidental or scripted submit denies access;
     the id/for pairing lets a click on the label select the radio. -->
<input type="radio" id="approve-true" name="approve" value="true"/>
<label for="approve-true">Allow</label>
<input type="radio" id="approve-false" name="approve" value="false"
checked="checked"/>
<label for="approve-false">Reject</label><br/>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
</xsl:template>
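The template above writes values that an attacker can influence (the requested scope, the resource owner identity, the redirect URI) into HTML, and relies on the response headers and the preselected Reject radio for safety. The following Python script is an added example, not part of IBM's stylesheet or documentation: it audits a rendered authorization form for those properties. The sample response it checks is constructed inline to imitate the az-form output, and the gateway URL, client ID, dp-state value and redirect URI are made up. The audit checks the CSP and X-Frame-Options headers, that the single form POSTs to the submit URL, that the hidden dp-state and client_id fields are present, that Reject is the default selection, and that injected values were escaped rather than rendered as markup.

```python
"""Audit a rendered DataPower OAuth authorization form.

Added example, not IBM code. All inputs are constructed: the HTML imitates
what the az-form template emits; URLs and identifiers are invented.
"""
from html import escape
from html.parser import HTMLParser

SUBMIT_URL = "https://gw.example.com/oauth/authorize"  # assumed submit-url value


def render_form(resource_owner, scope, dp_state, client_id, redirect_uri,
                default_approve="false", escape_values=True):
    """Imitate the az-form output. escape_values=False reproduces what a template
    emitting the values with disable-output-escaping would produce (a bug)."""
    esc = escape if escape_values else (lambda s: s)
    checked = lambda v: ' checked="checked"' if v == default_approve else ""
    return f"""<html lang="en"><head><title>Request for Permission</title></head>
<body>
<form method="POST" enctype="application/x-www-form-urlencoded" action="{escape(SUBMIT_URL, quote=True)}">
<h1>Request for Permission</h1>
<p>Welcome {esc(resource_owner)}</p>
<p>Example Company is requesting your permission to access {esc(scope)}.</p>
<p>Clicking <b>Submit</b> redirects to {esc(redirect_uri)}.</p>
<input type="hidden" name="dp-state" value="{escape(dp_state, quote=True)}"/>
<input type="hidden" name="client_id" value="{escape(client_id, quote=True)}"/>
<input type="radio" name="approve" value="true"{checked('true')}/><label>Allow</label>
<input type="radio" name="approve" value="false"{checked('false')}/><label>Reject</label>
<input type="submit" name="submit" value="Submit"/>
</form></body></html>"""


class _FormParser(HTMLParser):
    """Collect forms, their inputs, and any script element in the document."""

    def __init__(self):
        super().__init__()
        self.forms, self.script_tags, self._form = [], 0, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action"),
                          "method": (a.get("method") or "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)
        elif tag == "script":
            self.script_tags += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_az_form(headers, body, submit_url=SUBMIT_URL):
    """Return a list of findings; an empty list means the form passed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if "'self'" not in h.get("content-security-policy", ""):
        findings.append("CSP missing or 'self' not single-quoted")  # "self" is not a CSP keyword
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing: form can be framed (clickjacking)")
    p = _FormParser()
    p.feed(body)
    if p.script_tags:
        findings.append("script element present: an injected value was not escaped")
    if len(p.forms) != 1:
        findings.append(f"expected one form, found {len(p.forms)}")
        return findings
    f = p.forms[0]
    if f["method"] != "POST" or f["action"] != submit_url:
        findings.append(f"form must POST to {submit_url}, got {f['method']} {f['action']}")
    hidden = {i.get("name"): i.get("value") for i in f["inputs"] if i.get("type") == "hidden"}
    for name in ("dp-state", "client_id"):
        if not hidden.get(name):
            findings.append(f"hidden field {name} missing or empty")
    radios = {i.get("value"): ("checked" in i) for i in f["inputs"]
              if i.get("type") == "radio" and i.get("name") == "approve"}
    if set(radios) != {"true", "false"}:
        findings.append("approve radio must offer exactly true and false")
    elif radios["true"] or not radios["false"]:
        findings.append("default selection must be Reject (approve=false)")
    return findings


GOOD_HEADERS = {"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "SAMEORIGIN"}
BAD_HEADERS = {"Content-Security-Policy": 'default-src "self"'}  # the quoting mistake to avoid


def good_case():
    body = render_form("alice", "read:profile", "opaque-dp-code-123", "client-42",
                       "https://app.example.com/cb")
    return audit_az_form(GOOD_HEADERS, body)


def bad_case():
    body = render_form("alice", "<script>alert(1)</script>", "opaque-dp-code-123",
                       "client-42", "https://app.example.com/cb",
                       default_approve="true", escape_values=False)
    return audit_az_form(BAD_HEADERS, body)


if __name__ == "__main__":
    print("good:", good_case())
    print("bad:", bad_case())
```

To use it against a real gateway, replace the constructed body and headers with the response captured from the authorization endpoint and pass the submit-url you configured; the checks on headers, POST target, hidden state fields, default-deny radio and escaping stay the same.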