alanholc

Pinned topic DP XB62 5.0 & oAuth V1.0?

‏2013-02-22T17:13:47Z |
I'm trying to build a proxy for an external service which uses oAuth V1 (this is a subscription service which we subscribe to - we have no control over it.)
Internal clients (ignorant of the credentials) should be able to call the service from DataPower and DP will handle the authorization. I've searched around to see how I can make this work but everything I find is limited to oAuth V2...
Any thoughts?
Updated on 2013-03-12T15:40:34Z at 2013-03-12T15:40:34Z by alanholc
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-02-27T16:10:34Z  
    Ok - I've gotten as far as generating the signature and I've hit this...
    Code excerpt:
    <xsl:variable name="oAuthSignature"
    select="dp:hmac('http//www.w3.org/2000/09/xmldsig#hmac-sha1',
    $oAuthSecret,
    $oAuthSigBase)"/>

    And the error I get:
    Unknown HMAC SignatureMethod algorithm: 'http//www.w3.org/200'

    Is there something here that I'm just not seeing?
    This is on an XB62, 5.0.0.1 firmware.
  • HermannSW

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-02-27T16:28:34Z  
    OAuth support has been added to DataPower with v5 firmware, see release notes:
    http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2FrelnotesXI.html

    But only support for OAuth 2.0, no v1.

    Here is the first of a series of 7 developerWorks articles on OAuth 2.0 and DataPower:
    http://www.ibm.com/developerworks/websphere/library/techarticles/1208_rasmussen/1208_rasmussen.html

     
    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-02-27T16:32:06Z  
    Pretty sure I can get my proxy working.
    My current particular issue is with this function...
    http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2Fextensionfunctions148.htm&path%3D4_4_1_5_1

    Not sure why I'm getting the error.
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-02-27T16:36:30Z  
    Sorry... wrong link...
    Where's the edit message link??

    This is the correct link...

    http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/topic/com.ibm.dp.xi.doc/extensionfunctions123.htm?path=4_4_1_4_33#hmac_function
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-01T05:18:06Z  
    Finally got past the HMAC-SHA1 issue... no idea why it was occurring, but I deleted the stylesheet and reloaded and that fixed it.
    Now I'm at the last step of generating the oAuth signature...
    In order to generate the signature correctly I have to pass the secret key followed by an ampersand...
    (See this link - http://integr8consulting.blogspot.com/2011/11/technical-using-rest-web-services-with.html )
    Well, I can pass the key alone without issue...
    But when I add the ampersand, I get this...
    “*base64 decode of shared secret key failed*”
    And I'm running out of ideas to try...
    Code is the same as above only I'm concatenating '&' to $oAuthSecret...
  • HermannSW

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-01T08:19:45Z  
    ...
    > Well, I can pass the key alone without issue...
    > But when I add the ampersand, I get this...
    > “*base64 decode of shared secret key failed*”
    > And I'm running out of ideas to try...
    > Code is the same as above only I'm concatenating '&' to $oAuthSecret...

    Which method to specify the key do you use, name/key/hex?
    How do you append & exactly?
    (please enclose code in {​code}...{​code} sections and use preview to make sure your posting displays as you intend before submit)

    From hmac() InfoCenter:
    ...
    key
    (xs:string) Specifies the session key used by algorithm to encrypt text. Use one of the following prefixes to refer to a shared secret key:
    • name:key, such as name:alice, that refers to an already configured shared secret key object named alice.
    • key:Base64 refers to a Base64-encoded literal that is the shared secret key. If you enter Base64 without the key: prefix, the function uses Base64 as the key.
    • hex:hex refers to a hex-encoded literal that is the shared secret key.

     
    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-01T15:01:29Z  
    Appreciate the response.
    I've read that function description about a hundred times now.
    I'm not passing a prefix, only the variable name.
    I've tried several methods of adding the &...
    The value of $oAuthSecret is obviously a hex string (0EAADA... etc)
    When I try adding the prefix as in ' hex:$oAuthSecret '
    I get a fatal error - 'Unbound prefix: hex'.
    IBM's code example on the function description does not help much...

    I'm currently looking for a way to convert the hex string to base64 so I can pass it to hmac() without using a prefix...

    If you have a good example for converting say '64744c5040b247bf26' to base64 I'd love to see that.
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-01T16:08:28Z  
    I guess what I really need right now is a good lesson on how to define a parameter or variable with a hex value...
    Should I add the key: prefix in the variable? And should the variable begin with 0x?
    So... which is correct?
    1 - <xsl:variable name="var" select="'key:0xAABBCCDDEEFF'"/>
    2 - <xsl:variable name="var" select="'0xAABBCCDDEEFF'"/>
    3 - <xsl:variable name="var" select="'AABBCCDDEEFF'"/>
  • HermannSW

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-01T21:48:55Z  
    --> 'hex:AABBCCDDEEFF'

    $ od -tx1 sample
    0000000 aa bb cc dd ee ff
    0000006
    $
    $ base64 sample
    qrvM3e7/
    $

    --> 'key:qrvM3e7/'

    This is how you can do conversion by dp:radix-convert() extension function:
    $ echo "<hex>AABBCCDDEEFF</hex>" | xpath++ "dp:radix-convert(., 16, 64)" -
    qrvM3e7/ 
    $
    


     
    Hermann <myXsltBlog/> <myXsltTweets/> <myCE/>
    Updated on 2014-03-25T02:38:21Z at 2014-03-25T02:38:21Z by iron-man
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-05T22:25:24Z  
    Ok. I've been comparing my DataPower results and my .NET client results with the sample generator at this site:
    http://www.freeformatter.com/hmac-generator.html

    So - If I use the following values:
    Message: a
    Key: a
    Digest: SHA1
    The resulting hmac (hex) value is: 3902ed847ff28930b5f141abfa8b471681253673
    Or as a base64 string is OQLthH/yiTC18UGr+otHFoElNnM=
    This is exactly the same as I get from my .NET client.

    BUT Using this in DataPower:
    <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'a', 'a')"/>
    Results in this:
    f5hBCfOXWfP0HboE9Rg3QeNvFEU=

    Why would this be different? What am I missing?
  • HermannSW

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-05T23:51:12Z  
    Your online tool, wikipedia samples
    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code#Examples_of_HMAC_.28MD5.2C_SHA1.2C_SHA256.29

    OpenSSL and DataPower all do the same:
    
    $ echo -n "The quick brown fox jumps over the lazy dog" | openssl sha1 -hmac "key"
    (stdin)= de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    $
    $ coproc2 hmac.xsl empty.xml http://dp2-l3:2223 ; echo
    DE7C9B85B8B78AA6BC8A7A36F70A90701C9DB4D9
    $
    $ cat hmac.xsl
    <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:dp="http://www.datapower.com/extensions"
      extension-element-prefixes="dp"
    >
      <xsl:output omit-xml-declaration="yes" />

      <xsl:template match="/">
        <xsl:variable name="algorithm" select=" 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' "/>
        <xsl:variable name="key" select=" 'hex:6B6579' "/>  <!-- 'key' -->
        <xsl:variable name="text" select=" 'The quick brown fox jumps over the lazy dog' "/>

        <xsl:variable name="hmac64" select="dp:hmac($algorithm, $key, $text)"/>
        <xsl:value-of select="dp:radix-convert($hmac64, 64, 16)"/>

      </xsl:template>
    </xsl:stylesheet>
    $
    

    The documentation says you have to use prefixes (name/key/hex) for $key.
    It seems to work without the prefixes as well (as long as the key is a valid XML string, 'key' in the example).

     
    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-06T00:18:56Z  
    That may have just uncovered something...
    If you change your key value from 'hex:6B6579' to 'key:key' you will get a different hash value...

    I need to try to convert my string values to hex and use that method... will see what I get then...
  • HermannSW

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-06T08:19:56Z  
    > ...
    > I need to try to convert my string values to hex and use that method... will see what I get then...
    >
    As I said above, as long as your key contains only XML characters, you can just use it "as is".
    So select=" 'a' " in your example as well as select=" 'key' " in the Wikipedia example work directly without a prefix.

    But if your key contains non-XML characters (nearly certain for randomly generated keys), then
    these keys need to be prefixed by "key:"/"hex:" if specified inside XSLT when base64-/hex-encoded.

     
    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-12T15:05:50Z  
    Still got nowhere. The problem is with the way it encodes the ampersand character.
    Take the following examples - using the online HMAC generator and my .NET client, I get the same results:

    http://www.freeformatter.com/hmac-generator.html
    (SHA1)
    message: &
    secret: a
    HMAC: b485920df81b7a5a54191fb9df7e534cc82684bc

    .NET
    key: a
    message: &
    result: tIWSDfgbelpUGR+5335TTMgmhLw=
    (result in HEX): B4-85-92-0D-F8-1B-7A-5A-54-19-1F-B9-DF-7E-53-4C-C8-26-84-BC

    BUT, I can't get the same results with DataPower... regardless of which method I try... hex or base64...

    <xsl:text>DataPower Result base64 Jg== : </xsl:text>
    <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'key:Jg==', 'a')"/>

    DataPower Result base64 Jg== : FLDCXf/n5e6iEO4HaE3j19VO+bc=

    <xsl:text>DataPower Result hex 26: </xsl:text>
    <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'hex:26', 'a')"/>

    DataPower Result hex 26: FLDCXf/n5e6iEO4HaE3j19VO+bc=

    I've got a case open with IBM on this... will see what they come up with...
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-03-12T15:40:34Z  
    Oh my word...
    Nevermind... it just slapped me right in the face - I can't believe I would mess that up...

    I had the values reversed...

    I'm going to go crawl back under a rock now... yeesh...
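The mix-up resolved in the last post, as an added example that is not part of the thread: it decodes the MACs quoted above whatever their encoding (hex, dash-separated hex, Base64) and tries each value as key and as message to find which assignment produced a given output. The function names are assumptions; the MAC strings are the ones quoted in the posts.

```python
import base64
import hashlib
import hmac
import string
from itertools import product
from typing import Dict, Optional, Tuple


def mac_bytes(text: str) -> bytes:
    """Decode a SHA-1 MAC printed as hex, dash-separated hex or Base64."""
    compact = text.strip().replace("-", "")
    # A 20-byte MAC is 40 hex characters; its Base64 form is 28 characters.
    if len(compact) == 40 and all(c in string.hexdigits for c in compact):
        return bytes.fromhex(compact)
    return base64.b64decode(text.strip(), validate=True)


def find_roles(observed: str, values: Dict[str, bytes]) -> Optional[Tuple[str, str]]:
    """Return (key_name, message_name) whose HMAC-SHA1 equals `observed`, else None."""
    target = mac_bytes(observed)
    for key_name, msg_name in product(values, repeat=2):
        mac = hmac.new(values[key_name], values[msg_name], hashlib.sha1).digest()
        if hmac.compare_digest(mac, target):
            return key_name, msg_name
    return None


# The two byte strings used in the thread's test calls.
VALUES = {"a": b"a", "ampersand": b"&"}

# MAC strings quoted in the posts above.
ONLINE_TOOL = "b485920df81b7a5a54191fb9df7e534cc82684bc"
DOTNET_B64 = "tIWSDfgbelpUGR+5335TTMgmhLw="
DOTNET_HEX = "B4-85-92-0D-F8-1B-7A-5A-54-19-1F-B9-DF-7E-53-4C-C8-26-84-BC"
DATAPOWER = "FLDCXf/n5e6iEO4HaE3j19VO+bc="  # dp:hmac(alg, 'hex:26', 'a')

if __name__ == "__main__":
    for label, mac in [("online tool", ONLINE_TOOL), (".NET", DOTNET_B64),
                       ("DataPower", DATAPOWER)]:
        # Prints which value acted as key and which as message for each output.
        print(label, find_roles(mac, VALUES))
```

HMAC is not symmetric in its two inputs, so a swapped key and message yields a valid-looking but different MAC rather than an error.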