15 replies Latest Post - ‏2013-03-12T15:40:34Z by alanholc
alanholc

Pinned topic DP XB62 5.0 & oAuth V1.0?

‏2013-02-22T17:13:47Z |
I'm trying to build a proxy for an external service which uses oAuth V1 (this is a subscription service which we subscribe to - we have no control over it.)
Internal clients (ignorant of the credentials) should be able to call the service from DataPower and DP will handle the authorization. I've searched around to see how I can make this work but everything I find is limited to oAuth V2...
Any thoughts?
Updated on 2013-03-12T15:40:34Z at 2013-03-12T15:40:34Z by alanholc
  • alanholc

    Re: DP XB62 5.0 & oAuth V1.0?

    ‏2013-02-27T16:10:34Z  in response to alanholc
    Ok - I've gotten as far as generating the signature and I've hit this...
    Code excerpt:
    <xsl:variable name="oAuthSignature"
    select="dp:hmac('http//www.w3.org/2000/09/xmldsig#hmac-sha1',
    $oAuthSecret,
    $oAuthSigBase)"/>

    And the error I get:
    Unknown HMAC SignatureMethod algorithm: 'http//www.w3.org/200'

    Is there something here that I'm just not seeing?
    This is on an XB62, 5.0.0.1 firmware.
    • HermannSW
      Re: DP XB62 5.0 & oAuth V1.0?

      ‏2013-02-27T16:28:34Z  in response to alanholc
      OAuth support has been added to DataPower with v5 firmware, see release notes:
      http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2FrelnotesXI.html

      But only support for OAuth 2.0, no v1.

      Here is the first of a series of 7 developerWorks articles on OAuth 2.0 and DataPower:
      http://www.ibm.com/developerworks/websphere/library/techarticles/1208_rasmussen/1208_rasmussen.html

       
      Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
      • alanholc
        Re: DP XB62 5.0 & oAuth V1.0?

        ‏2013-02-27T16:32:06Z  in response to HermannSW
        Pretty sure I can get my proxy working.
        My current particular issue is with this function...
        http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2Fextensionfunctions148.htm&path%3D4_4_1_5_1

        Not sure why I'm getting the error.
        • alanholc
          Re: DP XB62 5.0 & oAuth V1.0?

          ‏2013-02-27T16:36:30Z  in response to alanholc
          Sorry... wrong link...
          Where's the edit message link??

          This is the correct link...

          http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/topic/com.ibm.dp.xi.doc/extensionfunctions123.htm?path=4_4_1_4_33#hmac_function
    • alanholc
      Re: DP XB62 5.0 & oAuth V1.0?

      ‏2013-03-01T05:18:06Z  in response to alanholc
      Finally got past the HMAC-SHA1 issue... no idea why it was occurring, but I deleted the stylesheet and reloaded and that fixed it.
      Now I'm at the last step of generating the oAuth signature...
      In order to generate the signature correctly I have to pass the secret key followed by an ampersand...
      (See this link - http://integr8consulting.blogspot.com/2011/11/technical-using-rest-web-services-with.html )
      Well, I can pass the key alone without issue...
      But when I add the ampersand, I get this...
      “*base64 decode of shared secret key failed*”
      And I'm running out of ideas to try...
      Code is the same as above only I'm concatenating '&' to $oAuthSecret...
      • HermannSW
        Re: DP XB62 5.0 & oAuth V1.0?

        ‏2013-03-01T08:19:45Z  in response to alanholc
        ...
        > Well, I can pass the key alone without issue...
        > But when I add the ampersand, I get this...
        > “*base64 decode of shared secret key failed*”
        > And I'm running out of ideas to try...
        > Code is the same as above only I'm concatenating '&' to $oAuthSecret...

        Which method to specify the key do you use, name/key/hex?
        How do you append & exactly?
        (please enclose code in {​code}...{​code} sections and use preview to make sure your posting displays as you intend before submit)

        From hmac() InfoCenter:
        ...
        key
        (xs:string) Specifies the session key used by algorithm to encrypt text. Use one of the following prefixes to refer to a shared secret key:
        • name:key, such as name:alice, that refers to an already configured shared secret key object named alice.
        • key:Base64 refers to a Base64-encoded literal that is the shared secret key. If you enter Base64 without the key: prefix, the function uses Base64 as the key.
        • hex:hex refers to a hex-encoded literal that is the shared secret key.

         
        Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
        • alanholc
          Re: DP XB62 5.0 & oAuth V1.0?

          ‏2013-03-01T15:01:29Z  in response to HermannSW
          Appreciate the response.
          I've read that function description about a hundred times now.
          I'm not passing a prefix, only the variable name.
          I've tried several methods of adding the &...
          The value of $oAuthSecret is obviously a hex string (0EAADA... etc)
          When I try adding the prefix as in ' hex:$oAuthSecret '
          I get a fatal error - 'Unbound prefix: hex'.
          IBM's code example on the function description does not help much...

          I'm currently looking for a way to convert the hex string to base64 so I can pass it to hmac() without using a prefix...

          If you have a good example for converting say '64744c5040b247bf26' to base64 I'd love to see that.
          • alanholc
            Re: DP XB62 5.0 & oAuth V1.0?

            ‏2013-03-01T16:08:28Z  in response to alanholc
            I guess what I really need right now is a good lesson on how to define a parameter or variable with a hex value...
            Should I add the key: prefix in the variable? And should the variable begin with 0x?
            So... which is correct?
            1 - <xsl:variable name="var" select="'key:0xAABBCCDDEEFF'"/>
            2 - <xsl:variable name="var" select="'0xAABBCCDDEEFF'"/>
            3 - <xsl:variable name="var" select="'AABBCCDDEEFF'"/>
            • HermannSW
              Re: DP XB62 5.0 & oAuth V1.0?

              ‏2013-03-01T21:48:55Z  in response to alanholc
              --> 'hex:AABBCCDDEEFF'

              $ od -tx1 sample
              0000000 aa bb cc dd ee ff
              0000006
              $
              $ base64 sample
              qrvM3e7/
              $

              --> 'key:qrvM3e7/'

              This is how you can do conversion by dp:radix-convert() extension function:
              $ echo "<hex>AABBCCDDEEFF</hex>" | xpath++ "dp:radix-convert(., 16, 64)" -
              qrvM3e7/ 
              $
              


               
              Hermann <myXsltBlog/> <myXsltTweets/> <myCE/>
              Updated on 2014-03-25T02:38:21Z at 2014-03-25T02:38:21Z by iron-man
              • alanholc
                Re: DP XB62 5.0 & oAuth V1.0?

                ‏2013-03-05T22:25:24Z  in response to HermannSW
                Ok. I've been comparing my DataPower results and my .NET client results with the sample generator at this site:
                http://www.freeformatter.com/hmac-generator.html

                So - If I use the following values:
                Message: a
                Key: a
                Digest: SHA1
                The resulting hmac (hex) value is: 3902ed847ff28930b5f141abfa8b471681253673
                Or as a base64 string is OQLthH/yiTC18UGr+otHFoElNnM=
                This is exactly the same as I get from my .NET client.

                BUT Using this in DataPower:
                <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'a', 'a')"/>
                Results in this:
                f5hBCfOXWfP0HboE9Rg3QeNvFEU=

                Why would this be different? What am I missing?
                • HermannSW
                  Re: DP XB62 5.0 & oAuth V1.0?

                  ‏2013-03-05T23:51:12Z  in response to alanholc
                  Your online tool, the Wikipedia samples
                  http://en.wikipedia.org/wiki/Hash-based_message_authentication_code#Examples_of_HMAC_.28MD5.2C_SHA1.2C_SHA256.29

                  OpenSSL and DataPower all do the same:
                  
                  $ echo -n "The quick brown fox jumps over the lazy dog" | openssl sha1 -hmac "key"
                  (stdin)= de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
                  $
                  $ coproc2 hmac.xsl empty.xml http://dp2-l3:2223 ; echo
                  DE7C9B85B8B78AA6BC8A7A36F70A90701C9DB4D9
                  $
                  $ cat hmac.xsl
                  <xsl:stylesheet version="1.0"
                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                    xmlns:dp="http://www.datapower.com/extensions"
                    extension-element-prefixes="dp"
                  >
                    <xsl:output omit-xml-declaration="yes" />

                    <xsl:template match="/">
                      <xsl:variable name="algorithm" select=" 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' "/>
                      <xsl:variable name="key" select=" 'hex:6B6579' "/>  <!-- 'key' -->
                      <xsl:variable name="text" select=" 'The quick brown fox jumps over the lazy dog' "/>

                      <xsl:variable name="hmac64" select="dp:hmac($algorithm, $key, $text)"/>
                      <xsl:value-of select="dp:radix-convert($hmac64, 64, 16)"/>

                    </xsl:template>
                  </xsl:stylesheet>
                  $
                  

                  The documentation says that for $key you have to use prefixes (name/key/hex).
                  It seems to work without the prefixes as well (as long as the key is a valid XML string, 'key' in example)

                   
                  Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
                  • alanholc
                    Re: DP XB62 5.0 & oAuth V1.0?

                    ‏2013-03-06T00:18:56Z  in response to HermannSW
                    That may have just uncovered something...
                    If you change your key value from 'hex:6B6579' to 'key:key' you will get a different hash value...

                    I need to try to convert my string values to hex and use that method... will see what I get then...
                    • HermannSW
                      Re: DP XB62 5.0 & oAuth V1.0?

                      ‏2013-03-06T08:19:56Z  in response to alanholc
                      > ...
                      > I need to try to convert my string values to hex and use that method... will see what I get then...
                      >
                      As I said above, as long as your key only contains XML characters, you can just use it "as is".
                      So select=" 'a' " in your example as well as select=" 'key' " in the Wikipedia example directly work without prefix.

                      But if your key does contain Non-XML characters (nearly sure for randomly generated keys), then
                      these keys need to be prefixed by "key:"/"hex:" if specified inside XSLT when base64-/hex-encoded.

                       
                      Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>
                      • alanholc
                        Re: DP XB62 5.0 & oAuth V1.0?

                        ‏2013-03-12T15:05:50Z  in response to HermannSW
                        Still got nowhere. The problem is with the way it encodes the ampersand character.
                        Take the following examples - using the online HMAC generator and my .NET client, I get the same results:

                        http://www.freeformatter.com/hmac-generator.html
                        (SHA1)
                        message: &
                        secret: a
                        HMAC: b485920df81b7a5a54191fb9df7e534cc82684bc

                        .NET
                        key: a
                        message: &
                        result: tIWSDfgbelpUGR+5335TTMgmhLw=
                        (result in HEX): B4-85-92-0D-F8-1B-7A-5A-54-19-1F-B9-DF-7E-53-4C-C8-26-84-BC

                        BUT, I can't get the same results with DataPower... regardless of which method I try... hex or base64...

                        <xsl:text>DataPower Result base64 Jg== : </xsl:text>
                        <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'key:Jg==', 'a')"/>

                        DataPower Result base64 Jg== : FLDCXf/n5e6iEO4HaE3j19VO+bc=

                        <xsl:text>DataPower Result hex 26: </xsl:text>
                        <xsl:value-of select="dp:hmac('http://www.w3.org/2000/09/xmldsig#hmac-sha1', 'hex:26', 'a')"/>

                        DataPower Result hex 26: FLDCXf/n5e6iEO4HaE3j19VO+bc=

                        I've got a case open with IBM on this... will see what they come up with...
                        • alanholc
                          Re: DP XB62 5.0 & oAuth V1.0?

                          ‏2013-03-12T15:40:34Z  in response to alanholc
                          Oh my word...
                          Nevermind... it just slapped me right in the face - I can't believe I would mess that up...

                          I had the values reversed...

                          I'm going to go crawl back under a rock now... yeesh...
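
A reference check for the signing step this thread works through, added here as an example (it is not code from any poster or from IBM). It builds the OAuth 1.0 HMAC-SHA1 key as RFC 5849 section 3.4.2 defines it, renders the key in the 'hex:' and 'key:' forms that the quoted hmac() documentation lists, and computes the signature with the key first and the text second. The sample secret and base string are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth1_key(consumer_secret: str, token_secret: str = "") -> bytes:
    """RFC 5849 section 3.4.2: encoded consumer secret, '&', encoded token
    secret. The '&' is present even when the token secret is empty."""
    parts = (consumer_secret, token_secret)
    return "&".join(quote(p, safe="-._~") for p in parts).encode("ascii")


def dp_key_forms(key: bytes) -> dict:
    """The same key bytes as a 'hex:' literal and as a 'key:' (Base64) literal,
    so a '&' in the key never appears as a raw character in the stylesheet."""
    return {"hex": "hex:" + key.hex().upper(),
            "key": "key:" + base64.b64encode(key).decode("ascii")}


def parse_dp_key(literal: str) -> bytes:
    """Decode a 'hex:' or 'key:' literal back to the raw key bytes."""
    prefix, _, value = literal.partition(":")
    if prefix == "hex":
        return bytes.fromhex(value)
    if prefix == "key":
        return base64.b64decode(value, validate=True)
    raise ValueError("expected a 'hex:' or 'key:' prefix")


def hmac_sha1_b64(key: bytes, text: bytes) -> str:
    """Base64 HMAC-SHA1, key first and text second: the same argument
    order as dp:hmac(algorithm, key, text)."""
    digest = hmac.new(key, text, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    key = oauth1_key("example-consumer-secret")
    base = b"GET&https%3A%2F%2Fapi.example.test%2Fv1&oauth_nonce%3Dabc"
    print(dp_key_forms(key))                 # literals to paste into the XSLT
    print("signature:", hmac_sha1_b64(key, base))
    # Swapping key and text produces an unrelated digest.
    print("swapped:  ", hmac_sha1_b64(base, key))
```

Passing the printed 'hex:' literal as the second argument of dp:hmac() and the base string as the third should reproduce the printed signature.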