Topic
  • 8 replies
  • Latest Post - ‏2014-04-23T19:00:40Z by tallurisri
Datapowerforum

Pinned topic OAuth related Error while trying to generate Token during Authorization

2014-04-10T09:48:19Z

Hi,

I am using the following link to implement OAuth:

http://www.ibm.com/developerworks/websphere/library/techarticles/1208_yeh/1208_yeh.html#_Step_1:_Client

I have used the same configuration to implement the "getAccessToken" part but am getting an error at authorization.

Please find the details below.

The curl script used to invoke the service is below:

curl -v -k --insecure http://XXXXXXXX:XXXX/token -d "grant_type=client_credentials&scope=getAccount" -H "Authorization: Basic QWxpY2U6cGFzc3cwcmQ="
 

Error:

* About to connect() to XXXXXXX port XXXX
*   Trying  XXXXXXX... connected
* Connected to  XXXXXXX ( XXXXXXX) port XXXX

> POST /token HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: XXXXXXX:XXXX
> Accept: */*
> Authorization: Basic QWxpY2U6cGFzc3cwcmQ=
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=client_credentials&scope=getAccount
< HTTP/1.1 400 Processed
< X-Backside-Transport: FAIL FAIL
< Connection: Keep-Alive
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=UTF-8
< Cache-Control: no-store
< Pragma: no-cache
* Connection #0 to host 1XXXXXXX left intact
* Closing connection #0
{ "error":"unauthorized_client", "error_description":"not authorized for the resources" }$

  • shiufun

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-15T20:25:31Z  

    This seems like a configuration issue. What is the AAA setting that you have? And what version of firmware?

  • Datapowerforum

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-16T09:22:07Z  
    • shiufun
    • ‏2014-04-15T20:25:31Z


    Hi shiufun,

    There was some namespace error in AAA which has been sorted out now. But now I am stuck with another issue.

    I need some idea for getting the OAuth code, which can be used to get the access token.

    So my concern here is how to implement this in an MPG to get the OAuth code. We are using a curl script to pass the request.

    Kindly provide me some input on how to proceed to generate the OAuth token; I also need the curl script. We are using XI52 5.0.

  • tallurisri

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-17T01:43:30Z  


    Hi Experts, 

    I am trying to configure OAuth using DataPower as an enforcement point for the resource server.

    We are using Ping Federate as an OAuth authorization server, and we are thinking of doing access token verification using DataPower as the enforcement point.

    I am following the Part 7 article:

    Using OAuth on IBM WebSphere DataPower Appliances, Part 7: Using DataPower with Tivoli Federated Identity Manager to support OAuth 2.0

    But this article only allows me to configure the FIM endpoint, using Tivoli Federated Identity Manager as the OAuth authorization server.

    Can you please help me configure the Ping server as the OAuth authorization server?

    Thanks,

    Sri.

     

     

  • shiufun

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-17T03:58:42Z  


    Please advise on the version of the firmware that you are using. For the authorization code grant type, there is an authorization/consent form in the OAuth dance. If you are using 6.0.0 and later, you can use preapproval support to bypass that. In addition to that, the resource owner has to be able to authenticate successfully (and potentially be authorized to the resource in the first place).

    So in your configuration for the AAA for the authorization code grant type, if you use 'basic authentication' for the resource owner, you can do something like this (with alice being your resource owner):

    curl -k -v https://dp:port/authz --data "client_id=xxx&client_secret=xxx&redirect_uri=https://youclient.com/redirect&scope=yourscope&response_type=code" --user alice:password
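
Added example, not part of shiufun's post: when the authorization request above succeeds, RFC 6749 section 4.1.2 has the server redirect to the redirect_uri with a `code` query parameter, which is then exchanged at the token endpoint (section 4.1.3). The script extracts the code from a header dump saved with `curl -D` and rejects error or wrong-target redirects; the sample headers, `client.example`, and the `TOKEN_URL`, `CLIENT_ID` and `CLIENT_SECRET` variables are assumptions.

```shell
#!/bin/sh
# Added example; header dumps below are constructed sample data.

# Location header value from a header dump saved with `curl -D`.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1
}

# Value of query parameter $2 in URL $1 (first occurrence, fragment ignored).
query_param() {
    printf '%s\n' "$1" | sed -n 's/^[^?]*?//p' | sed 's/#.*$//' |
        tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the authorization code from header dump $1, given the redirect_uri $2
# that was sent in the authorization request. Non-zero status on any failure.
extract_code() {
    loc=$(location_of "$1")
    case "$loc" in
        "$2"\?*) ;;
        *) echo "redirect does not target $2" >&2; return 1 ;;
    esac
    err=$(query_param "$loc" error)
    if [ -n "$err" ]; then
        echo "authorization failed: $err" >&2; return 2
    fi
    code=$(query_param "$loc" code)
    if [ -z "$code" ]; then echo "no code in redirect" >&2; return 3; fi
    printf '%s\n' "$code"
}

# Token request (RFC 6749 section 4.1.3). TOKEN_URL, CLIENT_ID and
# CLIENT_SECRET are assumed to be set by the caller; not run here.
exchange_code() {
    curl -s "$TOKEN_URL" --user "$CLIENT_ID:$CLIENT_SECRET" \
        --data-urlencode "grant_type=authorization_code" \
        --data-urlencode "code=$1" \
        --data-urlencode "redirect_uri=$2"
}

# Constructed sample: a successful redirect carrying a code.
SAMPLE_REDIRECT='https://client.example/redirect'
SAMPLE_OK=$(printf 'HTTP/1.1 302 Found\r\nLocation: %s?code=Abc123xyz&state=s1\r\n' "$SAMPLE_REDIRECT")
extract_code "$SAMPLE_OK" "$SAMPLE_REDIRECT"
```

The redirect_uri passed to `exchange_code` has to be identical to the one sent in the authorization request, since the token endpoint compares the two.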

  • shiufun

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-17T04:01:47Z  


    Sri,

    The best way is to use the customized OAuth client support: provide the support for the operation, verify-access-token, with a call to Ping Federate using a url-open call.

    Kind Regards.

     

  • tallurisri

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-17T18:12:40Z  
    • shiufun
    • ‏2014-04-17T04:01:47Z


    Hi Shiufun,

    Thanks for your quick response. Can you please explain what steps I need to do in the AAA policy configuration to verify the access token with the Ping server?

     

    Thanks,

    Sri. 

     

  • tallurisri

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-17T18:14:01Z  
    • shiufun
    • ‏2014-04-17T04:01:47Z


    Hi Shiufun,

    Thanks for your quick response. Can you please explain what steps I need to do in the AAA policy configuration to verify the access token with the Ping server?

     

    Thanks,

    Sri. 

     

  • tallurisri

    Re: OAuth related Error while trying to generate Token during Authorization

    ‏2014-04-23T19:00:40Z  
    • shiufun
    • ‏2014-04-17T03:58:42Z


    Hi Shiufun,

    I am trying to implement OAuth on DataPower XI52 6.0.0.2.

    I created a WTS service to use DataPower as the authorization server, and implemented OAuth clients to accept grant type client_credential.

    I configured the AAA policy to handle authorization using a local aaainfo.xml file.

    It seems the service is working fine and I am able to get access tokens, but no authentication or authorization was happening in AAA. I am also getting access tokens in the authentication/authorization failure scenario.

    I followed this link http://www.ibm.com/developerworks/websphere/library/techarticles/1208_yeh/1208_yeh.html to configure OAuth.

    Please share your suggestions to fix this issue (the authorization check should work).

    Thank You.

    Sri. 

     

     

    Updated on 2014-04-25T13:28:01Z by tallurisri