
How to use OAuth 2.0 with Application Server via RESTful API

Hi,

Currently we have an application that communicates with the 1IM system via the RESTful API provided by the application server. This communication is currently done via the RoleBasedEmployee Authentication Module. 

We are looking into changing this so the application uses the OAuth2.0Rolebased Authentication Module.

I have managed to enable the OAuth2.0 authentication module itself, this was easy enough. However, the next step seems to be rather unclear in the current documentation. Within designer > configuration parameters > Person there is a parameter called OAuthAuthenticator, followed by many OAuth specific parameters. I know I have to enable this to allow a user to login via the RESTful API using OAuth2.0.
Where I am getting stuck / failing to understand is what I need to get OAuth2.0 working with those configuration parameters. 

Does 1IM come with an identity provider / service internally for OAuth2.0? Or do we need to implement one / use an external provider such as Google etc...?

Any insight or help is greatly appreciated.

Thank you.

Ash

  • The OAuth / OpenID Connect authenticator acts as client so you still need an identity provider.

    One Identity Manager comes with a lightweight identity provider that connects to an AD domain out of the box. You will find that STS in the Autorun of the OneIM delivery underneath other products.

    In addition, you find more information about the configuration parameters for the OAuth / OpenID Connect authenticator in the documentation.

    https://support.quest.com/technical-documents/identity-manager/7.1.1/identity-management-base-module-administration-guide/22#TOPIC-666174

  • Thanks for the reply Markus,

    I have successfully installed.
    Is there any documentation on how the STS works? In regards to what format my http calls to the login / token endpoint should look like and what response is expected etc? A bit how it's documented within the API Rest documentation.
  • RSTS's default configuration includes a Microsoft Active Directory provider configured to connect to the Active Directory domain to which the RSTS server machine is joined. No additional configuration is required to use this default provider to authenticate users against the joined domain and retrieve user attributes and group membership information.

    You will find technical documentation on the product DVD \Modules\QBM\install\bin\DellRSTS.chM

    But, if you use the installer I have posted, the installer will configure everything in One Identity Manager to talk to the RSTS using OAuth 2.0. But the information you seek should also be included in this document.

  • Thanks again for the quick response Markus, it's greatly appreciated.

    I have read and used the technical documentation for Dell STS.
    I have successfully performed a full OAuth workflow with only the Dell STS, by that I mean direct HTTP requests and such with the Dell STS.
    Now the last part that I seem to not quite get working is authenticating with the RESTful API (on application server) using the OAuth Authentication Module.

    I shall describe my attempts:

    I perform the authentication with STS to obtain the OAuth code.
    I do this for example over dell2012svr2.dell.iamdemo.int/.../login

    I get the code which starts with eyJ0eXAiOi.... (won't list out the whole thing)

    Now I want to use the oauth code with the OAuth module for authenticating via the API:
    The OAuth Authentication module details:
    [
      {
        "id": "OAuth",
        "caption": "OAuth 2.0 / OpenID Connect",
        "authTemplate": "Module=OAuth;(OAuth2Code)Code=;(Hidden)AppUrl=;(Hidden)ClientId=;(Hidden)Nonce=;(Hidden)RedirectUri=",
        "passwordBased": false,
        "isDefault": false
      }
    ]

    I do a POST call to 192.168.42.176/.../apphost with the body of
    {"authString":"Module=OAuth;Code=eyJ0eXAiOi..."}

    However at this point the API responds with:
    {
      "responseStatus": {
        "message": "An error occured."
      },
      "errorString": "An error occured.",
      "exceptions": [
        {
          "number": 2072000,
          "message": "An error occured."
        }
      ]
    }

    I have also tried:
    {"authString":"Module=OAuth;Code=eyJ0eXAiOi...;RedirectUri=urn:InstalledApplication"}

    As stated before, I have successfully performed the whole OAuth workflow (authenticate, get code, get token ...) purely by talking to the Dell STS, but my current use case is to authenticate with the RESTful API on the application server using OAuth.

    I feel like I am very close to reaching the end goal.

    Thanks again

    Ash
  • Hi Ash,

    It would be helpful if you would take a look at the log file at the application server to get the error details. For security reasons the Application Server does not present you detailed error messages.

    Or you can put the Application Server into debug mode, which enables returning the complete error message. Ensure that this is turned off at all times in a production or public environment.

    You will find the switch in the web.config of the Application Server in the <server> section.

    <server>
        <!-- Enable debug mode. This enables sending of technical exceptions to the client. -->
        <!-- ATTENTION: This allows error-based attacks against the database! -->
        <!--<add key="debugmode" value="false"/>-->
    </server>

    And as you have already figured out, the authentifier needs some additional parameters that need to be set accordingly.

    • Code: Set this to the Authorization Code you got from the STS.
    • AppUrl: URL of the application found in the table QBMWebApplication to use the correct configuration settings for a specific web application, or leave it out if settings from the global Config Parms should be used.
    • ClientId: ClientId as defined in the STS.
    • Nonce: If you have used a Nonce to get the auth. code, use the same here.
    • RedirectUri: the same as you have used in your test to connect to STS directly. I think in your case urn:InstalledApplication.

    But I would check the error message first. Maybe your client is unable to check the signature of the token due to certificate issues.

    HtH

  • Hi Markus

    Sorry for the long delay, other work came in the way and such, anyway,

    I greatly appreciate all the help you have provided through the entire time, I got it to finally work. In the end the issue was that I was just using the OAuth authentication module.
    When I tried it with the OAuth 2.0 (role based) authentication module it worked.

    Thanks again,

    Ash
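Putting Markus's parameter list and Ash's conclusion (the role-based module, not the plain OAuth one) together as an added example that is not code from the thread or from One Identity: it fills the authString from the authTemplate the application server returns, submits it, and recognises the error reply shapes quoted above. The login URL, the authorization code and the redirect URI are placeholders the caller supplies; treating "(Hidden)" fields as optional is an assumption based on Markus's note about AppUrl.

```python
import json
import re
import urllib.request

# Added example: authTemplate as returned by the application server, with the
# module id the thread ended up using; "(Hint)" prefixes are metadata, not sent back
AUTH_TEMPLATE = ("Module=OAuthRoleBased;(OAuth2Code)Code=;(Hidden)AppUrl=;"
                 "(Hidden)ClientId=;(Hidden)Nonce=;(Hidden)RedirectUri=")
_FIELD = re.compile(r"^(?:\((?P<hint>[^)]*)\))?(?P<key>[^=;]+)=(?P<value>.*)$")

def parse_auth_template(template):
    """Return (key, hint, preset value) triples in template order."""
    fields = []
    for part in template.split(";"):
        m = _FIELD.match(part)
        if not m:
            raise ValueError("malformed template field: %r" % part)
        fields.append((m.group("key"), m.group("hint"), m.group("value")))
    return fields

def build_auth_string(template, **values):
    """Fill the template. Assumption: "(Hidden)" fields may be omitted so the
    server falls back to the global config parameters; all others are required.
    A value containing ';' or '=' would corrupt the string and is rejected."""
    parts = []
    for key, hint, preset in parse_auth_template(template):
        val = values.get(key, preset)
        if ";" in val or "=" in val:
            raise ValueError("value of %s contains ';' or '='" % key)
        if val == "":
            if hint == "Hidden":
                continue
            raise ValueError("%s is required" % key)
        parts.append("%s=%s" % (key, val))
    return ";".join(parts)

def auth_failed(reply):
    """True for the error shapes quoted in the thread; the real cause is only
    in the application server log unless debugmode is switched on."""
    status = reply.get("responseStatus") or {}
    return bool(status.get("message")) or bool(reply.get("exceptions"))

def login(login_url, auth_string):
    """POST the authString to the apphost login URL (supplied in full by the caller)."""
    body = json.dumps({"authString": auth_string}).encode("utf-8")
    req = urllib.request.Request(login_url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The Code value must be the authorization code obtained from the STS, not the access token minted from it; the server rejects the latter with the "Token is not an authorization code token" error.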
  • I have OAuth2 working with both ITshop and the Application server via their respective web interfaces. I am trying to make API calls via Postman using an existing OAuth2 token in v7.1.2. I have been trying this string: {"authString":"Module=OAuthRoleBased;Code=E2-rs4BmRnpFFIah9Y9L7kzrWz4;RedirectUri=http://web.d1im.local/D1IMAppServer/login"}; "Should" this work? This token/code is from my OAuth2 provider. The error I get from the logs:

    "---> (Inner Exception #0) VI.Base.ViException: Failed to authenticate user. ---> QER.OAuthAuthentifier.OAuth2Exception: invalid_grant. Token is not an authorization code token: E2-rs4BmRnpFFIah9Y9L7kzrWz4" 

    or depending on which redirect URL I use: 

    "---> (Inner Exception #0) VI.Base.ViException: Failed to authenticate user. ---> QER.OAuthAuthentifier.OAuth2Exception: invalid_grant. The provided access grant is invalid, expired, or revoked."

    What would OAuth2 API authentication steps look like? I currently authenticate using the same clientid in my app, then use the token returned from that in this call.

  • The code parameter in the authentication string expects the authorization code, not the access token.

  • Passing the Authorization code I get back: 

    {
      "responseStatus": {
        "errorCode": "ViException",
        "message": "Failed to authenticate user.",
        "errors": []
      }
    }

  • What is the log on the application server saying? It should contain more details.