
How to use OAuth 2.0 with Application Server via RESTful API

Hi,

Currently we have an application that communicates with the 1IM system via the RESTful API provided by the application server. This communication is currently done via the RoleBasedEmployee Authentication Module. 

We are looking into changing this so the application uses the OAuth2.0Rolebased Authentication Module.

I have managed to enable the OAuth2.0 authentication module itself, which was easy enough. However, the next step seems rather unclear in the current documentation. Within Designer > configuration parameters > Person there is a parameter called OAuthAuthenticator, followed by many OAuth-specific parameters. I know I have to enable this to allow a user to log in via the RESTful API using OAuth2.0.
Where I am getting stuck / failing to understand is what I need in order to get OAuth2.0 working with those configuration parameters.

Does 1IM come with an identity provider / service internally for OAuth2.0? Or do we need to implement one / use an external provider such as Google, etc.?

Any insight or help is greatly appreciated.

Thank you.

Ash

  • Hi Ash,

    it would be helpful if you took a look at the log file on the application server to get the error details. For security reasons the Application Server does not present detailed error messages to you.

    Alternatively, you can put the Application Server into debug mode, which enables returning the complete error message. Ensure that this is turned off at all times in a production or public environment.

    You will find the switch in the web.config of the Application Server in the <server> section.

    <server>
        <!-- Enable debug mode. This enables sending of technical exceptions to the client. -->
        <!-- ATTENTION: This allows error-based attacks against the database! -->
        <!--<add key="debugmode" value="false"/>-->
    </server>
    

    And as you have already figured out, the authenticator needs some additional parameters that need to be set accordingly.

    • Code: Set this to the Authorization Code you got from the STS.
    • AppUrl: URL of the application found in the table QBMWebApplication, used to pick the correct configuration settings for a specific web application; leave it out if the settings from the global Config Parms should be used.
    • ClientId: ClientId as defined in the STS.
    • Nonce: If you used a nonce to get the authorization code, use the same one here.
    • RedirectUri: the same one you used in your test to connect to the STS directly. I think in your case urn:InstalledApplication.

    But I would check the error message first. Maybe your client is unable to check the signature of the token due to certificate issues.

    HtH
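The reply above stresses that the debugmode switch must never stay on in production. The following script is an added example (not part of the thread and not One Identity's own tooling) that audits an Application Server web.config for that switch; the two config fragments are constructed to match the snippet in the reply, and the assumption that web.config uses a `<configuration>` root is noted in the code.

```python
import xml.etree.ElementTree as ET

# Constructed fragment matching the reply: debugmode left commented out (default off).
# The <configuration> root element is an assumption about the web.config layout.
CONFIG_DEFAULT = """<configuration>
  <server>
    <!-- Enable debug mode. This enables sending of technical exceptions to the client. -->
    <!--<add key="debugmode" value="false"/>-->
  </server>
</configuration>"""

# Constructed fragment with the switch turned on, as it would look during troubleshooting.
CONFIG_DEBUG = """<configuration>
  <server>
    <add key="debugmode" value="true"/>
  </server>
</configuration>"""


def debug_mode_enabled(web_config_xml: str) -> bool:
    """Return True if the <server> section enables debugmode.

    A missing or commented-out <add key="debugmode"> counts as disabled: the XML
    parser drops comments, and the commented default in the reply is "false".
    Key and value comparison is case-insensitive and tolerates surrounding whitespace.
    """
    root = ET.fromstring(web_config_xml)
    # <server> may sit anywhere below the root, so search the whole tree.
    for add in root.iterfind(".//server/add"):
        if add.get("key", "").strip().lower() == "debugmode":
            return add.get("value", "false").strip().lower() == "true"
    return False


def audit_web_config(path: str) -> str:
    """Read a web.config from disk and return a one-line finding for a deployment checklist."""
    with open(path, encoding="utf-8") as fh:
        enabled = debug_mode_enabled(fh.read())
    if enabled:
        return "FAIL: debugmode is on; technical exceptions are returned to clients"
    return "OK: debugmode is off"


if __name__ == "__main__":
    print(debug_mode_enabled(CONFIG_DEFAULT))  # False
    print(debug_mode_enabled(CONFIG_DEBUG))    # True
```

Run `audit_web_config` against the real web.config path of each Application Server instance as part of a pre-release check so a switch flipped on for debugging is caught before the instance goes public.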
