ratclma

Re: test Oauth with curl


sebastijan;274336 Wrote:
> edmaa;2449647 Wrote:
> > On 1/27/2017 12:36 AM, sebastijan wrote:
> > >
> > > edmaa;2449569 Wrote:
> > >> On 1/26/2017 8:55 PM, Edward van der Maas wrote:
> > >> Sorry, that was an incomplete answer there. I forgot to add that the
> > >> curl command above triggers a redirect to a login URL which is
> > >> something I'm not sure is expected.
> > >>
> > >
> > > As far as I can understand OAuth, authorization code
> > > (response_type=code) and implicit (response_type=token) grant types
> > > always redirect to login URL.
> > > After successful authentication user should be redirected back to
> > > redirect_uri, which should be client application.
> > >
> > > regs s
> > >
> >
> > If I use the implicit flow and post the credentials at the same time
> > it works fine.
> >
>
> Interesting, with my NAM I get redirected to login window
> (/nidp/app/login).
> Command:
>
> Code:
> --------------------
>
> curl -kvv -X POST -d "username=user&password=badpassword" "https://idp.site.com/nidp/oauth/nam/authz?response_type=token&scope=myScope&client_id=5b9ecc87-f673-4fc6-ad58-48d722ccbc56&redirect_uri=https://client.example.org/callback&state=1234"
>
> --------------------
>
> returns:
>
> Code:
> --------------------
>
> < HTTP/1.1 302 Found
> < Date: Fri, 27 Jan 2017 07:26:45 GMT
> < Strict-Transport-Security: max-age=31536000;includeSubDomains
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Strict-Transport-Security: max-age=31536000
> < X-Content-Type-Options: nosniff
> < X-XSS-Protection: 1; mode=block
> < Set-Cookie: JSESSIONID=7B85AD728C7431BBCFD5574B0C86012E; Path=/nidp/; Secure; HttpOnly
> < Cache-Control: no-cache, no-store, no-transform
> < Location: https://idp.site.com/nidp//app/login?target=https%3A%2F%2Fidp.site.com%2Fnidp%2Foauth%2Fnam%2Fauthz%3Fpassword%3Dbadpassword%26username%3Duser
> < Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
> < Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
> < Content-Length: 0
> < X-Mag: C086B6219F22D8C1;749fd1db;164101;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;nidp;publicURL->0;_nidp_;RwDis;FP2->0;FP4->7;
> < Via: 1.1 idp.site.com (Access Gateway-ag-C086B6219F22D8C1-164101)
>
> --------------------
>
>
> regs s
>
>
> --
> sebastijan
> ------------------------------------------------------------------------
> sebastijan's Profile: https://forums.novell.com/member.php?userid=1371
> View this thread: https://forums.novell.com/showthread.php?t=494552


So we can't use curl for testing the initial retrieval of the
authorisation code, we can if the grant type is Resource Owner
Credentials or Implicit Flow? I used Firefox F12 to get an
authorization code and then was able to use curl to test retrieving the
token and for testing retrieving userinfo.


--
ratclma
------------------------------------------------------------------------
ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=54418
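The procedure ratclma describes (code taken from the browser's network tab, then curl for the token and userinfo calls), written out as an added example; this is not code from the thread or from NetIQ. It assumes NAM's token and userinfo endpoints sit at /nidp/oauth/nam/token and /nidp/oauth/nam/userinfo next to the authz endpoint quoted above, a confidential client that sends client_id and client_secret in the POST body, and the placeholder host, client_id, redirect_uri and secret set at the top. The state comparison is added because a client is supposed to make that check before it redeems a code, and a test script that skips it will happily redeem a code that was planted in the callback.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from NetIQ. Redeem an authorization
# code captured from the browser's redirect, then call userinfo with the token.
# Assumed: NAM token and userinfo endpoints at /nidp/oauth/nam/token and
# /nidp/oauth/nam/userinfo, a confidential client that sends client_id and
# client_secret in the POST body, and the placeholder values below.
set -euo pipefail

IDP="${IDP:-https://idp.site.com}"
CLIENT_ID="${CLIENT_ID:-5b9ecc87-f673-4fc6-ad58-48d722ccbc56}"
CLIENT_SECRET="${CLIENT_SECRET:-replace-with-the-client-secret}"
REDIRECT_URI="${REDIRECT_URI:-https://client.example.org/callback}"

# Pull one parameter out of the redirect URL seen in the browser (F12 > Network).
# Handles both the code flow (parameters in the query string) and the implicit
# flow (parameters in the fragment). Prints the value, or returns 1 if absent.
extract_param() {
  local url="$1" name="$2" qs kv
  case "$url" in
    *'#'*) qs="${url#*#}" ;;    # implicit flow: callback#access_token=...&state=...
    *)     qs="${url#*\?}" ;;   # code flow:     callback?code=...&state=...
  esac
  local IFS='&'
  for kv in $qs; do
    [ "${kv%%=*}" = "$name" ] && { printf '%s\n' "${kv#*=}"; return 0; }
  done
  return 1
}

# The client's CSRF check: refuse to redeem a code unless the state that came
# back is the one that was sent with the authz request.
check_state() {
  [ "$(extract_param "$1" state)" = "$2" ]
}

# Step 1: redeem the code at the token endpoint. A code is single-use; a second
# call with the same value should be refused by the IdP, which is worth testing.
# -k mirrors the thread's lab command (self-signed IdP cert); drop it elsewhere.
exchange_code() {
  curl -sS -k -X POST "$IDP/nidp/oauth/nam/token" \
    -d grant_type=authorization_code \
    --data-urlencode "code=$1" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET"
}

# Step 2: present the access token as a Bearer credential to userinfo.
userinfo() {
  curl -sS -k -H "Authorization: Bearer $1" "$IDP/nidp/oauth/nam/userinfo"
}

# Pull access_token out of the token response without a JSON parser.
access_token_from() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Usage: main "<redirect URL copied from the browser>" "<state you sent>"
main() {
  local url="$1" state="$2" code response token
  check_state "$url" "$state" || { echo "state mismatch, not redeeming the code" >&2; return 1; }
  code=$(extract_param "$url" code) || { echo "no code in $url" >&2; return 1; }
  response=$(exchange_code "$code")
  token=$(access_token_from "$response")
  [ -n "$token" ] || { echo "token request failed: $response" >&2; return 1; }
  userinfo "$token"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

If the client is registered to send its credentials in an Authorization header instead of the body, replace the two client_* lines with `-u "$CLIENT_ID:$CLIENT_SECRET"`. Keep the code you paste in fresh: it is bound to the redirect_uri it was issued for and is consumed on the first successful token request, so the second run of the script with the same URL is expected to fail at step 1.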


Re: test Oauth with curl

On 1/27/2017 9:09 PM, ratclma wrote:
>
> So we can't use curl for testing the initial retrieval of the
> authorisation code, we can if the grant type is Resource Owner
> Credentials or Implicit Flow? I used Firefox F12 to get an
> authorization code and then was able to use curl to test retrieving the
> token and for testing retrieving userinfo.


That's valid to do. The authorization code token isn't tied to anyone.
Once you have it you can request an access token and obtain the scope
information.


--
Cheers,
Edward

Re: test Oauth with curl

On 1/27/2017 9:09 PM, ratclma wrote:
>
> So we can't use curl for testing the initial retrieval of the
> authorisation code, we can if the grant type is Resource Owner
> Credentials or Implicit Flow? I used Firefox F12 to get an
> authorization code and then was able to use curl to test retrieving the
> token and for testing retrieving userinfo.
>


So, chatting with a few people who are a lot smarter than myself: the
OAuth spec doesn't really dictate how authentication is supposed to
happen, so NAM throwing up authentication when you hit the authz URL
could be because maybe it's assumed you already have a session with NAM?
I'm not sure.

Can I ask what you are trying to achieve?



--
Cheers,
Edward
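Edward's reading (the authz endpoint expects an existing NAM session) is what the 302 to /nidp/app/login in sebastijan's output shows, and the same output explains why posting username and password straight at authz did not help: the target= parameter of that Location header decodes to the authz URL carrying only password=badpassword&username=user, with response_type, client_id, redirect_uri and state gone, and the password now sitting in a query string that proxies and the Access Gateway may log. The script below is an added example, not code from the thread or from NetIQ: it logs in once with a cookie jar, calls authz with that session, and reads the code out of the redirect back to redirect_uri instead of following it into the login page. It assumes NAM's default login form takes Ecom_User_ID and Ecom_Password at /nidp/app/login?sid=0 (check the form fields in the browser if your login page is customised), and the placeholder host, client_id, scope and redirect_uri set at the top.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from NetIQ. Establish a NAM session
# first (cookie jar), then call the authz endpoint with that session and read the
# authorization code out of the 302 back to redirect_uri. Assumed: NAM's default
# login form fields Ecom_User_ID / Ecom_Password posted to /nidp/app/login?sid=0
# (check the form in the browser), and the placeholder host/client/scope below.
set -euo pipefail

IDP="${IDP:-https://idp.site.com}"
CLIENT_ID="${CLIENT_ID:-5b9ecc87-f673-4fc6-ad58-48d722ccbc56}"
REDIRECT_URI="${REDIRECT_URI:-https://client.example.org/callback}"
SCOPE="${SCOPE:-myScope}"
JAR="${JAR:-./nam-cookies.txt}"   # written by curl on first login; delete it afterwards

# Percent-decode a URL component (bash: rewrite %XX as \xXX and let printf expand it).
url_decode() {
  local s="${1//+/ }"
  printf '%b\n' "${s//%/\\x}"
}

# Classify the Location header the authz endpoint answered with:
#   login    - no session for this cookie jar; NAM bounced us to /nidp/app/login
#   callback - sent back to redirect_uri; the code (or an error) is in the query string
#   other    - anything else; print it and look at it before trusting it
classify_redirect() {
  case "$1" in
    "$IDP"/nidp/*app/login*) echo login ;;
    "$REDIRECT_URI"*)        echo callback ;;
    *)                       echo other ;;
  esac
}

# Decode the target= parameter of a login redirect. Run on the header from the
# thread it shows the POSTed username/password folded into the query string and
# the original OAuth parameters gone.
login_target() {
  local target="${1#*target=}"
  url_decode "${target%%&*}"
}

# Step 1: authenticate once; -c writes the session cookies to the jar.
# -k mirrors the thread's lab command (self-signed IdP cert); drop it elsewhere.
nam_login() {
  curl -sS -k -c "$JAR" -b "$JAR" -o /dev/null \
    --data-urlencode "Ecom_User_ID=$1" \
    --data-urlencode "Ecom_Password=$2" \
    "$IDP/nidp/app/login?sid=0"
}

# Step 2: GET authz with the session cookie and, instead of following the
# redirect, print where it points (%{redirect_url} is the resolved Location).
nam_authz() {
  curl -sS -k -b "$JAR" -c "$JAR" -o /dev/null -w '%{redirect_url}' \
    -G --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" \
    --data-urlencode "scope=$SCOPE" \
    --data-urlencode "state=$1" \
    "$IDP/nidp/oauth/nam/authz"
}

# Usage: nam_code <user> <password>   -> prints the authorization code
nam_code() {
  local state location code
  state=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  nam_login "$1" "$2"
  location=$(nam_authz "$state")
  case "$(classify_redirect "$location")" in
    callback) ;;
    login)  echo "still no session; login target was: $(login_target "$location")" >&2; return 1 ;;
    *)      echo "unexpected redirect: $location" >&2; return 1 ;;
  esac
  case "$location" in
    *[?\&]"state=$state"*) ;;
    *) echo "state mismatch in callback, not using this code" >&2; return 1 ;;
  esac
  code="${location#*[?&]code=}"
  code="${code%%&*}"
  [ "$code" != "$location" ] || { echo "callback carried no code: $location" >&2; return 1; }
  printf '%s\n' "$code"
}

if [ "$#" -eq 2 ]; then nam_code "$@"; fi
```

The code this prints is what ratclma was copying out of Firefox; redeem it at the token endpoint the same way. Because the script never follows the redirect to redirect_uri, it works even when the client application is not reachable from the machine running curl, and the `login` branch is the quick way to tell a session problem (cookie jar, wrong form fields) from an OAuth problem (an error= parameter in the callback).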

Re: test Oauth with curl

On 1/27/2017 6:36 PM, sebastijan wrote:

> Interesting, with my NAM I get redirected to login window
> (/nidp/app/login).
> Command:
>
> Code:
> --------------------
>
> curl -kvv -X POST -d "username=user&password=badpassword" "https://idp.site.com/nidp/oauth/nam/authz?response_type=token&scope=myScope&client_id=5b9ecc87-f673-4fc6-ad58-48d722ccbc56&redirect_uri=https://client.example.org/callback&state=1234"
>
> --------------------
>
>
> returns:
>
> Code:
> --------------------
>
> < HTTP/1.1 302 Found
> < Date: Fri, 27 Jan 2017 07:26:45 GMT
> < Strict-Transport-Security: max-age=31536000;includeSubDomains
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Strict-Transport-Security: max-age=31536000
> < X-Content-Type-Options: nosniff
> < X-XSS-Protection: 1; mode=block
> < Set-Cookie: JSESSIONID=7B85AD728C7431BBCFD5574B0C86012E; Path=/nidp/; Secure; HttpOnly
> < Cache-Control: no-cache, no-store, no-transform
> < Location: https://idp.site.com/nidp//app/login?target=https%3A%2F%2Fidp.site.com%2Fnidp%2Foauth%2Fnam%2Fauthz%3Fpassword%3Dbadpassword%26username%3Duser
> < Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
> < Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
> < Content-Length: 0
> < X-Mag: C086B6219F22D8C1;749fd1db;164101;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;nidp;publicURL->0;_nidp_;RwDis;FP2->0;FP4->7;
> < Via: 1.1 idp.site.com (Access Gateway-ag-C086B6219F22D8C1-164101)
>

That's not the implicit flow.


--
Cheers,
Edward