ggrabner Absent Member.

REST Driver and OAuth generate token Authentication

Hi all,

I am struggling with the REST driver (1.0.2.0). For a client I need to connect to an application which uses generate authentication token. In short, I need to authenticate to an authentication URL first using username and password, get the token and then use the token for the session.

I managed to get the token using Postman. This is the request I used

POST /auth/oauth/v2/token HTTP/1.1
Host: accounts.acceptance.dex.adp.com
Authorization: Basic <base64 encoded username and password>
Content-Type: application/x-www-form-urlencoded
grant_type: client_credentials&scope=api
cache-control: no-cache

I have tried to configure this in the sub channel of the rest driver

<subscriber-options>
<subAuthMethod display-name="Authentication Method">OAuth</subAuthMethod>
<subAuthBasicID display-name="Authentication ID"></subAuthBasicID>
<subAuthBasicPwd display-name="Authentication Password" is-sensitive="true" type="password-ref"><!-- content suppressed --></subAuthBasicPwd>
<bearerToken display-name="Bearer Token">hide</bearerToken>
<bearerTokenID display-name="Bearer Token ID"></bearerTokenID>
<subOAuthURL display-name="Access Token URL">https://accounts.acceptance.dex.adp.com</subOAuthURL>
<subOAuthID display-name="User Name">base64encode username</subOAuthID>
<subOAuthPwd display-name="User Password" is-sensitive="true" type="password-ref"><!-- content suppressed --></subOAuthPwd>
<query-name display-name="Query Name">grant_type</query-name>
<query-value display-name="Query Value">client_credentials&scope=api</query-value>
<query-name display-name="Query Name">Content-Type</query-name>
<query-value display-name="Query Value">application/x-www-form-urlencoded</query-value>
<subTrustStoreFile display-name="Truststore file"></subTrustStoreFile>
<mutualFields display-name="Set mutual authentication parameters">show</mutualFields>
<subKeystoreFile display-name="Keystore file">/opt/novell/adpkey.jks</subKeystoreFile>
<subKeystorePassword display-name="Keystore password" is-sensitive="true" type="password-ref"><!-- content suppressed --></subKeystorePassword>
<connTimeOut display-name="Http Connection Timeout">1</connTimeOut>
<proxy display-name="Proxy host and port"></proxy>
<proxyFields display-name="Set proxy authentication parameters">hide</proxyFields>
<proxyUserName display-name="User name"></proxyUserName>
<proxyPassword display-name="Password" is-sensitive="true" type="password-ref"/>
<subHttpErrorsToRetry display-name="HTTP errors to retry">307 408 503 504</subHttpErrorsToRetry>
<subHttpRESTBASEURL display-name="Base URL for REST Resources">https://api.acceptance.dex.adp.com</subHttpRESTBASEURL>
<resrc-schemaName display-name="Schema name">Worker</resrc-schemaName>
<resrc-operationMode display-name="Configure Handlers">CUSTOM</resrc-operationMode>
<resrc-handlerConf display-name="Rest Handler Details">/hr/v2/workers#2#0#</resrc-handlerConf>
</subscriber-options>


There is no way to see in the trace how the header is formed. And the documentation is also very bad. Any help would be very appreciated!!

Regards
Georg
Knowledge Partner

Re: REST Driver and OAuth generate token Authentication

On 1/22/2019 2:14 AM, ggrabner wrote:
>
> Hi all,
>
> I am struggling with the REST driver (1.0.2.0). For a client I need to
> connect to an application which uses generate authentication token. In
> short, I need to authenticate to an authentication URL first using
> username and password, get the token and then use the token for the
> session.
>
> I managed to get the token using Postman. This is the request I used
>
> POST /auth/oauth/v2/token HTTP/1.1
> Host: accounts.acceptance.dex.adp.com
> Authorization: Basic <base64 encoded username and password>
> Content-Type: application/x-www-form-urlencoded
> grant_type: client_credentials&scope=api
> cache-control: no-cache
>
> I have tried to configure this in the sub channel of the rest driver
>
> <subscriber-options>
> <subAuthMethod display-name="Authentication
> Method">OAuth</subAuthMethod>
> <subAuthBasicID display-name="Authentication
> ID"></subAuthBasicID>
> <subAuthBasicPwd display-name="Authentication Password"
> is-sensitive="true" type="password-ref"><!-- content suppressed
> --></subAuthBasicPwd>
> <bearerToken display-name="Bearer Token">hide</bearerToken>
> <bearerTokenID display-name="Bearer Token ID"></bearerTokenID>
> <subOAuthURL display-name="Access Token
> URL">https://accounts.acceptance.dex.adp.com</subOAuthURL>
> <subOAuthID display-name="User Name">base64encode
> username</subOAuthID>
> <subOAuthPwd display-name="User Password" is-sensitive="true"
> type="password-ref"><!-- content suppressed --></subOAuthPwd>
> <query-name display-name="Query Name">grant_type</query-name>
> <query-value display-name="Query
> Value">client_credentials&scope=api</query-value>
> <query-name display-name="Query Name">Content-Type</query-name>
> <query-value display-name="Query
> Value">application/x-www-form-urlencoded</query-value>
> <subTrustStoreFile display-name="Truststore
> file"></subTrustStoreFile>
> <mutualFields display-name="Set mutual authentication
> parameters">show</mutualFields>
> <subKeystoreFile display-name="Keystore
> file">/opt/novell/adpkey.jks</subKeystoreFile>
> <subKeystorePassword display-name="Keystore password"
> is-sensitive="true" type="password-ref"><!-- content suppressed
> --></subKeystorePassword>
> <connTimeOut display-name="Http Connection
> Timeout">1</connTimeOut>
> <proxy display-name="Proxy host and port"></proxy>
> <proxyFields display-name="Set proxy authentication
> parameters">hide</proxyFields>
> <proxyUserName display-name="User name"></proxyUserName>
> <proxyPassword display-name="Password" is-sensitive="true"
> type="password-ref"/>
> <subHttpErrorsToRetry display-name="HTTP errors to retry">307
> 408 503 504</subHttpErrorsToRetry>
> <subHttpRESTBASEURL display-name="Base URL for REST
> Resources">https://api.acceptance.dex.adp.com</subHttpRESTBASEURL>
> <resrc-schemaName display-name="Schema
> name">Worker</resrc-schemaName>
> <resrc-operationMode display-name="Configure
> Handlers">CUSTOM</resrc-operationMode>
> <resrc-handlerConf display-name="Rest Handler
> Details">/hr/v2/workers#2#0#</resrc-handlerConf>
> </subscriber-options>
>
> There is no way to see in the trace how the header is formed. And the
> documentation is also very bad. Any help would be very appreciated!!


So first off, you need a header that customizes on the fly, I.e. Not a
single static value.

I would key off a heartbeat, Pub-etp if op = status, if XPATH
@level=heartbeat then check if my token is good. If not, go get another
one and store it in a driver scoped variable. However you do it in the
driver. Query mapped to get the token endpoint?

That is problem #1.

Then add a <driver-operation-data> node to your event, as a sibling to
your <modify> or <add> event.

Append XML element target .. and element of driver-operation-data

Then append XML element target of ../driver-operation-data and name of
header

Then set XML attribute of NAMEofHEADER and its value from your Pub
channel where you set it into a variable.



ggrabner Absent Member.

Re: REST Driver and OAuth generate token Authentication

geoffc;2494315 wrote:
So first off, you need a header that customizes on the fly, I.e. Not a
single static value.

I would key off a heartbeat, Pub-etp if op = status, if XPATH
@level=heartbeat then check if my token is good. If not, go get another
one and store it in a driver scoped variable. However you do it in the
driver. Query mapped to get the token endpoint?

That is problem #1.

Then add a <driver-operation-data> node to your event, as a sibling to
your <modify> or <add> event.

Append XML element target .. and element of driver-operation-data

Then append XML element target of ../driver-operation-data and name of
header

Then set XML attribute of NAMEofHEADER and its value from your Pub
channel where you set it into a variable.




Hey Geoff, many thanks for your reply (your Cool Solutions are great!!).

I understand that I need a dynamic header. But I cannot get through the first step, that is getting the token.
I need to authenticate to an authentication URL with a user name and password encoded in base64. Like shown below

POST /auth/oauth/v2/token HTTP/1.1
Host: accounts.acceptance.dex.adp.com
Authorization: Basic REVYTkwwMDMwmdzNfczM=
Content-Type: application/x-www-form-urlencoded
grant_type: client_credentials&scope=api
cache-control: no-cache


So the authentication params are stored in Authorization: Basic REVYTkwwMDMwmdzNfczM= .
I configured this in the driver params in the Subscriber option (OAuth 2.0 - Generate)

But I get an error. And I cannot see the request the driver sends in the trace

Kind Regards
Georg
Knowledge Partner

Re: REST Driver and OAuth generate token Authentication


>> So first off, you need a header that customizes on the fly, I.e. Not a
>> single static value.
>>
>> I would key off a heartbeat, Pub-etp if op = status, if XPATH
>> @level=heartbeat then check if my token is good. If not, go get another
>> one and store it in a driver scoped variable. However you do it in the
>> driver. Query mapped to get the token endpoint?
>>
>> That is problem #1.
>>
>> Then add a <driver-operation-data> node to your event, as a sibling to
>> your <modify> or <add> event.
>>
>> Append XML element target .. and element of driver-operation-data
>>
>> Then append XML element target of ../driver-operation-data and name of
>> header
>>
>> Then set XML attribute of NAMEofHEADER and its value from your Pub
>> channel where you set it into a variable.

>
>
>
> Hey Geoff, many thanks for your reply (your Cool Solutions are
> great!!).
>
> I understand that I need a dynamic header. But I cannot get through the
> first step, that is getting the token.
> I need to authenticate to an authentication URL with a user name and
> password encoded in base64. Like shown below
>
> POST /auth/oauth/v2/token HTTP/1.1
> Host: accounts.acceptance.dex.adp.com
> Authorization: Basic REVYTkwwMDMwmdzNfczM=
> Content-Type: application/x-www-form-urlencoded
> grant_type: client_credentials&scope=api
> cache-control: no-cache
>
> So the authentication params are stored in Authorization: Basic
> REVYTkwwMDMwmdzNfczM= .
> I configured this in the driver params in the Subscriber option (OAuth
> 2.0 - Generate)


Ok, so if you are not using the Shim's built in auth method, which
sounds like it ought to work, then don't fill that info in. Instead add
it in the op data or driver-op-data to set the specifics you need. You
can build the Auth header the way I suggested just above.

ukrause Super Contributor.

Re: REST Driver and OAuth generate token Authentication

Set all the needed props as operation data. Supported are method (=POST), URL (should be the full URL https://accounts.acceptance.dex.adp.com/auth/oauth/v2/token), and rest-action (should be the action, or REST function) to get the token. Authorization params are used from the driver configuration.

Hope that helps
Knowledge Partner

Re: REST Driver and OAuth generate token Authentication

Oops, docs on driver-op-data are here:

https://www.netiq.com/documentation/identity-manager-47-drivers/generic_rest/data/driver-concepts.html#bvp9xer


Micro Focus Expert

Re: REST Driver and OAuth generate token Authentication

On 2019-01-22 08:14, ggrabner wrote:
> <subOAuthID display-name="User Name">base64encode
> username</subOAuthID>


Shouldn't this be your plain text username?

> And I cannot see the request the driver sends in the trace


Which trace level did you use?

You could also try enabling debugging at the Java layer:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

--
Norbert
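
The token request from the original post and the "check if my token is good" step from the first reply, as an added Python example that is not code from the thread or from the REST driver. It builds the request text offline so the header/body split can be inspected; the client id, secret and response body are constructed values, and `TokenCache` with its 30-second skew is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

# Host and path as quoted in the thread; all credentials below are constructed.
TOKEN_HOST = "accounts.acceptance.dex.adp.com"
TOKEN_PATH = "/auth/oauth/v2/token"


def basic_auth_value(client_id: str, client_secret: str) -> str:
    """Base64-encode the plain-text 'id:secret' pair exactly once."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: str = "api") -> str:
    """Raw HTTP/1.1 text of a client_credentials grant.

    grant_type and scope are form fields in the body, not headers.
    """
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    lines = [
        f"POST {TOKEN_PATH} HTTP/1.1",
        f"Host: {TOKEN_HOST}",
        f"Authorization: {basic_auth_value(client_id, client_secret)}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",  # blank line separates headers from the form body
        body,
    ]
    return "\r\n".join(lines)


class TokenCache:
    """Holds one bearer token and reports when it must be refreshed."""

    def __init__(self, skew_seconds: int = 30):
        self.skew = skew_seconds  # refresh this long before the real expiry
        self.token = None
        self.expires_at = 0.0

    def store(self, response_body: str, now: float) -> None:
        data = json.loads(response_body)
        self.token = data["access_token"]
        # expires_in is optional in RFC 6749; a missing value counts as expired.
        self.expires_at = now + float(data.get("expires_in", 0))

    def is_fresh(self, now: float) -> bool:
        return self.token is not None and now < self.expires_at - self.skew

    def authorization_header(self, now: float) -> str:
        if not self.is_fresh(now):
            raise LookupError("token missing or expired; request a new one")
        return f"Bearer {self.token}"


if __name__ == "__main__":
    print(build_token_request("example-client", "example-secret"))
    cache = TokenCache()
    cache.store('{"access_token": "abc123", "expires_in": 3600}', now=0.0)  # constructed
    print(cache.authorization_header(now=60.0))
```
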