Hi,
comments below,
On 23/09/13 14:11, Messina Andrea wrote:
Hi.
I found an error in the OAuthClientUtils class that prevents(throwing a
*server_error* exception) to receive the access token which was
correctly delivered from an OAuth2 server
(https://login.salesforce.com/services/oauth2/token).
Against of the invocation of the statement:
*ClientAccessToken accessToken = OAuthClientUtils.getAccessToken(client,
consumer, new ResourceOwnerGrant(USER_ID, USER_SECRET), false);*
The server returns the following json response-->
{
"access_token":
"00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS",
"id":
"https://login.salesforce.com/id/00Db0000000aMXbEAM/005b0000000JfBnAAK";,
"instance_url": "https://eu2.salesforce.com";,
"issued_at": "1379940791153",
"signature":
"pXd1DyE9zxSfaslkjsadoisadjiROlaoKKItwyOFkB7BP6mXu042Ec2y9M="
}
Debugging the */map/* variable inside OAuthClientUtils:: getAccessToken
method, it assumes the following value:
·id="https
·issued_at=1379940055511
·instance_url="https
·signature=9nsanKYsYq15ci049snAXV09UgqNKfZs+2TjFhrwgUw=,
·access_token=00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS
First of all, looking at the key-value pairs, turns out some
parsification problems for URL-like values (id & istance_url)
Definitely, currently the parsing is done manually, so ":" in the id &
instance_url values is mis-treated as a JSON key separator, I'll fix it
Going ahead in the code execution, I notice that the call to
“/fromMapToClientToken/(map)” returns NULL, because the following condition:
*if*(map.containsKey(*OAuthConstants*./ACCESS_TOKEN/)
&& map.containsKey(*OAuthConstants*./ACCESS_TOKEN_TYPE/)){…}
is evaluated to FALSE;
*OAuthConstants*./ACCESS_TOKEN //à////access_token ; PRESENT in the
response///
*OAuthConstants*./ACCESS_TOKEN_TYPE //à////token_type; NOT PRESENT in
the response/
//
//
*I think that this condition statement should be revised to correctly
put through the OAuth dance.*
Well, token_type is a required parameter per
http://tools.ietf.org/html/rfc6749#section-5.1
I saw the same in my demo I did around Salesforce OAuth2 code flow demo,
but I was able to bypass the issue because in our case no oAuth2 centric
client code was used so no requirement for the token_type was enforced.
Hmm... May be I can relax it a bit, ultimately, it is up to the client
code on what to default to if no token_type is present, example, default
to 'Bearer' in case of well-known services like Salesforce or refuse to
continue...
Sergey
**
Thanks,
Andrea Messina
Andrea Messina
Blue Reply
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
[email protected]
www.reply.it
Blue Reply
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: venerdì 13 settembre 2013 14:24
To: Messina Andrea
Cc: [email protected]
Subject: Re: OAuth2 username-password flow with Apache CXF
Should be
OAuthClientUtils.getAccessToken(webClient, consumer, new
ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"), false);
where 'false' means no Authorization header is created Sergey On
13/09/13 13:22, Sergey Beryozkin wrote:
> Hi,
>
> OAuthClientUtils has this method,
>
> public static ClientAccessToken getAccessToken(WebClient
> accessTokenService,
> Consumer consumer,
> AccessTokenGrant
grant,
> boolean
> setAuthorizationHeader)
>
> So, for example,
>
> OAuthClientUtils.getAccessToken(webClient, consumer, new
> ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"));
>
> will do it, where 'consumer' represents Consumer initialized with a
> client id & secret
>
> Cheers, Sergey
>
> On 13/09/13 13:12, Messina Andrea wrote:
>> Hi Sergey.
>>
>> Thanks for reply.
>>
>> Unfortunately I am unable to construct a working cxf-tree-objects to
>> perform a call for the 2-legged OAuth protocol.
>>
>> The classes I have located are:
>>
>> ·*WebClient*
>>
>> ·*OauthClientUtils*
>>
>> ·*AccessTokenService*
>>
>> ·*AccessTokenGrant*
>>
>> ·*Consumer*
>>
>> ·*ResourceOwnerGrantHandler*
>>
>> ·*ResourceOwnerLoginHandler***
>>
>> Could you sent an example implementation that would be able to invoke
>> a login endpoint supplying the following text in the body part of the
>> HTTP POST request ?
>>
>> (PASSWORD GRANT so no user-direct authorization is required)
>>
>> *grant_type=password&client_id=*XXX*&client_secret=*YYY*&username=*ZZ
>> Z*&password=*KKK
>>
>>
>> This could be also helpful for many people looking for it
>>
(http://stackoverflow.com/questions/13793395/cxf-2-legged-oauth-example)!
>>
>> Thanks,
>>
>> Andrea
>>
>>
>>
>> Andrea Messina
>>
>> Blue Reply
>> Via Cardinal Massaia, 83
>> 10147 - Torino - ITALY
>> phone: +39 011 29100
>> [email protected] <mailto:[email protected]>
>> www.reply.it <http://www.reply.it>
>>
>> Blue Reply
>>
>> -----Original Message-----
>> From: Sergey Beryozkin [mailto:[email protected]]
<mailto:[mailto:[email protected]]>
>> Sent: giovedì 12 settembre 2013 22:21
>> To: [email protected] <mailto:[email protected]>
>> Cc: Messina Andrea
>> Subject: Re: OAuth2 username-password flow with Apache CXF
>>
>> Hi
>>
>> Thanks for the query, forwarding to the users list, On 12/09/13
>> 18:37, Messina Andrea wrote:
>>
>> >
>>
>> > I'm looking for an example code written using Apache CXF WebClient
>> API and requesting an access token using the "Password Access grant
>> Type".
>>
>> >
>>
>> > The
>>
documentation(http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ClientCredentials).
>>
>> is really very poor about this subject .
>>
>> >
>>
>> Right, looking at it now, agree a bit more info should go into it,
>> Basically, the idea you just register an access token grant handler
>> with AccessTokenService, the documentation focuses on the code flow
>> and AccessTokenService tries to default to the code grant handler if
>> no custom handlers have been registered, so I missed that no info is
>> there at all on how the custom handlers can be added, it is really
>> easy,
>>
>> AccessTokenService has
>>
>> public void setGrantHandlers(List<AccessTokenGrantHandler> handlers);
>> and public void setGrantHandler(AccessTokenGrantHandler handler);
>>
>> methods. so you set ResourceOwnerGrantHandler (not ClientCredentials
>> which you linked to)
>>
>> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent
>> /oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/
>> ResourceOwnerGrantHandler.java
>>
>>
>> Note AccessTokenService will authenticate the client itself (using
>> client_id and client_secret) and the handler will authenticate the
>> resource owner, using ResourceOwnerLoginHandler.
>>
>> Default ResourceOwnerLoginHandler implementation is JAAS based:
>>
>> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent
>> /oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/
>> JAASResourceOwnerLoginHandler.java
>>
>>
>> but you can implement your own logic.
>>
>> Hope it helps
>>
>> I'll work on improving the docs
>>
>> Sergey
>>
>> > The only input parameters are:
>>
>> >
>>
>> > 1) Login endpoint URI
>>
>> > 2) client_id and client_secret
>>
>> > 3) user_id and user_secret
>>
>> >
>>
>> > Thanks in advance, Andrea
>>
>> >
>>
>> >
>>
>> > Andrea Messina
>>
>> >
>>
>> > Blue Reply
>>
>> > Via Cardinal Massaia, 83
>>
>> > 10147 - Torino - ITALY
>>
>> > phone: +39 011 29100
>>
>> > [email protected] <mailto:[email protected]>
<mailto:[email protected]>
>>
>> > www.reply.it <http://www.reply.it> <http://www.reply.it>
>>
>> >
>>
>> >
>>
>> >
>>
>> >
>>
>> > ________________________________
>>
>> >
>>
>> > --
>>
>> > The information transmitted is intended for the person or entity
>> to which it is addressed and may contain confidential and/or
>> privileged material. Any review, retransmission, dissemination or
>> other use of, or taking of any action in reliance upon, this
>> information by persons or entities other than the intended recipient
>> is prohibited. If you received this in error, please contact the
>> sender and delete the material from any computer.
>>
>> >
>>
>> --
>>
>> Sergey Beryozkin
>>
>> Talend Community Coders
>>
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com
>>
>>
>> ---------------------------------------------------------------------
>> ---
>>
>> --
>> The information transmitted is intended for the person or entity to
>> which it is addressed and may contain confidential and/or privileged
>> material. Any review, retransmission, dissemination or other use of,
>> or taking of any action in reliance upon, this information by persons
>> or entities other than the intended recipient is prohibited. If you
>> received this in error, please contact the sender and delete the
>> material from any computer.
>
>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
------------------------------------------------------------------------
--
The information transmitted is intended for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the
material from any computer.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
