Posted to users@cxf.apache.org by rareddy <ra...@gmail.com> on 2014/12/05 04:27:32 UTC

OAuth 1.0 Client example

Hi,

I am trying to write a client application to do authentication with Twitter
using CXF. I have read through
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-Client-sidesupport
and started with following code snippet.

        import java.net.URI;

        import org.apache.cxf.jaxrs.client.WebClient;
        import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils;

        // Leg 1 of the OAuth 1.0a flow: obtain a temporary request token
        WebClient client =
            WebClient.create("https://api.twitter.com/oauth/request_token");
        OAuthClientUtils.Consumer consumer =
            new OAuthClientUtils.Consumer(consumerKey, consumerSecret);
        // "oob" (out-of-band) asks Twitter for a PIN instead of a callback redirect
        OAuthClientUtils.Token requestToken =
            OAuthClientUtils.getRequestToken(client, consumer, new URI("oob"), null);

        System.out.println("Request Token: " + requestToken.getToken());

However, this ends up in "No message body reader has been found for class :
class org.apache.cxf.jaxrs.ext.form.Form, ContentType :
text/html;charset=utf-8."

Can someone please guide me on how I can overcome this issue? Or is there any
example you can point me to?

Thanks

Ramesh..




--
View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-Client-example-tp5751952.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi, I've never used this API.

If you need to get at a filter level then indeed you can write a 
portable JAX-RS ContainerRequestFilter that will extract this SAML response.

Sergey
On 05/01/15 21:00, rareddy wrote:
> Thanks Sergey.
>
> A colleague of mine is suggesting using JEE's JACC API to reach the HTTPRequest
> in the JEE container, where I would have access to the SAML Response token without
> any framework-specific implementation specifics. I have not written anything
> yet, but wanted to get your opinion on the subject.
>
> Ramesh..
>
>
>
>


Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
Thanks Sergey. 

A colleague of mine is suggesting using JEE's JACC API to reach the HTTPRequest
in the JEE container, where I would have access to the SAML Response token without
any framework-specific implementation specifics. I have not written anything
yet, but wanted to get your opinion on the subject.

Ramesh..




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 20/12/14 15:50, rareddy wrote:
> Pardon one silly question: should I call
> "PhaseInterceptorChain.getCurrentMessage()" in the SP implementation somewhere,
> or can I write an interceptor or filter?

You will need to do it in the implementation; the current message will
be different when the SP makes the outbound call in the context of the
current invocation.
Unless the whole process needs to complete before the call reaches the
SP implementation, in which case the filter will do.

Sergey
>
>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
Pardon one silly question: should I call
"PhaseInterceptorChain.getCurrentMessage()" in the SP implementation somewhere,
or can I write an interceptor or filter?




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 19/12/14 20:19, rareddy wrote:
> Sergey,
>
> What do you suggest, where can I hijack the SAML Assertion document from? My
> use case does not involve creating a new document. By extending one of the
> binding filters or the RACS class? Or does CXF insert it into the Subject somewhere?
>
> my usecase like
>
> client --> my SP --> another service (saml bearer)
>                  |
>        SalesForce as IDP
>
I can imagine the following, assuming the client is a human user (though
I guess the same can be emulated with the code client):
- the client GETs on the SP, which redirects it to Salesforce; the client is
authenticated and redirected back to invoke on the SP; CXF would create a
SAMLSecurityContext which would have a SAML assertion wrapped in it. This
is a CXF-specific SecurityContext that can be accessed via the
current CXF message (PhaseInterceptorChain.getCurrentMessage()), and then
this SAML assertion can be forwarded further.

Do you think it can work for you ?
> the handover seems highly dependent on the security implementation
> frameworks -:(
I agree.

Cheers, Sergey


>
> Thanks.
>
> Ramesh..
>
>
>
>
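
An added example (not code from this thread or from CXF itself) that puts Sergey's two suggestions together: the extraction happens inside the SP resource method, on the inbound request's message, before the outbound call changes what PhaseInterceptorChain.getCurrentMessage() returns; the assertion is then used as a SAML 2.0 bearer grant (grant_type urn:ietf:params:oauth:grant-type:saml2-bearer) against the downstream service's token endpoint. Assumptions: the SAMLSecurityContext class is the CXF 3.0 one in org.apache.cxf.rt.security.saml.claims (CXF 2.7 keeps it under a different package), Saml2BearerGrant base64url-encodes the raw XML it is given, and the endpoint and client-credential strings are placeholders.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrant;
import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext; // CXF 3.0 location (assumed)
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.w3c.dom.Element;

/**
 * SP resource that picks up the SAML assertion the CXF SSO filters established
 * for the current request and replays it as a SAML 2.0 bearer grant to obtain
 * an access token for a downstream service.
 */
@Path("/sp")
public class AssertionForwardingResource {

    // Placeholder endpoints and client credentials; substitute your own.
    private final String tokenEndpoint;
    private final String downstreamResource;
    private final OAuthClientUtils.Consumer consumer;

    public AssertionForwardingResource(String tokenEndpoint, String downstreamResource,
                                       String clientId, String clientSecret) {
        this.tokenEndpoint = tokenEndpoint;
        this.downstreamResource = downstreamResource;
        this.consumer = new OAuthClientUtils.Consumer(clientId, clientSecret);
    }

    @GET
    @Path("downstream")
    @Produces("text/plain")
    public String callDownstream() {
        // Read the assertion first, on the request thread: once the outbound
        // calls below start, getCurrentMessage() refers to the outbound
        // exchange rather than to the inbound one that carries the assertion.
        Element assertion = currentAssertion();
        String assertionXml = StaxUtils.toString(assertion);

        // Saml2BearerGrant sends the (base64url-encoded) assertion as the
        // 'assertion' form parameter with the saml2-bearer grant_type.
        WebClient tokenClient = WebClient.create(tokenEndpoint);
        ClientAccessToken token = OAuthClientUtils.getAccessToken(
                tokenClient, consumer, new Saml2BearerGrant(assertionXml));

        // Use the resulting bearer token, not the assertion, on the resource call.
        WebClient downstream = WebClient.create(downstreamResource);
        downstream.header("Authorization", OAuthClientUtils.createAuthorizationHeader(token));
        return downstream.get(String.class);
    }

    /** Extracts the assertion from the CXF SAMLSecurityContext of the current inbound message. */
    static Element currentAssertion() {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext sc = current == null ? null : current.get(SecurityContext.class);
        if (!(sc instanceof SAMLSecurityContext)) {
            // No SAML-authenticated subject on this request: refuse rather than
            // fall back to some other credential.
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        Element assertion = ((SAMLSecurityContext) sc).getAssertionElement();
        if (assertion == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        return assertion;
    }
}
```

Two checks the downstream token endpoint will apply and the SP cannot skip: the assertion must still be inside its validity window when it is replayed, and its audience must name the downstream authorization server (RFC 7522), so an assertion Salesforce issued for the SP alone is rejected unless the downstream service is configured to accept that audience. The assertion is a bearer credential in its own right; keep it out of logs.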


Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
Sergey,

What do you suggest, where can I hijack the SAML Assertion document from? My
use case does not involve creating a new document. By extending one of the
binding filters or the RACS class? Or does CXF insert it into the Subject somewhere?

my usecase like

client --> my SP --> another service (saml bearer)
                |
      SalesForce as IDP

the handover seems highly dependent on the security implementation
frameworks -:(

Thanks.

Ramesh..




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 18/12/14 16:06, rareddy wrote:
> Sergey,
>
>> I think I may have fixed OAuthJSONProvider recently, see last 2 commits,
>
> Can you tell me which version of CXF this will be part of, I will make a
> note to remove my duplicate copies when that version is available.
>
I think it should be in CXF 2.7.14 (already released)
>> might also want to have a look at using JWT Bearer assertions, Salesforce
> would probably support both. I have a lot of
>> documentation for showing how to work with the CXF based JWT bearer and
> Jose code though
>
> SAML and JWT using Salesforce as the source was my plan indeed. Can you
> please share the links for your docs. That will be great!
>
Sorry, I actually meant to say "a lot of documentation to do" :-).
SAML info is here:

http://cxf.apache.org/docs/jaxrs-oauth2-assertions.html#JAXRSOAuth2Assertions-SAML2Bearer

Cheers, Sergey

> Thanks.
>
> Ramesh..
>
>
>
>



Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
Sergey,

>I think I may have fixed OAuthJSONProvider recently, see last 2 commits, 

Can you tell me which version of CXF this will be part of, I will make a
note to remove my duplicate copies when that version is available.

>might also want to have a look at using JWT Bearer assertions, Salesforce
would probably support both. I have a lot of 
>documentation for showing how to work with the CXF based JWT bearer and
Jose code though 

SAML and JWT using Salesforce as the source was my plan indeed. Can you
please share the links for your docs. That will be great!

Thanks.

Ramesh..




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
I added the initial code for the OIDC client demo; the code is not
mature, but it will be tuned gradually. Adding it just for those who are
interested to have a look.
Sergey
On 18/12/14 10:35, Sergey Beryozkin wrote:
> Hi
> On 17/12/14 22:18, rareddy wrote:
>> Sergey,
>>
>> Thank you very much. Following your comments, I wrote two example client
>> utilities using CXF to show case
>>
>> 1) OAuth 1.0A  with Twitter
>> 2) OAuth 2.0 with Google
>>
>> They both are here at
>> https://github.com/rareddy/ws-security-examples/tree/master/oauth-client-examples
>> for anybody else for reference.
>>
>> With OAuth 2.0 with Google, I found another bug (well, the bug is in the
>> Google response) in "OAuthJSONProvider", where the "expires_in" JSON value
>> had a space in it, so the conversion to Integer was failing because it was
>> seeing " 3600" instead of "3600". I put in a trim() in my example, but I am
>> hoping you can fix it in the CXF code base too.
>>
>
> Thanks for sharing the code example.
> I think I may have fixed OAuthJSONProvider recently, see last 2 commits,
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=history;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java;h=fba68a9a68ff8c11e47c6c245038af1847544560;hb=HEAD
>
>
> In fact I did while working on the initial OIDC Google+ client demo
> (haven't committed it yet though)
>
>> Thanks again. Next step to provide example for "SAML Bearer"
>
> Please experiment; might also want to have a look at using JWT Bearer
> assertions, Salesforce would probably support both. I have a lot of
> documentation for showing how to work with the CXF based JWT bearer and
> Jose code though
>
> Cheers, Sergey
>>
>> Ramesh..
>>
>>
>>
>>
>



Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 17/12/14 22:18, rareddy wrote:
> Sergey,
>
> Thank you very much. Following your comments, I wrote two example client
> utilities using CXF to show case
>
> 1) OAuth 1.0A  with Twitter
> 2) OAuth 2.0 with Google
>
> They both are here at
> https://github.com/rareddy/ws-security-examples/tree/master/oauth-client-examples
> for anybody else for reference.
>
> With OAuth 2.0 with Google, I found another bug (well, the bug is in the Google
> response) in "OAuthJSONProvider", where the "expires_in" JSON value had a space in
> it, so the conversion to Integer was failing because it was seeing " 3600"
> instead of "3600". I put in a trim() in my example, but I am hoping
> you can fix it in the CXF code base too.
>

Thanks for sharing the code example.
I think I may have fixed OAuthJSONProvider recently, see last 2 commits,

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=history;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java;h=fba68a9a68ff8c11e47c6c245038af1847544560;hb=HEAD

In fact I did while working on the initial OIDC Google+ client demo 
(haven't committed it yet though)

> Thanks again. Next step to provide example for "SAML Bearer"

Please experiment; might also want to have a look at using JWT Bearer 
assertions, Salesforce would probably support both. I have a lot of 
documentation for showing how to work with the CXF based JWT bearer and 
Jose code though

Cheers, Sergey
>
> Ramesh..
>
>
>
>


Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
Sergey,

Thank you very much. Following your comments, I wrote two example client
utilities using CXF to show case

1) OAuth 1.0A  with Twitter 
2) OAuth 2.0 with Google 

They both are here at
https://github.com/rareddy/ws-security-examples/tree/master/oauth-client-examples
for anybody else for reference.

With OAuth 2.0 with Google, I found another bug (well, the bug is in the Google
response) in "OAuthJSONProvider", where the "expires_in" JSON value had a space in
it, so the conversion to Integer was failing because it was seeing " 3600"
instead of "3600". I put in a trim() in my example, but I am hoping
you can fix it in the CXF code base too.

Thanks again. Next step to provide example for "SAML Bearer"

Ramesh..




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
I've updated a form provider to get configured with custom media types, 
so in CXF 3.0.4 you'd just create WebClient with a FormEncodingProvider 
instance whose consumeMediaTypes property is set to "text/html".
You can have a custom provider extending a CXF provider with a text/html 
Consumes property right now as a workaround; also makes sense to report 
an issue to the Twitter dev

Sergey

On 05/12/14 16:52, Sergey Beryozkin wrote:
> It is an obvious Twitter endpoint bug - it actually returns a form
> payload but sets a wrong content type.
>
> I'll update OAuth1 OAuthClientUtils a bit to simplify dealing with such
> cases
>
> Sergey
>
> On 05/12/14 14:40, rareddy wrote:
>> I see the content type as text/html, but it is not an exception.
>>
>> INFO: Outbound Message
>> ---------------------------
>> ID: 1
>> Address: https://api.twitter.com/oauth/request_token
>> Http-Method: POST
>> Content-Type: */*
>> Headers: {Accept=[application/x-www-form-urlencoded],
>> Authorization=[OAuth
>> oauth_callback="oob", oauth_nonce="9c170661-4ac3-4a43-85e2-e2a2a6524767",
>> oauth_consumer_key="xxxxxx", oauth_signature_method="HMAC-SHA1",
>> oauth_timestamp="1417790060", oauth_version="1.0",
>> oauth_signature="YB6liGypdkdIAN2KzkOzgOFfB64%3D"], Content-Type=[*/*]}
>> --------------------------------------
>> Dec 05, 2014 8:34:21 AM org.apache.cxf.interceptor.LoggingInInterceptor
>> INFO: Inbound Message
>> ----------------------------
>> ID: 1
>> Response-Code: 200
>> Encoding: UTF-8
>> Content-Type: text/html; charset=utf-8
>> Headers: {cache-control=[no-cache, no-store, must-revalidate,
>> pre-check=0,
>> post-check=0], Content-Length=[126], content-security-policy=[default-src
>> https:; connect-src https:; font-src https: data:; frame-src https:;
>> img-src
>> https: data:; media-src https:; object-src https:; script-src
>> 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;
>> report-uri https://twitter.com/i/csp_report?a=xxxxxxx&ro=false;],
>> content-type=[text/html; charset=utf-8], date=[Fri, 05 Dec 2014 14:34:21
>> UTC], etag=["xxxxxx"], expires=[Tue, 31 Mar 1981 05:00:00 GMT],
>> last-modified=[Fri, 05 Dec 2014 14:34:21 GMT], pragma=[no-cache],
>> server=[tsa_b], set-cookie=[guest_id=xxxxxx Domain=.twitter.com; Path=/;
>> Expires=Sun, 04-Dec-2016 14:34:21 UTC, _twitter_sess=xxxxxxxxx;
>> domain=.twitter.com; path=/; secure; HttpOnly], status=[200 OK],
>> strict-transport-security=[max-age=631138519], vary=[Accept-Encoding],
>> x-connection-hash=[xxxxxx], x-content-type-options=[nosniff],
>> x-frame-options=[SAMEORIGIN], x-mid=[xxxxxx], x-response-time=[100],
>> x-runtime=[0.02123], x-transaction=[fc20d4220ea178e6],
>> x-ua-compatible=[IE=edge,chrome=1], x-xss-protection=[1; mode=block]}
>> Payload:
>> oauth_token=xxxxx&oauth_token_secret=xxxxxxxx&oauth_callback_confirmed=true
>>
>> --------------------------------------
>>
>>
>>
>>
>
>
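
The workaround Sergey describes above, as an added example rather than code from this thread or from CXF: a FormEncodingProvider subclass whose @Consumes also lists text/html, registered on the one WebClient that talks to Twitter, followed by the remaining two legs of the OAuth 1.0a exchange. The getAuthorizationURI and getAccessToken signatures and the org.apache.cxf.rs.security.oauth.client package are assumed from the CXF 2.7/3.0 OAuth 1.0 client API; check them against the Javadoc of the version you run.

```java
import java.net.URI;
import java.util.Collections;
import java.util.List;

import javax.ws.rs.Consumes;
import javax.ws.rs.core.MediaType;

import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.Consumer;
import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.Token;

/**
 * Three-legged OAuth 1.0a against Twitter with CXF, working around the
 * request_token endpoint labelling its form-encoded body as text/html.
 */
public class TwitterOAuth1Client {

    // Twitter's OAuth 1.0a endpoints.
    static final String REQUEST_TOKEN = "https://api.twitter.com/oauth/request_token";
    static final String AUTHORIZE = "https://api.twitter.com/oauth/authorize";
    static final String ACCESS_TOKEN = "https://api.twitter.com/oauth/access_token";

    /**
     * CXF selects a MessageBodyReader by the response Content-Type, so the stock
     * FormEncodingProvider (application/x-www-form-urlencoded only) is never
     * offered a text/html body and the client fails with "No message body reader
     * has been found for class ... Form". Widening @Consumes on a subclass is the
     * pre-3.0.4 workaround; from 3.0.4 the consumeMediaTypes property does the same.
     */
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED, MediaType.TEXT_HTML})
    public static class LenientFormProvider<T> extends FormEncodingProvider<T> {
    }

    private final Consumer consumer;
    private final boolean wireLogging;

    public TwitterOAuth1Client(String consumerKey, String consumerSecret, boolean wireLogging) {
        this.consumer = new Consumer(consumerKey, consumerSecret);
        this.wireLogging = wireLogging;
    }

    /**
     * A client that accepts the mislabelled response. The lenient reader is
     * registered on this client only, not globally: only Twitter's token
     * endpoints should ever have text/html parsed as form data.
     */
    private WebClient twitterClient(String address) {
        List<Object> providers = Collections.<Object>singletonList(new LenientFormProvider<Object>());
        WebClient client = WebClient.create(address, providers);
        if (wireLogging) {
            // Development only: this prints the signed Authorization header and
            // the oauth_token_secret carried in the response payload.
            WebClient.getConfig(client).getInInterceptors().add(new LoggingInInterceptor());
            WebClient.getConfig(client).getOutInterceptors().add(new LoggingOutInterceptor());
        }
        return client;
    }

    /** Leg 1: temporary request token; "oob" asks for a PIN instead of a callback redirect. */
    public Token requestToken() {
        return OAuthClientUtils.getRequestToken(
                twitterClient(REQUEST_TOKEN), consumer, URI.create("oob"), null);
    }

    /** Leg 2: the URI the user opens to approve the request token and receive the PIN. */
    public URI authorizationUri(Token requestToken) {
        return OAuthClientUtils.getAuthorizationURI(AUTHORIZE, requestToken.getToken());
    }

    /** Leg 3: exchange request token plus PIN (oauth_verifier) for the access token. */
    public Token accessToken(Token requestToken, String pin) {
        return OAuthClientUtils.getAccessToken(
                twitterClient(ACCESS_TOKEN), consumer, requestToken, pin);
    }
}
```

The same provider is used for the access_token leg since that endpoint may mislabel its response in the same way. The Token returned by legs 1 and 3 carries a secret (getSecret()) that signs every subsequent request, which is why wire logging is opt-in rather than on by default.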


Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
It is an obvious Twitter endpoint bug - it actually returns a form 
payload but sets a wrong content type.

I'll update OAuth1 OAuthClientUtils a bit to simplify dealing with such 
cases

Sergey

On 05/12/14 14:40, rareddy wrote:
> I see the content type as text/html, but it is not an exception.
>
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Address: https://api.twitter.com/oauth/request_token
> Http-Method: POST
> Content-Type: */*
> Headers: {Accept=[application/x-www-form-urlencoded], Authorization=[OAuth
> oauth_callback="oob", oauth_nonce="9c170661-4ac3-4a43-85e2-e2a2a6524767",
> oauth_consumer_key="xxxxxx", oauth_signature_method="HMAC-SHA1",
> oauth_timestamp="1417790060", oauth_version="1.0",
> oauth_signature="YB6liGypdkdIAN2KzkOzgOFfB64%3D"], Content-Type=[*/*]}
> --------------------------------------
> Dec 05, 2014 8:34:21 AM org.apache.cxf.interceptor.LoggingInInterceptor
> INFO: Inbound Message
> ----------------------------
> ID: 1
> Response-Code: 200
> Encoding: UTF-8
> Content-Type: text/html; charset=utf-8
> Headers: {cache-control=[no-cache, no-store, must-revalidate, pre-check=0,
> post-check=0], Content-Length=[126], content-security-policy=[default-src
> https:; connect-src https:; font-src https: data:; frame-src https:; img-src
> https: data:; media-src https:; object-src https:; script-src
> 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;
> report-uri https://twitter.com/i/csp_report?a=xxxxxxx&ro=false;],
> content-type=[text/html; charset=utf-8], date=[Fri, 05 Dec 2014 14:34:21
> UTC], etag=["xxxxxx"], expires=[Tue, 31 Mar 1981 05:00:00 GMT],
> last-modified=[Fri, 05 Dec 2014 14:34:21 GMT], pragma=[no-cache],
> server=[tsa_b], set-cookie=[guest_id=xxxxxx Domain=.twitter.com; Path=/;
> Expires=Sun, 04-Dec-2016 14:34:21 UTC, _twitter_sess=xxxxxxxxx;
> domain=.twitter.com; path=/; secure; HttpOnly], status=[200 OK],
> strict-transport-security=[max-age=631138519], vary=[Accept-Encoding],
> x-connection-hash=[xxxxxx], x-content-type-options=[nosniff],
> x-frame-options=[SAMEORIGIN], x-mid=[xxxxxx], x-response-time=[100],
> x-runtime=[0.02123], x-transaction=[fc20d4220ea178e6],
> x-ua-compatible=[IE=edge,chrome=1], x-xss-protection=[1; mode=block]}
> Payload:
> oauth_token=xxxxx&oauth_token_secret=xxxxxxxx&oauth_callback_confirmed=true
> --------------------------------------
>
>
>
>



Re: OAuth 1.0 Client example

Posted by rareddy <ra...@gmail.com>.
I see the content type as text/html, but it is not an exception.

INFO: Outbound Message
---------------------------
ID: 1
Address: https://api.twitter.com/oauth/request_token
Http-Method: POST
Content-Type: */*
Headers: {Accept=[application/x-www-form-urlencoded], Authorization=[OAuth
oauth_callback="oob", oauth_nonce="9c170661-4ac3-4a43-85e2-e2a2a6524767",
oauth_consumer_key="xxxxxx", oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1417790060", oauth_version="1.0",
oauth_signature="YB6liGypdkdIAN2KzkOzgOFfB64%3D"], Content-Type=[*/*]}
--------------------------------------
Dec 05, 2014 8:34:21 AM org.apache.cxf.interceptor.LoggingInInterceptor
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/html; charset=utf-8
Headers: {cache-control=[no-cache, no-store, must-revalidate, pre-check=0,
post-check=0], Content-Length=[126], content-security-policy=[default-src
https:; connect-src https:; font-src https: data:; frame-src https:; img-src
https: data:; media-src https:; object-src https:; script-src
'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;
report-uri https://twitter.com/i/csp_report?a=xxxxxxx&ro=false;],
content-type=[text/html; charset=utf-8], date=[Fri, 05 Dec 2014 14:34:21
UTC], etag=["xxxxxx"], expires=[Tue, 31 Mar 1981 05:00:00 GMT],
last-modified=[Fri, 05 Dec 2014 14:34:21 GMT], pragma=[no-cache],
server=[tsa_b], set-cookie=[guest_id=xxxxxx Domain=.twitter.com; Path=/;
Expires=Sun, 04-Dec-2016 14:34:21 UTC, _twitter_sess=xxxxxxxxx;
domain=.twitter.com; path=/; secure; HttpOnly], status=[200 OK],
strict-transport-security=[max-age=631138519], vary=[Accept-Encoding],
x-connection-hash=[xxxxxx], x-content-type-options=[nosniff],
x-frame-options=[SAMEORIGIN], x-mid=[xxxxxx], x-response-time=[100],
x-runtime=[0.02123], x-transaction=[fc20d4220ea178e6],
x-ua-compatible=[IE=edge,chrome=1], x-xss-protection=[1; mode=block]}
Payload:
oauth_token=xxxxx&oauth_token_secret=xxxxxxxx&oauth_callback_confirmed=true
--------------------------------------




Re: OAuth 1.0 Client example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Most likely a text/html formatted error is returned

Can you add

WebClient.getConfig(client).getInInterceptors().add(new LoggingInInterceptor());
WebClient.getConfig(client).getOutInterceptors().add(new LoggingOutInterceptor());

and see what is being sent and returned ?

Cheers, Sergey
On 05/12/14 03:27, rareddy wrote:
> Hi,
>
> I am trying to write a client application to do authentication with Twitter
> using CXF. I have read through
> http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-Client-sidesupport
> and started with following code snippet.
>
>          WebClient client =
>              WebClient.create("https://api.twitter.com/oauth/request_token");
>          OAuthClientUtils.Consumer consumer =
>              new OAuthClientUtils.Consumer(consumerKey, consumerSecret);
>          OAuthClientUtils.Token requestToken =
>              OAuthClientUtils.getRequestToken(client, consumer, new URI("oob"), null);
>
>          System.out.println("Request Token: " + requestToken.getToken());
>
> How this is ending up in "No message body reader has been found for class :
> class org.apache.cxf.jaxrs.ext.form.Form, ContentType :
> text/html;charset=utf-8."
>
> Can some please guide me how I can overcome this issue? Or is there any
> example you can point me to?
>
> Thanks
>
> Ramesh..
>
>
>
>
>

