Posted to users@cxf.apache.org by mayankeagle <ma...@yahoo.com> on 2012/08/17 08:04:07 UTC

OAuth 1.0 in Apache CXF

Hi,

I'm trying to create an OAuth 1.0 server using CXF. I have written my own
custom OAuthDataProvider implementation, which maintains the client details
and token details in memory (hash-table). I also have another Javascript
client, which I am using to invoke the REST web-service that is protected
via the CXF OAuth filter. 

However, even upon providing the correct consumer key and secret, I am
always getting a 401 Unauthorized on the client side. I know that the
signature is getting generated correctly because I use the same client to
invoke a JBoss RESTEasy OAuth server as well with minor changes in the
syntax. 

Below is the Authorization header of the POST request which is sent from the
client for obtaining the request token (as per
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-RequestTokenService):

OAuth
oauth_callback="oob",oauth_consumer_key="C1",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_timestamp="1345183118",oauth_nonce="1TtaP6",oauth_signature="5Kpy%2FdJXAhFLFWbXXCI1NPGb2L0%3D"

Am I missing something here? Is it that these parameters have to be sent
without the quotes or differently? 

Upon putting debug messages in my OAuthDataProvider, I can see that it is
finding the client as it enters the getClient () method which finds the
client in the hash-table, but after that the createRequestToken () method is
never called and a 401 is thrown.



--
View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-in-Apache-CXF-tp5712720.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
To add, the AbstractAuthFilter on the server side is throwing a WARNING log
message that says "Invalid Client" although it is recognizing the client.




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 21/08/12 08:18, mayankeagle wrote:
> Ok, that was my mistake to pass the Authorization header, I was just calling
> the same function on the client side and only changing the method from POST
> to GET.
>
> Without the Authorization header, I'm just sending a GET call to
> "http://ProjectName/services/authorize?oauth_token=xyz" and now I'm getting
> a "WARNING: Client is invalid" error on the server logs. I think this is
> because the oauth_consumer is not specified in the URL/ header. Am I missing
> something here?
>
In this case oauth_token is pointing to RequestToken, so make sure the 
data provider sets the Client field on it when RequestToken is issued to 
the client for the first time; again, maybe the fact that 'oob' is only 
supported in 2.6.2 makes a difference. Please also check the demo I 
linked to in the previous post.

Cheers, Sergey


Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
Ok, that was my mistake to pass the Authorization header, I was just calling
the same function on the client side and only changing the method from POST
to GET. 

Without the Authorization header, I'm just sending a GET call to
"http://ProjectName/services/authorize?oauth_token=xyz" and now I'm getting
a "WARNING: Client is invalid" error on the server logs. I think this is
because the oauth_consumer is not specified in the URL/ header. Am I missing
something here?




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 27/08/12 15:30, mayankeagle wrote:
> I have another question on O-Auth at
> http://cxf.547215.n5.nabble.com/OAuth-1-0-in-CXF-2-6-2-td5713150.html - this
> is for a Java based non UI client.
>
> I'd appreciate your help in resolving this as well. Thanks.
>
I believe this is "OAuth 1.0 in CXF 2.6.2" thread...
Sergey


Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
I have another question on O-Auth at
http://cxf.547215.n5.nabble.com/OAuth-1-0-in-CXF-2-6-2-td5713150.html - this
is for a Java based non UI client.

I'd appreciate your help in resolving this as well. Thanks.




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 21/08/12 17:13, mayankeagle wrote:
> I got it to work, thanks for your help. I will try with 2.6.2 also.
>
Very good, thanks for the confirmation
> I need your recommendation on some points:
>
> * I had the OAuthFilter also trapping requests to the request token service,
> authorization service and access token service - that is why the signature
> validation was being done in the authorization process too; it was the
> filter that was doing it. Do you recommend this configuration? Or should the
> filter only trap the requests to the business REST services that I have
> written.
The filter has been written with the assumption that it is going to 
protect the business services.

When we have an authorization request, the typical immediate client is 
actually a user who is being redirected by a 3rd party client, and I 
guess it has to be the same in the case of the 'implicit' flow, which is 
how you do it, with the script doing the work; so it is the end user that 
has to authenticate at this stage, for the end user credentials to be 
captured and linked to from the request (and later) access token.

>
> * When I had the filter trapping the access token requests, at one point of
> time I had the filter allowing the signature and I had the access token
> service denying the signature. That seemed strange. Any idea why this would
> be happening?

Perhaps some of the request parameters could be read only once; maybe 
the (google) library has something to do with that, so the 2nd signature 
calculation was failing...

>
> * Is the documentation at the Apache site updated with whatever changes are
> there in 2.6.2 with respect to HTTP requests/ responses and XML
> configurations?
>
2.6.2 has the following OAuth 1.0 updates (all thanks to Evgeni Kisel):
- oob support
- nonce + timestamp validation (in memory by default but can be customized)
- better error reporting

All of the above has been documented

Cheers, Sergey

> Thanks.


Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
I got it to work, thanks for your help. I will try with 2.6.2 also.

I need your recommendation on some points:

* I had the OAuthFilter also trapping requests to the request token service,
authorization service and access token service - that is why the signature
validation was being done in the authorization process too; it was the
filter that was doing it. Do you recommend this configuration? Or should the
filter only trap the requests to the business REST services that I have
written.

* When I had the filter trapping the access token requests, at one point of
time I had the filter allowing the signature and I had the access token
service denying the signature. That seemed strange. Any idea why this would
be happening?

* Is the documentation at the Apache site updated with whatever changes are
there in 2.6.2 with respect to HTTP requests/ responses and XML
configurations?

Thanks.




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 21/08/12 12:23, mayankeagle wrote:
> I haven't tried the 2.6.2. Good to know that it is released, will do that
> soon.
>
> I got the authorization bit to work - I used my own custom authorization
> service and handler which basically have the same code that the 2.6.1
> authorization service and handler have but I made some changes for handling
> the "oob" scenario.
>
Please check 2.6.2, I'd like to know how easy it will be for you to 
customize the OOB response. I'm presuming at the moment that you return 
some custom HTML page from the customized service; with 2.6.2 that can 
be delegated to the dedicated view handlers.

> Now onto the access token. Will let you know if there are any issues. I see
> that in the access token service authorization header, the
> oauth_token_secret is not present but the documentation says that the token
> secret is also used for calculating the signature. So I'll generate the
> signature using both the values, hope that should work.
Yes, the token secret is definitely used...

Cheers, Sergey



-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
I haven't tried the 2.6.2. Good to know that it is released, will do that
soon.

I got the authorization bit to work - I used my own custom authorization
service and handler which basically have the same code that the 2.6.1
authorization service and handler have but I made some changes for handling
the "oob" scenario. 

Now onto the access token. Will let you know if there are any issues. I see
that in the access token service authorization header, the
oauth_token_secret is not present but the documentation says that the token
secret is also used for calculating the signature. So I'll generate the
signature using both the values, hope that should work.



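The two protocol points in play here, that the token secret is part of the HMAC key even though it never appears in the Authorization header, and (from Sergey's note on the 2.6.2 changes further up) that the server validates nonce and timestamp, as an added worked example in Python. This is not CXF code and not code posted by anyone in this thread: the function and class names are my own, the in-memory nonce set is an assumed stand-in for whatever store a real OAuthDataProvider keeps, and the only real data in it is the HMAC-SHA1 test vector from OAuth Core 1.0 Appendix A (consumer key dpf43f3p2l4k3l03 with secret kd94hf93k423kf44, token nnch734d00sl2jdk with secret pfkkdhi9sl3r4s00, expected signature tR3+Ty81lMeYAr/Fid0kMTYa/WM=), which the client side reproduces and the server side re-verifies:

```python
"""OAuth 1.0a HMAC-SHA1 signing (client) and verification (server) after RFC 5849.
Added example, not CXF code: helper names and the nonce store are the author's own."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    """RFC 5849 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay raw."""
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    """Lower-cased scheme and host, default port dropped, query string removed."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    host = p.hostname if p.port in (None, default) else f"{p.hostname}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"

def signature_base_string(method, url, oauth_params, body_params=()):
    """METHOD & enc(base URI) & enc(sorted k=v list of query, form and oauth_* params)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in [*query, *oauth_params.items(), *body_params]
                   if k != "oauth_signature")  # the signature never signs itself
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret). The token secret
    is part of the key but never part of the header, so it is absent on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def authorization_header(oauth_params, signature):
    """'OAuth k="v", ...' with every value percent-encoded inside the quotes."""
    params = {**oauth_params, "oauth_signature": signature}
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params.items())

def parse_authorization_header(header):
    """Inverse of authorization_header; tolerant of missing spaces after the commas."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"unquoted value for {key}")
        params[unquote(key)] = unquote(value[1:-1])
    params.pop("realm", None)  # realm may appear in the header but is never signed
    return params

def build_signed_header(method, url, consumer_key, consumer_secret, token="",
                        token_secret="", callback=None, nonce=None, timestamp=None):
    """Client side. A request-token call has no token and a callback (e.g. 'oob');
    access-token and protected-resource calls carry the token and its secret."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
             "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0"}
    if token:
        oauth["oauth_token"] = token
    if callback:
        oauth["oauth_callback"] = callback
    return authorization_header(oauth, sign(method, url, oauth, consumer_secret, token_secret))

class Verifier:
    """Server side: recompute the signature from the stored secrets and reject stale
    timestamps and replayed (consumer key, timestamp, nonce) triples. The in-memory
    set is an assumed stand-in for a real nonce store, not CXF's implementation."""

    def __init__(self, consumer_secrets, token_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer_secret
        self.token_secrets = token_secrets        # oauth_token -> token_secret
        self.window, self.seen = window_seconds, set()

    def verify(self, method, url, header, now=None, body_params=()):
        now = time.time() if now is None else now
        try:
            p = parse_authorization_header(header)
            ts = int(p["oauth_timestamp"])
        except (ValueError, KeyError) as exc:
            return False, f"malformed header: {exc}"
        consumer_secret = self.consumer_secrets.get(p.get("oauth_consumer_key"))
        token = p.get("oauth_token", "")
        if consumer_secret is None or (token and token not in self.token_secrets):
            return False, "invalid client or token"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce", ""))
        if not replay_key[2] or replay_key in self.seen:
            return False, "missing or replayed nonce"
        sent = p.pop("oauth_signature", "")
        expected = sign(method, url, p, consumer_secret, self.token_secrets.get(token, ""), body_params)
        if not hmac.compare_digest(expected.encode(), sent.encode()):
            return False, "bad signature"
        self.seen.add(replay_key)  # remember the nonce only once the signature checks out
        return True, "ok"
```

Signing the Appendix A request with both secrets yields the spec's signature, and the Verifier accepts the resulting header exactly once: presenting it again fails on the nonce, presenting it outside the window fails on the timestamp, and a header for the same token that was signed with the consumer secret alone fails the signature comparison, which is the failure an access-token or protected-resource call hits when the token secret is left out of the key. The nonce is recorded only after the signature verifies so that unauthenticated traffic cannot fill the store; the signature-method check is there because accepting whatever method the client names (e.g. PLAINTEXT) would let a client downgrade the scheme.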

Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 21/08/12 09:54, mayankeagle wrote:
> I got the authorization to work. However, now I'm getting an error in the
> authorize decision part.
>
> After my data provider's finalizeAuthorization () method is invoked, I get
> an OAuthServiceException on the server and an "Error in authorizing"
> response at the client side. Is this because I don't have a call-back URI
> and have currently set it to 'oob'? As you'd mentioned, the 'oob' support is
> not there in this release? Or am I missing something else here?
>


I'm not sure what is happening; it is difficult to know without any specific 
details. Did you have a chance to try CXF 2.6.2? It was actually 
released yesterday. Please also run this demo, very easy to run, just 
build and do 'mvn jetty:run-war' in 'war':
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth,

check oauth.thirdparty.RestaurantReservationService on how CXF 
OAuthClientUtils is used (wrapped a bit there in the code)

Cheers, Sergey

> Thanks for your help so far.



Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
I got the authorization to work. However, now I'm getting an error in the
authorize decision part.

After my data provider's finalizeAuthorization () method is invoked, I get
an OAuthServiceException on the server and an "Error in authorizing"
response at the client side. Is this because I don't have a call-back URI
and have currently set it to 'oob'? As you'd mentioned, the 'oob' support is
not there in this release? Or am I missing something else here?

Thanks for your help so far.




Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
Also, is there a working sample client code that I can use for OAuth 1.0 in
CXF? Java or Javascript would do - please point me to sample code, thanks :)




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 19/08/12 23:21, mayankeagle wrote:
> Ok, I have a strange issue like a vicious circle now. I got through that
> authorize URL because I was not setting the 'Accept' header properly.
>
> However, now if I make a call from the client as
> "MyAppName/services/authorize?oauth_token=...." and set everything in the
> Authorization header, then the server gives me an error that the oauth_token
> parameter was rejected (this comes from the net.oauth validator because it
> perhaps doesn't want the oauth_token in the signature generation for the
> authorize request),
> and if I remove the "oauth_token" parameter from the
> URL, then it goes through the OAuth message validation but then the
> authorization service itself says that it didn't find the token.
>

When the client requests a token authorization, no signature has to be 
calculated and no Authorization header is expected by the service. I 
think the validation fails because a single oauth_token is expected, but 
if you also include an Authorization header we end up with more than one 
parameter.

Why do you prepare Authorization? Is it because you have a JavaScript 
client running? I have not seen anything in the spec that suggests that 
the Authorization service needs to accept Authorization.

Cheers, Sergey




Re: OAuth 1.0 in Apache CXF

Posted by mayankeagle <ma...@yahoo.com>.
Ok, I have a strange issue like a vicious circle now. I got through that
authorize URL because I was not setting the 'Accept' header properly.

However, now if I make a call from the client as
"MyAppName/services/authorize?oauth_token=...." and set everything in the
Authorization header, then the server gives me an error that the oauth_token
parameter was rejected (this comes from the net.oauth validator because it
perhaps doesn't want the oauth_token in the signature generation for the
authorize request), and if I remove the "oauth_token" parameter from the
URL, then it goes through the OAuth message validation but then the
authorization service itself says that it didn't find the token.




Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
By the way, Dan staged 2.6.2 at

https://repository.apache.org/content/repositories/orgapachecxf-004/

so you can try it now, before the release is complete

Sergey


Re: OAuth 1.0 in Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 17/08/12 07:04, mayankeagle wrote:
> Hi,
>
> I'm trying to create an OAuth 1.0 server using CXF. I have written my own
> custom OAuthDataProvider implementation, which maintains the client details
> and token details in memory (hash-table). I also have another Javascript
> client, which I am using to invoke the REST web-service that is protected
> via the CXF OAuth filter.
>
> However, even upon providing the correct consumer key and secret, I am
> always getting a 401 Unauthorized on the client side. I know that the
> signature is getting generated correctly because I use the same client to
> invoke a JBoss RESTEasy OAuth server as well with minor changes in the
> syntax.
>
> Below is the Authorization header of the POST request which is sent from the
> client for obtaining the request token (as per
> http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-RequestTokenService):
>
> OAuth
> oauth_callback="oob",oauth_consumer_key="C1",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_timestamp="1345183118",oauth_nonce="1TtaP6",oauth_signature="5Kpy%2FdJXAhFLFWbXXCI1NPGb2L0%3D"
>
> Am I missing something here? Is it that these parameters have to be sent
> without the quotes or differently?
>

I removed the "oob" support from the original contribution but put it 
back - will be available in CXF 2.6.2 - to be released in a couple of days.

Please see this section for more information:

http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-OOBcallbacks

Note the following restriction: 'oob' has to be specified during the 
client registration.
Also note that RequestTokenService will return an
OOBAuthorizationResponse bean which will have to be linked to the view 
handler; see this section on how to do it:

http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider

or check this demo, there are few examples there:

https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth

HTH, Sergey

> Upon putting debug messages in my OAuthDataProvider, I can see that it is
> finding the client as it enters the getClient () method which finds the
> client in the hash-table, but after that the createRequestToken () method is
> never called and a 401 is thrown.

