After getting accessToken, Jazz doesn't send OAuth credentials with subsequent requests to access data
Benjamin Röhl (167●14●25)
| asked Nov 12 '15, 10:39 a.m.
retagged Jan 29 '16, 10:35 a.m. by Patricia Der (501●1)
I am developing a web application and want the Jazz application to access my application’s data using the OAuth protocol version 1.0A (RFC 5849). I have registered my application in the friends list of the Jazz application.
In the Jazz application, I go to Quality Management, select my project, select a Test Case and then click “Requirement Links”. Now, I try to add a new Requirement Link by clicking the plus button (Add new links). A pop-up opens and Jazz sends a request to my server; at that point the OAuth protocol executes and an accessToken is issued to Jazz.
Then Jazz sends the OAuth header with a subsequent request to my server and successfully gets the required data. Then Jazz sends another request to my server, but this time the OAuth header doesn't come in with the request. My application fails to check the authenticity of the request and refuses to send anything back.
So why doesn’t Jazz send the OAuth header with all the subsequent requests?
Accepted answer
Donald, and Benjamin, were you able to get the Lyo Bugzilla sample integration with RQM?
Note, to configure RQM as a consumer of the OSLC RM V2 service provider:

a) Create a friend between RQM and the OSLC RM V2 service provider application (see https://jazz.net/help-dev/clm/topic/com.ibm.jazz.repository.web.admin.doc/topics/tservertoserverestablish.html). Note, the OSLC RM V2 service provider application MUST implement OAuth 1a and 'fake' a Jazz root services document, which is the purpose of the OSLC4J registry web application (see http://wiki.eclipse.org/Lyo/BuildingOSLC4J#The_OSLC4J_registry_web_application).

b) Associate the OSLC RM V2 service provider application with the RQM project area (see https://jazz.net/help-dev/clm/topic/com.ibm.jazz.platform.doc/topics/t_adding_associations_web.html).

For more information, see http://git.eclipse.org/c/lyo/org.eclipse.lyo.docs.git/plain/Lab1/Lyo_OSLC_Workshop.pdf

Benjamin Röhl selected this answer as the correct answer
Comments
Donald Nong
commented Jan 28 '16, 7:54 p.m.
Hi Paul, I have not been able to allocate a long enough time slot to do this. I will add my observation to this post if I manage to complete the task.
Comments
I believe not many people have an environment similar to yours to see such symptoms. Maybe you can give more details about the issue. For example, what are those requests?
Benjamin Röhl and I are working on this project.
Here are the details of my project:
It is more or less a copy of the example project on open-services.net, i.e. org.eclipse.lyo.oslc4j.bugzilla.
When I go to jazz/qm, select my project from the Project Dashboards, click Construction->Select a test case, click Requirement Links, and then press the + button to add a new Requirement Link, Jazz sends a request to my project at urlOfServer/services/serviceProviders/projectID. The first time, this request doesn’t contain OAuth or basic credentials, so a 403 unauthorized is sent back. Jazz then sends the requests for the OAuth handshake, namely requestToken, authorize and accessToken. After successfully getting the accessToken, Jazz again sends the same old request to urlOfServer/services/serviceProviders/projectID, with OAuth credentials, and the request is authorized in CredentialsFilter. A connector attribute is set in the session object during the login for authorization of the OAuth request token.
Now, after this, Jazz automatically sends a request to changeRequestDialog of Bugzilla, but this time Jazz doesn’t send OAuth credentials. However, we are in the same session as on the login page previously, so we are able to access the connector attribute set in the session. Data is being returned on the basis of the connector attribute set in the session object instead of OAuth credentials. We expect OAuth credentials with each subsequent request, as stated in the RFC. The purpose of the whole OAuth protocol dies down if, at the end, we have to return data based on the session attributes instead of OAuth credentials.
So, all the subsequent requests to changeRequestDialog don’t contain the OAuth credentials.

Hello Donald, could you read the details from my colleague Saqib.
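
For anyone tracing the same symptom, here is an added example (not code from this thread or from the Lyo project) that classifies each incoming request by whether it carries RFC 5849 protocol parameters in the Authorization header or would be authorised only by the session attribute described above. The class name, header values and paths are constructed; it checks parameter presence only, so signature verification stays with the provider's OAuth code.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class OAuthHeaderCheck {
    // Protocol parameters always present on a token-authenticated request (RFC 5849, section 3.1).
    static final List<String> REQUIRED = List.of("oauth_consumer_key", "oauth_token",
            "oauth_signature_method", "oauth_signature");

    /** Parses an "Authorization: OAuth ..." value (RFC 5849, section 3.5.1); empty map if not OAuth. */
    static Map<String, String> parse(String header) {
        Map<String, String> params = new LinkedHashMap<>();
        if (header == null || !header.regionMatches(true, 0, "OAuth ", 0, 6)) return params;
        // Assumption: no raw commas inside values (encoded values cannot contain them).
        for (String pair : header.substring(6).split(",")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim().replaceAll("^\"|\"$", "");
            // URLDecoder turns '+' into a space; protect it so only %XX escapes are decoded.
            params.put(name, URLDecoder.decode(value.replace("+", "%2B"), StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Classifies how a request would be authorised: OAUTH, SESSION_ONLY or NONE. */
    static String classify(String authorization, boolean sessionHasConnector) {
        Map<String, String> p = parse(authorization);
        if (p.keySet().containsAll(REQUIRED)) return "OAUTH";
        return sessionHasConnector ? "SESSION_ONLY" : "NONE";
    }

    public static void main(String[] args) {
        // Constructed sample requests: path, Authorization header, whether the session holds a connector.
        String oauth = "OAuth realm=\"Example\", oauth_consumer_key=\"key123\", "
                + "oauth_token=\"tok456\", oauth_signature_method=\"HMAC-SHA1\", "
                + "oauth_timestamp=\"1447320000\", oauth_nonce=\"abc\", "
                + "oauth_signature=\"c2lnbmF0dXJl%3D\"";
        String[][] requests = {
            {"/services/serviceProviders/projectID", null, "false"},
            {"/services/serviceProviders/projectID", oauth, "true"},
            {"/changeRequestDialog", null, "true"},
        };
        for (String[] r : requests)
            System.out.println(r[0] + " -> " + classify(r[1], Boolean.parseBoolean(r[2])));
    }
}
```

Logging the classification next to the request path in the credentials filter shows which endpoints are being served on session state alone.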