
OSLC Request Token


Tiberius Opitz (1314) | asked Mar 09 '17, 7:37 a.m.

Hello colleagues,

I'm currently implementing an OSLC client that should consume data from Jazz (especially RM). Now I see that the request token URL is directed to JTS in the RM root service. But in JTS I did not define any consumer key, only in RM. I do not need any information from JTS; do I need to define a (second) customer key for JTS as well to get access to RM?

By the way, I realized that /rm also has the request token URL available (but it is not referenced in the root services at all). Can you please explain to me when to use /jts/oauth-request-token and when to use /rm/oauth-request-token?

I see that if I'm not authenticated (form login with user credentials), I don't have any access to these pages (oauth-request-token, oauth-authorize, oauth-access-token). Why is it necessary to log in to have access to these pages? I thought that token authentication is made to authenticate applications, so no user account should be necessary to work with it.
Just to be sure about the process: do I need to perform all 3 steps for every connection (1. oauth-request-token, 2. oauth-authorize, 3. oauth-access-token), or is it OK if I use the token returned from step 1 for any of my future connections and just request a new access token (step 3)?

Cheers Tiberius

Accepted answer


Jim Ruehlin (79114) | answered Mar 13 '17, 1:33 p.m.
JAZZ DEVELOPER


Hello Tiberius,


It sounds like you're trying to authenticate between an OSLC client and RM. This is more of an OAuth issue than an OSLC issue. You should only need to authenticate with RM. RM will authenticate with JTS as needed.


Establish a friend relationship between RDNG (RM) and your OSLC client in the RM admin page. When you create the friend relationship, you'll establish a consumer key that you can use in your client to authenticate with RDNG. If I'm not mistaken, you provide the consumer key when you need to do 3-legged OAuth to get your token. You still need to do 3-legged OAuth (the login you asked about) because you need to have a valid token. Tokens expire, so when you need to re-acquire a token you'll need to re-authenticate.


To answer your final question, you can try the token from step 1. If it fails, then you'll need to do all 3 steps to re-acquire a token. 


Here's some Lyo code that provides a sample of OAuth client authentication (2-legged). There are other samples in Lyo that you can take a look at as well.


Tiberius Opitz selected this answer as the correct answer

Comments
Tiberius Opitz commented Mar 14 '17, 5:06 a.m.

If you want to use the code, please take into consideration that for Jazz the call for the oauth-token-request needs to be a POST request and not, as is common for OAuth, a GET.

You additionally need to set the header X-Jazz-CSRF-Prevent: <<JSESSIONID>>.
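As an added illustration of the comment above (not code from the thread or from Lyo), this sketch builds the request-token call as a POST carrying the X-Jazz-CSRF-Prevent header, signed per RFC 5849. The host, keys, and session ID are constructed placeholders; the use of HMAC-SHA1 and of the Authorization header for the OAuth parameters are assumptions, not details confirmed on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: encode, sort, join, then encode the joined string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def build_request_token_call(base_url, consumer_key, consumer_secret,
                             jsessionid, nonce, timestamp):
    """Describe the request-token call without sending it (runs offline)."""
    url = base_url.rstrip("/") + "/oauth-request-token"
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",  # assumption, see lead-in
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", url, oauth)  # POST, not GET
    key = pct(consumer_secret) + "&"  # token secret is empty at this step
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    auth = "OAuth " + ", ".join(
        f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
    headers = {
        "Authorization": auth,
        # Header named in the comment above; value is the session's JSESSIONID
        "X-Jazz-CSRF-Prevent": jsessionid,
    }
    return {"method": "POST", "url": url, "headers": headers,
            "base_string": base, "signature": oauth["oauth_signature"]}


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    call = build_request_token_call("https://jazz.example.invalid:9443/rm",
                                    "ck", "cs", "ABC123", "n1", 1489482000)
    print(call["method"], call["url"])
    for name, value in call["headers"].items():
        print(f"{name}: {value}")
```

Because the HTTP method is part of the signature base string, a signature computed for GET will not validate when the request is sent as POST.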

One other answer



Tiberius Opitz (1314) | answered Mar 14 '17, 4:56 a.m.
edited Mar 14 '17, 4:57 a.m.

Dear Jim,

Thank you very much for the answer. I had already entered the customer key and customer secret into my application. With your help I succeeded in requesting a token. But unfortunately, on the token authorization I am always redirected to a Jazz login window, where I need a username and password to authorize the token I got formerly. Is there a way to authorize the token without any user credentials?

I send https://<<server:port>>/rm/oauth-authorize?oauth_token=cb885260b2104ca69589fd2edda8591d
and the response is always:
Header 401 with the body
<html>
    <body onload="location.replace('/rm/loginRedirect?redirect=' + encodeURIComponent(location.href))"/>
</html>

Cheers Tiberius
