Jazz GC sends a request to our cmServiceProviders resource with a Bearer token that returns CWWKS1619E on querying JAS
Using CLM 6.0.6 with ifix02 and Jazz Authorization Server (JAS).
We have developed a RM service provider and registered it as a client to JAS for single sign-on.
When I navigate to Jazz Global Configuration (GC), go to the "Project Areas" menu, click on one project area and then click "Explore Project", GC sends a request to our cmServiceProviders resource (which is published in our rootservices document) with an Authorization header containing a Bearer token. Our application queries the JAS userInfo endpoint to get information about this token. An error is returned with status 400 and this header: WWW-Authenticate: Bearer error=invalid_request, error_description=CWWKS1619E: A userinfo request was made with an access token that did not have the 'openid' scope. The request URI was /oidc/endpoint/jazzop/userinfo., scope=openid
If I skip the security check for this resource and return the resource to Jazz GC, then GC sends another request to the oslc:serviceprovider resource (published in the document returned previously) with the same invalid Bearer token.
If I return this resource too, then another request comes in for the oslc:publisher:application-about resource (published in the rootservices document) with the same invalid Bearer token.
After returning all three resources without a security check, all subsequent requests to our service provider come in with another valid Bearer token that passes the security checks. We can open the configuration selection dialog from our provider and add streams to the GC streams.
I have two questions:
1. Are we supposed to protect these three resources? (cmServiceProviders and oslc:publisher:application-about, published in rootservices, and oslc:serviceProvider, published in the cmServiceProviders document)
2. If yes to question 1, then why is the Bearer token sent in the Authorization header while opening a GC project area not being authenticated by the JAS userinfo endpoint?
Comments
I cannot answer your question. But maybe this helps, in case you did not find it yet.
I have already read this page. At the end of this page, in the first paragraph of 'Downstream OAuth1 challenges', it clearly says that server A trying to access data from server B needs to send a Bearer token which server B needs to verify with the JAS userinfo endpoint. And this error occurs in that check of the Bearer token.
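Added example, not code from the question, from Jazz GC or from JAS: the resource-server side of the exchange described in the question and restated in the comment above, i.e. server B receiving a Bearer token, asking the JAS userinfo endpoint about it, and deciding what to return. It parses the RFC 6750 WWW-Authenticate challenge exactly as the question quotes it (Liberty emits the parameters unquoted, which standard quoted-string parsers choke on) and maps a rejection to a 401 challenge rather than serving the resource unauthenticated. The host name, realm, token strings, the accepted-token body and all function names are assumptions; only the 400 challenge text and the userinfo path come from the question.

```python
"""Resource-server handling of a Bearer token checked against the OIDC userinfo
endpoint. Added example, not Jazz GC / JAS code; URL, realm, sample tokens and the
200 body are assumptions, the 400 challenge text is the one quoted in the question."""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed userinfo URL (path from the question's error text, host invented).
ASSUMED_USERINFO_URL = "https://jas.example.test/oidc/endpoint/jazzop/userinfo"

# Constructed sample: the 400 the question reports, with its WWW-Authenticate value.
SAMPLE_REJECTION = (400, {"WWW-Authenticate": (
    "Bearer error=invalid_request, "
    "error_description=CWWKS1619E: A userinfo request was made with an access token "
    "that did not have the 'openid' scope. "
    "The request URI was /oidc/endpoint/jazzop/userinfo., scope=openid")}, b"")
# Constructed sample of an accepted token: userinfo JSON naming the subject.
SAMPLE_ACCEPTANCE = (200, {"Content-Type": "application/json"}, b'{"sub": "builder"}')

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Fetch = Callable[[str], Response]               # token -> userinfo response

# RFC 6750 challenge params are quoted-strings, but Liberty (see the sample) emits
# them bare, so accept either; a bare value runs up to the next comma.
_PARAM = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Split 'Bearer k=v, k="v"' into a dict; {} if the scheme is not Bearer."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    params: Dict[str, str] = {}
    for key, value in _PARAM.findall(rest):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        params[key] = value
    return params


def build_challenge(realm: str, error: str, description: str) -> str:
    """WWW-Authenticate value per RFC 6750 section 3, with quoted-string escaping."""
    def q(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"Bearer realm={q(realm)}, error={q(error)}, error_description={q(description)}"


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (urllib and WSGI differ in casing)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    subject: Optional[str] = None
    challenge: Optional[str] = None   # WWW-Authenticate to send with a 401 when denied


def verify_bearer_via_userinfo(token: str, fetch: Fetch,
                               realm: str = "cmServiceProviders") -> Verdict:
    """Map the userinfo endpoint's answer about `token` to allow/deny.

    Only a 200 carrying a JSON 'sub' grants access. Anything else is denied with a
    401 invalid_token challenge, so the caller learns its token was not usable
    here instead of the resource being served unauthenticated.
    """
    status, headers, body = fetch(token)
    if status == 200:
        try:
            data = json.loads(body or b"{}")
        except ValueError:
            data = None
        subject = data.get("sub") if isinstance(data, dict) else None
        if subject:
            return Verdict(True, "userinfo accepted the token", subject=subject)
        reason = "userinfo returned 200 without a subject"
    else:
        upstream = parse_bearer_challenge(_header(headers, "WWW-Authenticate"))
        err = upstream.get("error", f"http_{status}")
        reason = f"userinfo rejected the token: {err}"
        # The case from the question: the token exists but was not issued with the
        # 'openid' scope, so userinfo refuses to describe it.
        if err == "invalid_request" and "openid" in upstream.get("scope", "").split():
            reason += " (token lacks the openid scope userinfo requires)"
    return Verdict(False, reason, challenge=build_challenge(
        realm, "invalid_token", "token not accepted by userinfo"))


def make_urllib_fetch(userinfo_url: str) -> Fetch:
    """Live fetch for real use: GET userinfo with the token, keeping 4xx responses."""
    def fetch(token: str) -> Response:
        req = urllib.request.Request(userinfo_url, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return fetch


def sample_fetch(token: str) -> Response:
    """Offline stand-in for the endpoint: one constructed token is accepted."""
    return SAMPLE_ACCEPTANCE if token == "sample-openid-token" else SAMPLE_REJECTION


if __name__ == "__main__":
    for tok in ("sample-token-without-openid", "sample-openid-token"):
        v = verify_bearer_via_userinfo(tok, sample_fetch)
        print(tok, "->", "allow" if v.allowed else "deny", "|", v.reason, "|", v.challenge)
```

Swap `sample_fetch` for `make_urllib_fetch(ASSUMED_USERINFO_URL)` to run it against a real server. The design point is that the resource keeps its security check: a token userinfo will not vouch for gets a 401 with a proper Bearer challenge, which is what lets a well-behaved client retry with a usable token, whereas returning the resource unauthenticated (the workaround tried in the question) makes the rootservices and service-provider documents readable by anyone presenting any token.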