Jazz GC sends a request to our cmServiceProviders resource with a Bearer token that returns CWWKS1619E on querying JAS

Saqib Niaz (711223) | asked Nov 09 '18, 9:39 a.m.
edited Nov 09 '18, 11:29 a.m.
Using CLM 6.0.6 with ifix02 and Jazz Authorization Server (JAS).
We have developed a RM service provider and registered it as a client to JAS for single sign-on.
When I navigate Jazz Global Configuration (GC), go to the "Project Areas" menu, click on one project area and then click "Explore Project", GC sends a request to our cmServiceProviders resource (which is published in our rootservices document) with an Authorization header containing a Bearer token. Our application queries the JAS userinfo endpoint to get information about this token. An error is returned with 400 and this header: WWW-Authenticate: Bearer error=invalid_request, error_description=CWWKS1619E: A userinfo request was made with an access token that did not have the 'openid' scope. The request URI was /oidc/endpoint/jazzop/userinfo., scope=openid
If I skip the security check for this resource and return the resource to Jazz GC, then GC sends another request to the oslc:serviceprovider resource (published in the previously returned document) with the same invalid Bearer token.
If I return this resource too, then another request comes in for the oslc:publisher:application-about resource (published in the rootservices document) with the same invalid Bearer token.
After returning all three resources without a security check, all the subsequent requests to our service provider come in with another, valid Bearer token that passes the security checks. We can open the configuration selection dialog from our provider and add streams to the GC streams.
I have two questions:
1. Are we supposed to protect these three resources? (cmServiceProviders and oslc:publisher:application-about, published in rootservices, and oslc:serviceProvider, published in the cmServiceProviders document)
2. If yes to question 1, then why is the Bearer token sent in the Authorization header while opening a GC project area not being authenticated by the JAS userinfo endpoint?
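The check the question describes is a resource server validating an incoming Bearer token by calling the OIDC provider's userinfo endpoint and then having to act on a 400 with a WWW-Authenticate: Bearer challenge. The following is an added example, not code from the original post or from Jazz/JAS: it parses an RFC 6750 Bearer challenge (quoted or, as pasted in the question, unquoted auth-params), makes a fail-closed accept/reject decision from the userinfo status and challenge, and builds the challenge the resource server itself should return. The header value is the one quoted above, embedded as constructed sample input; the function names are this example's own and the userinfo HTTP call itself is assumed to happen elsewhere.

```python
"""Handle the response a resource server gets when it validates an OAuth2
Bearer token against an OIDC provider's userinfo endpoint.

Added example (not Jazz/JAS code). Function names are this example's own;
the HTTP call to userinfo is assumed to be made by the caller.
"""
import re
from typing import Dict, Optional

# Constructed sample: the challenge the question reports from the JAS
# userinfo endpoint (HTTP 400), pasted with unquoted auth-params.
SAMPLE_CHALLENGE = (
    "Bearer error=invalid_request, error_description=CWWKS1619E: A userinfo "
    "request was made with an access token that did not have the 'openid' "
    "scope. The request URI was /oidc/endpoint/jazzop/userinfo., scope=openid"
)

# name=value pairs: the value is either an RFC 7235 quoted-string or an
# unquoted run ending just before the next ", name=" or the end of the header.
_PARAM_RE = re.compile(
    r'([A-Za-z_][\w-]*)\s*=\s*("(?:[^"\\]|\\.)*"|.*?)'
    r'(?=\s*,\s*[A-Za-z_][\w-]*\s*=|\s*$)',
    re.DOTALL,
)


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Parse a 'WWW-Authenticate: Bearer ...' value into its auth-params.

    Returns {} when the scheme is not Bearer. Quoted values are unquoted and
    unescaped; parameter names are lower-cased.
    """
    m = re.match(r'\s*Bearer(?:\s+(.*))?$', header, re.IGNORECASE | re.DOTALL)
    if not m:
        return {}
    params: Dict[str, str] = {}
    for name, value in _PARAM_RE.findall(m.group(1) or ""):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        params[name.lower()] = value
    return params


def decide_from_userinfo(status: int, www_authenticate: Optional[str]) -> Dict[str, str]:
    """Fail-closed decision after the userinfo call.

    Only HTTP 200 (claims returned) accepts the token. Every other outcome is
    a rejection; the parsed challenge just decides what we tell the client.
    """
    if status == 200:
        return {"action": "accept", "reason": "userinfo returned claims"}
    params = parse_bearer_challenge(www_authenticate or "")
    error = params.get("error", "")
    detail = params.get("error_description", "")
    required = params.get("scope", "").split()
    if error == "invalid_request" and "openid" in required:
        # The provider did not call the token forged or expired; it refused
        # to answer userinfo because the token lacks the 'openid' scope. The
        # resource server cannot widen the scope, so it must reject and let
        # the party that obtained the token fix the request.
        return {"action": "reject", "status": "401",
                "reason": "token lacks required scope(s): " + " ".join(required),
                "detail": detail}
    if error == "invalid_token":
        return {"action": "reject", "status": "401",
                "reason": "token expired, revoked or malformed", "detail": detail}
    return {"action": "reject", "status": "401",
            "reason": f"userinfo HTTP {status}, error={error or 'none'}",
            "detail": detail}


def _quote(value: str) -> str:
    """RFC 7235 quoted-string: escape backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_challenge(error: str, description: str) -> str:
    """Challenge the resource server returns on its own 401 response."""
    return f"Bearer error={_quote(error)}, error_description={_quote(description)}"


if __name__ == "__main__":
    decision = decide_from_userinfo(400, SAMPLE_CHALLENGE)
    print(decision)
    print("WWW-Authenticate:", build_challenge("invalid_token", decision["reason"]))
```

The parser is deliberately tolerant of unquoted values containing spaces and colons, because that is what the pasted challenge looks like; a conforming provider will quote them and the same function handles both. The decision function never lets a non-200 userinfo result through, which is the property the skip-the-check experiment in the question gives up.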

Ralph Schoon commented Nov 09 '18, 9:52 a.m.

I cannot answer your question. But maybe this helps, in case you did not find it yet?

Saqib Niaz commented Nov 09 '18, 11:25 a.m.

I have already read this page. At the end of this page, in the first paragraph of 'Downstream OAuth1 challenges', it clearly says that server A, trying to access data from server B, needs to send a Bearer token, which server B needs to verify with the JAS userinfo endpoint. This error is occurring in that check of the Bearer token.

In my opinion, just the 'openid' scope is missing from the Bearer token sent to us. If this scope can be added to this token, the problem will be resolved, as we would get user info from JAS and would be able to continue.
