Jazz Community Forum

Accessing protected resources with access token

 Hello,

After implementing an OAuth dance and retrieving the access token/secret pair, I have been trying to use it to access protected resources. My request is of the type:

requests.get('https://IP:PORT/rm/publish/modules?projectName=PROJECTNAME&ptext=true', auth=oauth, verify='/path/to/cert') where oauth is generated through requests_oauthlib and contains:
  • Consumer key
  • Consumer secret
  • access token
  • access token secret
I am getting a 400 error from the GET request, and on checking the server logs I see that the identity server (/jts/jauth-check-auth) responds with a 500 internal server error due to an exception thrown from com.ibm.team.jfs.app.auth.IdentityHelper.doCheckAuth
Jazz version is 6.0.6, any ideas? Thanks

0 votes

Comments

See my answer



2 answers


 Hi


Rather than using requests.get() - which you would have to populate with headers and cookies for every operation you want to do - you should create a requests session (let's say this session is called s) to do the authentication, so it gets the cookies from the auth, then use that session as in s.get() and for all further operations to the server, i.e. a single session s, used for all operations including authentication.

HTH
Ian

0 votes

Comments

 Hello, 


On using requests session instead, while I can see the set cookies from the auth dance, the same problem persists.

I don't think your authorization is working, although TBH I'd expect you to get 403 rather than 400.

I've only ever used form authentication from Python (like your browser does, using username/password). See under heading "FORM challenge" here https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication - except that for a GET this statement "you always have to replay the original request" is wrong but doesn't do harm, what I see is that the successful response to the auth GET is automatic redirection to the original GET location, i.e. no need to replay. If the original request was a POST you *would* have to replay the original because http protocol specifies that redirects can only use GET.

Summary: For FORM auth you do the GET which returns 200 flagged with the authrequired; you build an authentication URL and if successful the response is 200 with cookie JAZZ_AUTH_TOKEN and contains the data originally requested.

After authenticating does your session have a cookie JAZZ_AUTH_TOKEN?

Or for JAS when the auth is complete you have cookies JSA_AUTH_COMPLETE, JSA_SESSION_IDENTITY and JSESSIONID (i.e. there is no JAZZ_AUTH_TOKEN cookie)

Hmm, I've just checked on a different server near me and it returns 400 from https://SERVER:PORT/rm/publish/resources/* and I know the authentication I'm using works on that server - so check this on your server by opening the URL in a browser. If publishing isn't disabled/blocked this should give some XML results; if it gives a 400 then I guess the publish service is disabled/blocked.

Thank you for all the help; you were right that the authorization wasn't working. I had unknowingly skipped a part of the process: I was operating under the assumption that by running the authorization request on the JTS server, no user interaction was necessary, since I was obtaining a pair of access key/secret. This was false; I still had to access the page manually and authorize the request token (?). After doing so, I was able to access the protected resources easily.



If you log into RM as a client, as far as I know, you have to do that against JTS and not RM. The reason is that RM delegates its authentication to JTS (other than EWM, ETM).


I am not sure if that applies to OAuth as well. 

0 votes

Comments

The authentication is done on JTS, specifically

https://IP:PORT/jts/oauth-request-token 
https://IP:PORT/jts/oauth-authorize?oauth_token=TOKEN&Authorize=True
https://IP:PORT/jts/oauth-access-token

as per https://jazz.net/wiki/bin/view/Main/JFSCoreSecurity#Application_Authentication
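Pulling the thread together as an added example (this is not code from the forum post, nor IBM's or Jazz's own code): one requests.Session is used for authentication and every later call, as Ian advises; the FORM "authrequired" challenge and the JAZZ_AUTH_TOKEN / JSA_* cookies he describes are checked explicitly; and the three-legged OAuth dance goes through the three JTS endpoints listed above, with the manual authorize step the asker had skipped made an explicit, blocking call. The challenge header name (X-com-ibm-team-repository-web-auth-msg) and the j_security_check path are assumptions taken from Jazz documentation, BASE, CONSUMER_KEY, CONSUMER_SECRET and the CA bundle path are placeholders, and the session's verify is pointed at a CA bundle rather than switched off.

```python
# Added example for this thread; not code from the forum or from IBM/Jazz.
# ONE requests.Session carries cookies and OAuth signing for every call.
# Assumptions: the challenge header name, the j_security_check path and the
# token endpoint paths; BASE/KEY/SECRET/CA bundle values are placeholders.
from urllib.parse import parse_qs, urlencode

AUTH_MSG_HEADER = "X-com-ibm-team-repository-web-auth-msg"  # assumed Jazz challenge header
FORM_COOKIE = "JAZZ_AUTH_TOKEN"                               # set after FORM auth
JAS_COOKIES = {"JSA_AUTH_COMPLETE", "JSA_SESSION_IDENTITY", "JSESSIONID"}  # set after JAS auth


def is_auth_challenge(status, headers):
    """A Jazz FORM challenge is a 200 whose auth-msg header says 'authrequired'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return status == 200 and lowered.get(AUTH_MSG_HEADER.lower(), "").lower() == "authrequired"


def auth_state(cookie_names):
    """Classify a session by the cookies Ian lists: 'form', 'jas' or 'unauthenticated'."""
    names = set(cookie_names)
    if FORM_COOKIE in names:
        return "form"
    if JAS_COOKIES <= names:
        return "jas"
    return "unauthenticated"


def authorize_url(base, oauth_token):
    """The JTS page the *user* must open to approve the request token."""
    return base.rstrip("/") + "/jts/oauth-authorize?" + urlencode(
        {"oauth_token": oauth_token, "Authorize": "True"})


def parse_token_response(body):
    """Token endpoints answer form-encoded: oauth_token=...&oauth_token_secret=..."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]


def form_login(session, base, username, password, url):
    """FORM auth on one session: GET, detect the challenge, POST credentials to
    j_security_check (assumed path), confirm the cookie arrived, then re-GET."""
    resp = session.get(url)
    if not is_auth_challenge(resp.status_code, resp.headers):
        return resp                      # already authenticated, or e.g. 400 if publish is blocked
    session.post(base.rstrip("/") + "/jts/j_security_check",
                 data={"j_username": username, "j_password": password})
    if auth_state(session.cookies.keys()) == "unauthenticated":
        raise RuntimeError("login failed: no JAZZ_AUTH_TOKEN cookie in session")
    return session.get(url)              # replay is harmless for GET, required after a POST


def oauth_dance(session, base, consumer_key, consumer_secret, wait_for_user):
    """Three-legged OAuth against JTS. wait_for_user(url) must block until the user
    has approved the request token in a browser; skipping that step leaves an
    unauthorized token, which is what produced the 400/500 in the question."""
    from requests_oauthlib import OAuth1   # imported lazily: only needed for real traffic
    base = base.rstrip("/")
    r = session.post(base + "/jts/oauth-request-token",
                     auth=OAuth1(consumer_key, consumer_secret))
    r.raise_for_status()
    rt, rts = parse_token_response(r.text)
    wait_for_user(authorize_url(base, rt))          # the manual authorization step
    r = session.post(base + "/jts/oauth-access-token",
                     auth=OAuth1(consumer_key, consumer_secret, rt, rts))
    r.raise_for_status()
    at, ats = parse_token_response(r.text)
    session.auth = OAuth1(consumer_key, consumer_secret, at, ats)  # signs every later call
    return at, ats


if __name__ == "__main__":
    import requests
    s = requests.Session()
    s.verify = "/path/to/ca-bundle.pem"   # placeholder: pin the server CA, never verify=False
    BASE = "https://IP:PORT"              # placeholder
    oauth_dance(s, BASE, "CONSUMER_KEY", "CONSUMER_SECRET",
                lambda url: input("Open %s, approve the token, then press Enter " % url))
    print(s.get(BASE + "/rm/publish/modules?projectName=PROJECTNAME&ptext=true").status_code)
```

Run the script and, when prompted, open the printed oauth-authorize URL in a browser and approve it; only then does the access-token call succeed and every following s.get() carries a valid OAuth signature. If a request still fails, call auth_state(s.cookies.keys()) and open the publish URL in a browser as Ian suggests, to tell an authentication problem apart from a disabled publish service.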

Question asked: Jun 23 '21, 2:04 p.m.

Question was seen: 2,255 times

Last updated: Jun 28 '21, 8:53 a.m.
