
Accessing protected resources with access token


chathurika brahmana (11) | asked Jun 23 '21, 2:04 p.m.

 Hello,

After implementing an OAuth dance and retrieving the access token/secret pair, I have been trying to use it to access protected resources. My request is of the type:

requests.get('https://IP:PORT/rm/publish/modules?projectName=PROJECTNAME&ptext=true', auth=oauth, verify='/path/to/cert')

where oauth is generated through requests_oauthlib and contains:
  • Consumer key
  • Consumer secret
  • access token
  • access token secret
I am getting a 400 error from the GET request, and on checking the server logs I see that the identity server (/jts/jauth-check-auth) responds with a 500 internal server error due to an exception thrown from com.ibm.team.jfs.app.auth.IdentityHelper.doCheckAuth.
Jazz version is 6.0.6, any ideas? Thanks


Comments
Ian Barnard commented Jun 23 '21, 3:01 p.m. | edited Jun 23 '21, 3:06 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

See my answer

2 answers



Ralph Schoon | answered Jun 25 '21, 6:15 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

If you log into RM as a client, as far as I know, you have to do that against JTS and not RM. The reason is that RM delegates its authentication to JTS (other than EWM, ETM).


I am not sure if that applies to OAuth as well. 


Comments
chathurika brahmana commented Jun 27 '21, 3:32 p.m.

The authentication is done on JTS, specifically

https://IP:PORT/jts/oauth-request-token 
https://IP:PORT/jts/oauth-authorize?oauth_token=TOKEN&Authorize=True
https://IP:PORT/jts/oauth-access-token

as per https://jazz.net/wiki/bin/view/Main/JFSCoreSecurity#Application_Authentication


Ian Barnard | answered Jun 23 '21, 3:07 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

 Hi


Rather than using requests.get(), which you would have to populate with headers and cookies for every operation you want to do, you should create a requests session (let's say this session is called s) to do the authentication, so it gets the cookies from the auth; then use that session, as in s.get(), for all further operations to the server, i.e. a single session s used for all operations including authentication.

HTH
Ian


Comments
chathurika brahmana commented Jun 24 '21, 11:57 a.m.

 Hello, 


On using requests session instead, while I can see the set cookies from the auth dance, the same problem persists.


Ian Barnard commented Jun 25 '21, 5:20 a.m. | edited Jun 25 '21, 6:12 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
I don't think your authorization is working, although TBH I'd expect you to get 403 rather than 400.

I've only ever used form authentication from Python (like your browser does, using username/password). See under heading "FORM challenge" here https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication - except that for a GET the statement "you always have to replay the original request" is wrong, but doesn't do harm: what I see is that the successful response to the auth GET is automatic redirection to the original GET location, i.e. no need to replay. If the original request was a POST you *would* have to replay the original, because the HTTP protocol specifies that redirects can only use GET.

Summary: For FORM auth you do the GET which returns 200 flagged with the authrequired; you build an authentication URL and if successful the response is 200 with cookie JAZZ_AUTH_TOKEN and contains the data originally requested.

After authenticating does your session have a cookie JAZZ_AUTH_TOKEN?


Ian Barnard commented Jun 25 '21, 11:10 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Or for JAS when the auth is complete you have cookies JSA_AUTH_COMPLETE, JSA_SESSION_IDENTITY and JSESSIONID (i.e. there is no JAZZ_AUTH_TOKEN cookie)


Ian Barnard commented Jun 25 '21, 12:41 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Hmm, I've just checked on a different server near me and it returns 400 from https://SERVER:PORT/rm/publish/resources/* and I know the authentication I'm using works on that server - so check this on your server by opening the URL in a browser. If publishing isn't disabled/blocked this should give some XML results; if it gives a 400 then I guess the publish service is disabled/blocked.


chathurika brahmana commented Jun 28 '21, 8:53 a.m.

Thank you for all the help, you were right that the authorization wasn't working. I had unknowingly skipped a part of the process: I was operating under the assumption that by running the authorization request on the JTS server no user interaction was necessary, since I was obtaining a pair of access key/secret. This was false; I still had to access the page manually and authorize the request token (?), and after doing so I was able to access the protected resources easily.
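The full three-legged dance the thread arrives at, as an added example that is not code from the original post, from IBM or from jazz.net: a client that calls the three /jts endpoints listed above in order and then signs the /rm/publish request, with RFC 5849 HMAC-SHA1 signing written in the Python standard library (the part requests_oauthlib normally does for you) and a fake JTS in the same file so it runs offline. The FakeJTS class, its status codes and messages, the host jazz.example:9443 and the consumer key/secret are assumptions; a real JTS may respond differently (the asker saw a 400 from /rm, not a 401). The point of the example is the step that was skipped: an access token is only issued for a request token that a logged-in user has approved at oauth-authorize, so run_flow(..., user_authorizes=False) stops at /jts/oauth-access-token.

```python
# Added example, not code from the original post, IBM or jazz.net.  Three-legged
# OAuth 1.0a against the /jts endpoint paths quoted in the thread, RFC 5849
# HMAC-SHA1 signing in the standard library, and a fake JTS so it runs offline.
# Assumptions: placeholder host, consumer key/secret, FakeJTS behaviour/status codes.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

BASE = "https://jazz.example:9443"   # assumed stand-in for the thread's https://IP:PORT


def pct(s):
    return quote(str(s), safe="~")   # RFC 5849 3.6: only unreserved characters stay bare


def signature_base(method, url, params):
    """Base string: METHOD & base-URL & normalised(query params + oauth/body params)."""
    parts = urlsplit(url)
    pairs = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(f"{parts.scheme}://{parts.netloc}{parts.path}"), pct(norm)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; token_secret is empty for the request-token call.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def auth_header(method, url, ckey, csecret, token="", tsecret=""):
    """Build the 'Authorization: OAuth ...' header requests_oauthlib would add."""
    p = {"oauth_consumer_key": ckey, "oauth_nonce": secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time()))}
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = sign(method, url, p.items(), csecret, tsecret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in p.items())


def parse_auth_header(header):
    if not header.startswith("OAuth "):
        return {}
    return {unquote(k): unquote(v.strip('"'))
            for k, v in (item.split("=", 1) for item in header[6:].split(", "))}


class FakeJTS:
    """Stand-in for the JTS OAuth provider; an assumption, not the real server."""
    def __init__(self, consumers):
        self.consumers = consumers      # consumer key -> consumer secret
        self.request_tokens = {}        # token -> [secret, authorized by a user?]
        self.access_tokens = {}         # token -> secret

    def _verified(self, method, url, header, token_secret=""):
        p = parse_auth_header(header)
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        claimed = p.pop("oauth_signature", None)
        if csecret is None or claimed is None:
            return False
        return hmac.compare_digest(claimed, sign(method, url, p.items(), csecret, token_secret))

    def handle(self, method, url, headers):
        """Route one request to an endpoint; returns (status, body)."""
        parts, auth = urlsplit(url), headers.get("Authorization", "")
        if parts.path == "/jts/oauth-request-token":
            if not self._verified(method, url, auth):
                return 401, "bad consumer signature"
            tok, sec = secrets.token_hex(8), secrets.token_hex(16)
            self.request_tokens[tok] = [sec, False]
            return 200, urlencode({"oauth_token": tok, "oauth_token_secret": sec})
        if parts.path == "/jts/oauth-authorize":
            # The interactive step: a user logged in to JTS approves the request token.
            q = dict(parse_qsl(parts.query))
            entry = self.request_tokens.get(q.get("oauth_token"))
            if entry is None or q.get("Authorize") != "True":
                return 400, "unknown token or not approved"
            entry[1] = True
            return 200, "authorized"
        if parts.path == "/jts/oauth-access-token":
            entry = self.request_tokens.get(parse_auth_header(auth).get("oauth_token"))
            if entry is None or not self._verified(method, url, auth, entry[0]):
                return 401, "bad request-token signature"
            if not entry[1]:
                return 401, "request token never authorized"   # the step skipped in the thread
            tok, sec = secrets.token_hex(8), secrets.token_hex(16)
            self.access_tokens[tok] = sec
            return 200, urlencode({"oauth_token": tok, "oauth_token_secret": sec})
        # Anything else is a protected resource: needs a signature with an issued access token.
        tsecret = self.access_tokens.get(parse_auth_header(auth).get("oauth_token"))
        if tsecret is None or not self._verified(method, url, auth, tsecret):
            return 401, "not authorized"
        return 200, "<modules/>"


def run_flow(server, ckey, csecret, user_authorizes=True):
    """Client side of the dance; returns the status of the final protected GET."""
    url = BASE + "/jts/oauth-request-token"
    st, body = server.handle("POST", url, {"Authorization": auth_header("POST", url, ckey, csecret)})
    if st != 200:
        return st
    rt = dict(parse_qsl(body))
    if user_authorizes:   # what happens when the user opens oauth-authorize in a browser
        server.handle("GET", f"{BASE}/jts/oauth-authorize?oauth_token={rt['oauth_token']}&Authorize=True", {})
    url = BASE + "/jts/oauth-access-token"
    hdr = auth_header("POST", url, ckey, csecret, rt["oauth_token"], rt["oauth_token_secret"])
    st, body = server.handle("POST", url, {"Authorization": hdr})
    if st != 200:
        return st
    at = dict(parse_qsl(body))
    url = BASE + "/rm/publish/modules?projectName=PROJECTNAME&ptext=true"
    hdr = auth_header("GET", url, ckey, csecret, at["oauth_token"], at["oauth_token_secret"])
    return server.handle("GET", url, {"Authorization": hdr})[0]
```

signature_base reproduces the base string given for the example request in RFC 5849 section 3.4.1.1, which is the quickest way to check a hand-rolled signer before pointing it at a server; with a real JTS, keep the signing in requests_oauthlib and use the flow above only as the map of which call needs which secret and where the browser step sits.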
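Ian's FORM alternative, as a second added example (again not from the original post, IBM or jazz.net): the GET-challenge, POST-credentials, follow-redirect sequence written against a requests.Session-shaped object so a fake Jazz server can stand in offline. The challenge header X-com-ibm-team-repository-web-auth-msg with values authrequired/authfailed and the j_security_check form (the Java EE form-login convention Jazz uses, described on the linked NativeClientAuthentication page) are taken from memory of that page and should be treated as assumptions, as are the placeholder host and the FakeJazz behaviour; against a real server, pass requests.Session() as session.

```python
# Added example, not from the original post, IBM or jazz.net.  FORM challenge
# handled through a session object; FakeJazz stands in for requests.Session plus
# a Jazz server.  Header name/values, j_security_check and the host are assumptions.
AUTH_HDR = "X-com-ibm-team-repository-web-auth-msg"   # assumed Jazz challenge header
HOST = "https://jazz.example:9443"                    # assumed placeholder host


class Resp:
    """Only the parts of requests.Response this example reads."""
    def __init__(self, status_code, text="", headers=None):
        self.status_code, self.text, self.headers = status_code, text, headers or {}


class FakeJazz:
    """Stand-in for a requests.Session talking to a FORM-auth Jazz server (assumption)."""
    def __init__(self, users):
        self.users, self.cookies, self.pending = users, {}, None

    def get(self, url, **kw):
        if "JAZZ_AUTH_TOKEN" not in self.cookies:
            self.pending = url            # server remembers the originally requested URL
            return Resp(200, "<html>login form</html>", {AUTH_HDR: "authrequired"})
        return Resp(200, "<modules/>")

    def post(self, url, data=None, **kw):
        if not url.endswith("/jts/j_security_check"):
            return Resp(404)
        if self.users.get(data["j_username"]) != data["j_password"]:
            return Resp(200, "<html>login failed</html>", {AUTH_HDR: "authfailed"})
        self.cookies["JAZZ_AUTH_TOKEN"] = "tok-" + data["j_username"]
        return self.get(self.pending or url)   # requests follows the 302 back to the original GET


def form_login_get(session, url, username, password, cert="/path/to/cert"):
    """GET url through session; answer a FORM challenge if one comes back."""
    r = session.get(url, verify=cert)
    if r.headers.get(AUTH_HDR) != "authrequired":
        return r.text                    # the session already carries a valid login
    r = session.post(f"{HOST}/jts/j_security_check", verify=cert,
                     data={"j_username": username, "j_password": password})
    if r.headers.get(AUTH_HDR) == "authfailed" or "JAZZ_AUTH_TOKEN" not in session.cookies:
        raise PermissionError("FORM login failed")
    return r.text                        # a GET needs no replay: the redirect already served it
```

The check on JAZZ_AUTH_TOKEN is the one Ian asks about; on a JAS-protected deployment the cookies to look for are JSA_AUTH_COMPLETE, JSA_SESSION_IDENTITY and JSESSIONID instead.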
