OIDC Connection to IBM ELM SaaS Environment
Carson Holmes (11●1)
asked May 14 '23, 3:50 p.m.
edited May 15 '23, 4:36 a.m. by Ian Barnard (2.0k●6●13)
From a native client, I am trying to connect to ELM. I have generated an app-password for my credentials at the <base_url>/oidc/endpoint/jazzop/personalTokenManagement, and these credentials work to connect using the ETM Importer/Exporter Excel Add-On. I am following these instructions when trying to get authenticated: https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication specifically the Bearer challenges for comprehensive well-behaving clients section. Here is my experience and where I am stuck:
One answer
Ralph Schoon (63.3k●3●36●46)
answered May 15 '23, 2:45 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER edited May 15 '23, 3:05 a.m.
In the code I wrote (username and password are for the user and not from the friends relationship):
In step 3, you get a 200, but that does not mean there is a form auth request.
In this case you are supposed to check if X-JSA-LOGIN-REQUIRED is in the response header. If you get this header, you need to log in. You get X-JSA-AUTHORIZATION-REDIRECT. You should get a 200 or a 401 back.
If you get a 200 and the response contains the header X-com-ibm-team-integration-jazzop-auth-msg, you get the X-JSA-AUTHORIZATION-REDIRECT and pass basic auth with username and password; you should then get a 200 and are logged in.
If you get a 401, the system is using Kerberos. I have not implemented this path and can only point to https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication for this case.
Also have a look at whether https://www.google.com/search?q=OIDC+site%3Ajazz.net provides some more information. I tried to cover that in https://rsjazz.wordpress.com/2021/10/15/elm-authentication since you commented there. An extract from my code:

```python
import requests
from requests.auth import HTTPBasicAuth

# ... inside the request method; oauth1 is the response to the initial request (step 3)
if oauth1.status_code == requests.codes.ok:
    if 'X-JSA-LOGIN-REQUIRED' in oauth1.headers:
        xjsaloginrequired = oauth1.headers.get('X-JSA-LOGIN-REQUIRED')
        if xjsaloginrequired == 'true':
            # Need to authenticate / Need to re-authenticate
            xjsaauthredirect = oauth1.headers.get('X-JSA-AUTHORIZATION-REDIRECT')
            oauth2res = self.session.get(url=xjsaauthredirect, headers=header, verify=False)
            # identityProvider = oauth2res.request.url
            if oauth2res.status_code == requests.codes.ok:  # 200
                if 'X-com-ibm-team-integration-jazzop-auth-msg' in oauth2res.headers:
                    xcomjazzop = oauth2res.headers.get('X-com-ibm-team-integration-jazzop-auth-msg')
                    self.dPrint(f"X-com-ibm-team-integration-jazzop-auth-msg {xcomjazzop}", True)
                    # Second GET of the redirect URL, this time with basic auth
                    selfauth = HTTPBasicAuth(self.username, self.password)
                    oauth3Authres = self.session.get(url=xjsaauthredirect, headers=header, auth=selfauth, verify=False)
                    authstat = oauth3Authres.status_code
                    if oauth3Authres.status_code == requests.codes.ok:
                        # Logged in: retry the original request
                        return self.internalRetry(method=method, URI=URI, header=header, payload=payload, fileName=fileName + '4-Retry.xml')
                    else:
                        return False, oauth3Authres
                return False, oauth2res
            if oauth2res.status_code == requests.codes.unauthorized:  # 401
                self.dPrint("OAuth2 401 - Kerberos or Basic not yet implemented", True)
                return False, oauth2res
            # status_code is an int, so format it rather than concatenating it to a str
            self.dPrint(f"OAuth2 Unexpected responseStatus: {oauth2res.status_code}", True)
            return False, oauth2res
```

Comments
All the steps above are actually explained in the blog post.
Carson Holmes
commented May 15 '23, 9:34 a.m.
Sorry Ralph, I forgot to mention on the 200 error, I do get X-JSA-LOGIN-REQUIRED: true. I don't believe the system is using Kerberos, but will check with ClearObject. I think BasicAuth is also disabled in this environment. When I authenticate successfully with the Excel add-on, I use userID and OIDC app-password, not password, so there must be a path here. I cannot get BasicAuth to work with the Excel add-on.
I cannot seem to supply userID and OIDC app-password (or basic password) correctly to get past the 401 error. Would this command work with app-password instead of BasicAuth?
selfauth = HTTPBasicAuth(self.username, self.password)
Ralph Schoon
commented May 15 '23, 10:09 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
I was given a system to try and I also ran into the 401. I tested my code in the past and it was working. No idea what is happening at the moment.
Ralph Schoon
commented May 15 '23, 10:18 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
If you want to try whether basic auth works, you would have to send the authentication with every request. If you have different usernames and passwords, try them one by one.
Carson Holmes
commented May 15 '23, 1:43 p.m.
I cannot get basic auth to work, I'm pretty sure it's disabled. I've inquired with ClearObject but have not yet received a response. I have a case open on this now, Case number TS013024550.
Carson Holmes
commented May 25 '23, 7:03 p.m.
Still fighting with this. Found this article https://jazz.net/wiki/bin/view/Main/ApplicationPasswordsAdoption: so I started including app-password-enabled on the User-Agent header. That generated an additional response header called X-JSA-APP-PASSWORD-REDIRECT.
When I use that URL and Basic Auth with userID/app-password, I get a 401 with a new response:
{
"error_code": "_invalid_basic_credentials",
"error_message": "Your request is attempting to gain access to an application with Basic credentials, but the credentials are invalid.",
"error_message_explanation": "If an application is using a Basic authorization header to gain access to an application, the credentials are validated with an authorization server which may reject them."
}
However, if the app-password I supply is incorrect, I get a 401 with no response body. It has to be supplied perfectly to get this response, which seems kind of odd.
Carson Holmes
commented May 25 '23, 7:05 p.m.
I also decided to turn on the full TRACE using the ExcelETMImporter tool, looking for clues. Unfortunately, only the URLs are logged and not the headers, so I am still stuck in the same spot. It also uses the X-JSA-APP-PASSWORD-REDIRECT URL. So that does seem like an important part of the flow. Any ideas what is missing?
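As an added example (not Ralph's code, not Carson's, and not from any IBM tool), the challenge flow described in the answer and in the app-password comments, written as a small client that is driven against a constructed fake server so it runs offline. The client follows the page's steps: initial GET with app-password-enabled in the User-Agent, check X-JSA-LOGIN-REQUIRED, prefer X-JSA-APP-PASSWORD-REDIRECT over X-JSA-AUTHORIZATION-REDIRECT, probe the redirect for X-com-ibm-team-integration-jazzop-auth-msg, resend with Basic credentials, then retry the resource. On a 401 it parses the JSON error body quoted above so the caller sees the error_code instead of a bare status. Everything about the fake (host, redirect paths, the Accept header, and that it returns the _invalid_basic_credentials body whenever Basic credentials are rejected) is an assumption; a real client would pass `lambda url, h: session.get(url, headers=h)` with a requests.Session so cookies persist across the steps.

```python
import base64
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal stand-in for requests.Response (same attribute names)."""
    status_code: int
    headers: Dict[str, str] = field(default_factory=dict)
    text: str = ""


Getter = Callable[[str, Dict[str, str]], Response]  # (url, headers) -> Response


def _hdr(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (requests' CaseInsensitiveDict does this natively)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def basic_auth_header(user: str, secret: str) -> str:
    """Authorization value; secret is the password or the OIDC app-password."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")


def jazzop_error_code(resp: Response) -> Optional[str]:
    """error_code from a JSON error body like the one quoted in the thread, else None."""
    try:
        body = json.loads(resp.text)
    except ValueError:
        return None
    return body.get("error_code") if isinstance(body, dict) else None


def login(get: Getter, resource_url: str, user: str, secret: str,
          user_agent: str = "native-client/1.0 app-password-enabled") -> Tuple[str, Response]:
    """Run the bearer-challenge flow; returns (status string, last response)."""
    base = {"User-Agent": user_agent, "Accept": "application/xml"}  # Accept is assumed
    first = get(resource_url, base)
    if first.status_code != 200:
        return f"unexpected-{first.status_code}", first
    if _hdr(first.headers, "X-JSA-LOGIN-REQUIRED") != "true":
        return "ok", first                      # session already authenticated
    redirect = (_hdr(first.headers, "X-JSA-APP-PASSWORD-REDIRECT")
                or _hdr(first.headers, "X-JSA-AUTHORIZATION-REDIRECT"))
    if not redirect:
        return "no-redirect", first
    probe = get(redirect, base)                 # step from the answer: GET without credentials
    if probe.status_code == 401:                # Kerberos / Basic challenge path
        code = jazzop_error_code(probe)
        return (f"rejected:{code}" if code else "challenge-401"), probe
    if probe.status_code != 200 or _hdr(probe.headers, "X-com-ibm-team-integration-jazzop-auth-msg") is None:
        return f"unexpected-{probe.status_code}", probe
    authed = get(redirect, {**base, "Authorization": basic_auth_header(user, secret)})
    if authed.status_code == 401:
        code = jazzop_error_code(authed)        # body present only in some cases, per the thread
        return (f"rejected:{code}" if code else "rejected:no-body"), authed
    if authed.status_code != 200:
        return f"unexpected-{authed.status_code}", authed
    final = get(resource_url, base)             # retry the original request
    if final.status_code == 200 and _hdr(final.headers, "X-JSA-LOGIN-REQUIRED") != "true":
        return "ok", final
    return "still-login-required", final


class FakeJazzServer:
    """Constructed replay of the exchange described in the thread; not a real ELM server."""
    BASE = "https://elm.example.test"                   # placeholder host
    RESOURCE = BASE + "/qm/resource"                    # placeholder resource
    AUTH_REDIRECT = BASE + "/auth-redirect"             # placeholder redirect target
    APP_PW_REDIRECT = BASE + "/app-password-redirect"   # placeholder redirect target
    INVALID_BASIC = json.dumps({"error_code": "_invalid_basic_credentials",
                                "error_message": "Your request is attempting to gain access to an "
                                                 "application with Basic credentials, but the credentials are invalid."})

    def __init__(self, user: str, secret: str) -> None:
        self.user, self.secret, self.logged_in = user, secret, False
        self.calls: List[Tuple[str, bool]] = []     # (url, request carried Authorization)

    def get(self, url: str, headers: Dict[str, str]) -> Response:
        auth = _hdr(headers, "Authorization")
        self.calls.append((url, auth is not None))
        if url == self.RESOURCE:
            if self.logged_in:
                return Response(200, {"Content-Type": "application/xml"}, "<resource/>")
            hdrs = {"X-JSA-LOGIN-REQUIRED": "true", "X-JSA-AUTHORIZATION-REDIRECT": self.AUTH_REDIRECT}
            if "app-password-enabled" in (_hdr(headers, "User-Agent") or ""):
                hdrs["X-JSA-APP-PASSWORD-REDIRECT"] = self.APP_PW_REDIRECT
            return Response(200, hdrs, "")
        if url in (self.AUTH_REDIRECT, self.APP_PW_REDIRECT):
            if auth is None:
                return Response(200, {"X-com-ibm-team-integration-jazzop-auth-msg": "authrequired"}, "")
            expected = basic_auth_header(self.user, self.secret)
            if hmac.compare_digest(auth.encode("utf-8"), expected.encode("utf-8")):
                self.logged_in = True
                return Response(200, {}, "")
            return Response(401, {"Content-Type": "application/json"}, self.INVALID_BASIC)
        return Response(404, {}, "")


if __name__ == "__main__":
    srv = FakeJazzServer("carson", "app-password-constructed")
    print(login(srv.get, FakeJazzServer.RESOURCE, "carson", "app-password-constructed")[0])
```

The status strings separate the outcomes the thread conflates under "401": a rejected credential with a parseable error body, a 401 with no body, and a challenge on the unauthenticated probe, which is what you want logged when diagnosing which authentication path a SaaS tenant has enabled.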