OIDC Connection to IBM ELM SaaS Environment
From a native client, I am trying to connect to ELM. I have generated an app-password for my credentials at the <base_url>/oidc/endpoint/jazzop/personalTokenManagement, and these credentials work to connect using the ETM Importer/Exporter Excel Add-On. I am following these instructions when trying to get authenticated: https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication specifically the Bearer challenges for comprehensive well-behaving clients section. Here is my experience and where I am stuck:
- I call a URI to get a list of projects from qm, <base_url>/qm/service/com.ibm.rqm.integration.service.IIntegrationService/projects. As expected, I get a 401 status code with the X-JSA-AUTHORIZATION-REDIRECT URL.
- So then I do a GET with the X-JSA-AUTHORIZATION-REDIRECT URL and append &prompt=none to the end. As expected, I get a 200 status code and X-JSA-LOGIN-REQUIRED: true. So I proceed to Step 3 as per the instructions.
- Then I do a GET with the X-JSA-AUTHORIZATION-REDIRECT URL and do not append &prompt=none. This is where I am stuck: I either get a 200 status code with a FORM challenge, or, if I supply a well-formed Authorization header such as Basic with userID:app-password, I get Error 401: SRVE0295E: Error reported: 401. I've tried all kinds of things in Postman and Python to get this to work, but can't get past the 401 error. In Step 3, bullet iv, it mentions in red a "Work in progress" that may apply to my SAML SSO situation. Any guidance here would be greatly appreciated.
One answer
Also have a look at whether https://www.google.com/search?q=OIDC+site%3Ajazz.net provides some more information.
I tried to cover that in https://rsjazz.wordpress.com/2021/10/15/elm-authentication since you commented there. An extract from my code:
    import requests
    from requests.auth import HTTPBasicAuth

    # Extract from inside a request method: oauth1 is the response to the
    # prompt=none probe, xjsaauthredirect the X-JSA-AUTHORIZATION-REDIRECT URL.
    if oauth1.status_code == requests.codes.ok:
        if 'X-JSA-LOGIN-REQUIRED' in oauth1.headers:
            xjsaloginrequired = oauth1.headers.get('X-JSA-LOGIN-REQUIRED')
            if xjsaloginrequired == 'true':
                # Need to authenticate / Need to re-authenticate
                oauth2res = self.session.get(url=xjsaauthredirect, headers=header, verify=False)
                # identityProvider = oauth2res.request.url
                if oauth2res.status_code == requests.codes.ok:  # 200
                    if 'X-com-ibm-team-integration-jazzop-auth-msg' in oauth2res.headers:
                        xcomjazzop = oauth2res.headers.get('X-com-ibm-team-integration-jazzop-auth-msg')
                        self.dPrint(f"X-com-ibm-team-integration-jazzop-auth-msg {xcomjazzop}", True)
                        # Present the credentials on the redirect URL (without prompt=none)
                        selfauth = HTTPBasicAuth(self.username, self.password)
                        oauth3Authres = self.session.get(url=xjsaauthredirect, headers=header, auth=selfauth, verify=False)
                        authstat = oauth3Authres.status_code
                        if oauth3Authres.status_code == requests.codes.ok:
                            # Authenticated: retry the original request on the session
                            return self.internalRetry(method=method, URI=URI, header=header, payload=payload, fileName=fileName + '4-Retry.xml')
                        else:
                            return False, oauth3Authres
                    return False, oauth2res
                if oauth2res.status_code == requests.codes.unauthorized:  # 401
                    self.dPrint("OAuth2 401 - Kerberos or Basic not yet implemented", True)
                    return False, oauth2res
                self.dPrint(f"OAuth2 Unexpected responseStatus: {oauth2res.status_code}", True)
                return False, oauth2res
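The same challenge sequence as a stand-alone, offline-runnable function, added here as an example that is not part of the answer above or of the linked blog post. It takes any `get(url, auth=None)` callable (a `requests.Session.get` wrapper would do) and reports the outcome of each step by name, so the 401 on the credentialed redirect request from the question shows up as a distinct "auth_rejected" result rather than a generic failure; the fake server, its host and its redirect URL are constructed placeholders, not real ELM behaviour.

```python
AUTH_REDIRECT = "X-JSA-AUTHORIZATION-REDIRECT"
LOGIN_REQUIRED = "X-JSA-LOGIN-REQUIRED"

def _hdr(resp, name):
    # Case-insensitive header lookup (requests does this for you; plain dicts do not)
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower())

def jazz_bearer_flow(get, resource_url, auth):
    """Run the wiki's Bearer-challenge steps; return (outcome, last_response).
    `get(url, auth=None)` must return an object with .status_code and .headers."""
    r1 = get(resource_url)                       # step 1: unauthenticated request
    redirect = _hdr(r1, AUTH_REDIRECT)
    if r1.status_code != 401 or not redirect:
        return ("ok" if r1.status_code == 200 else "unexpected"), r1
    sep = "&" if "?" in redirect else "?"
    r2 = get(redirect + sep + "prompt=none")     # step 2: silent probe
    if r2.status_code != 200:
        return "unexpected", r2
    if (_hdr(r2, LOGIN_REQUIRED) or "").lower() == "true":
        r3 = get(redirect, auth=auth)            # step 3: credentials, no prompt=none
        if r3.status_code == 401:                # the symptom described in the question
            return "auth_rejected", r3
        if r3.status_code != 200:
            return "unexpected", r3
    r4 = get(resource_url)                       # step 4: retry on the authenticated session
    return ("ok" if r4.status_code == 200 else "unexpected"), r4

class FakeResponse:
    def __init__(self, status_code, headers=None):
        self.status_code, self.headers = status_code, headers or {}

def make_fake_jas(accepts, base="https://elm.example.invalid"):
    """Constructed stand-in for a JAS-protected ELM server (not the behaviour of
    any real ELM release): it honours exactly the `accepts` (user, secret) pair."""
    redirect = base + "/placeholder-authorize?client=qm"   # constructed URL
    projects = base + "/qm/service/com.ibm.rqm.integration.service.IIntegrationService/projects"
    state = {"session": False}

    def get(url, auth=None):
        if url == projects:
            return FakeResponse(200) if state["session"] else FakeResponse(401, {AUTH_REDIRECT: redirect})
        if url == redirect + "&prompt=none":
            return FakeResponse(200, {LOGIN_REQUIRED: "true"})
        if url == redirect and auth == accepts:
            state["session"] = True
            return FakeResponse(200)
        return FakeResponse(401 if url == redirect else 404)
    return get, projects
```

Swap `make_fake_jas` for a thin wrapper around a real session to drive an actual server; the outcome names then tell you which step rejected the request.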
Comments
All the steps above are actually explained in the blog post.
Note, as far as I understand, you can try to use Basic Authentication as a fallback for JAS-based systems, if needed.
Sorry Ralph, I forgot to mention on the 200 error, I do get X-JSA-LOGIN-REQUIRED: true. I don't believe the system is using Kerberos, but will check with ClearObject. I think BasicAuth is also disabled in this environment. When I authenticate successfully with the Excel add-on, I use userID and OIDC app-password, not password, so there must be a path here. I cannot get BasicAuth to work with the Excel add-on.
selfauth = HTTPBasicAuth(self.username, self.password)
I was given a system to try and I also run into the 401. I tested my code in the past and it was working. No idea what is happening at the moment.
If you want to check whether basic auth works, you would have to send the authentication with every request. If you have different usernames and passwords, try them one by one.
I cannot get basic auth to work; I'm pretty sure it's disabled. I've inquired with ClearObject but have not yet received a response. I have a case open on this now, Case number TS013024550.
I also decided to turn on the full TRACE using the ExcelETMImporter tool, looking for clues. Unfortunately, only the URLs are logged and not the headers, so I am still stuck in the same spot. It also uses the X-JSA-APP-PASSWORD-REDIRECT URL, so that does seem like an important part of the flow. Any ideas what is missing?