It's all about the answers!

Ask a question

OIDC Connection to IBM ELM SaaS Environment

Carson Holmes Carson Holmes (11) | asked May 14, 3:50 p.m.
edited May 15, 4:36 a.m. by Ian Barnard (1.7k613)

 From a native client, I am trying to connect to ELM.  I have generated an app-password for my credentials at the <base_url>/oidc/endpoint/jazzop/personalTokenManagement, and these credentials work to connect using the ETM Importer/Exporter Excel Add-On.  I am following these instructions when trying to get authenticated: specifically the Bearer challenges for comprehensive well-behaving clients section.  Here is my experience and where I am stuck:

  • I call a URI to get a list of projects from qm, <base_url>/qm/service/, as expected I get a 401 status code with the X-JSA-AUTHORIZATION-REDIRECT URL.
  • So then I do a get with the X-JSA-AUTHORIZATION-REDIRECT URL and append the &prompt=none to the end.  As expected I get a 200 status code, and X-JSA-LOGIN_REQUIRED: true.  So proceed to the Step 3 as per the instructions.
  • Then I do a get with the X-JSA-AUTHORIZATION-REDIRECT URL and do not append the &prompt=none.  This is where I am stuck, I either get a 200 status code with a FORM challenge, or if I supply a well-formed  Authorization header, such as Basic with userID:app-password, I get Error 401: SRVE0295E: Error reported: 401.  I've tried all kinds of things in Postman and Python to get this to work, but can't get passed the 401 error.  In Step 3, bullet iv, it mentions in red a "Work in progress" that may apply to my SAML SSO situation.  Any guidance here would be greatly appreciated.

One answer

permanent link
Ralph Schoon (62.3k33643) | answered May 15, 2:45 a.m.
edited May 15, 3:05 a.m.
In the code I wrote (username and password are for the user and not from the friends relationship.):

In step 3, you get a 200, but that does not mean there is a form auth request. 
In this case you are supposed to check if X-JSA-LOGIN-REQUIRED is in the response header. If you get this header, you need to log in. You get X-JSA-AUTHORIZATION-REDIRECT. You should get a 200 or a 401 back.
If you get a 200, if the response contains the header X-com-ibm-team-integration-jazzop-auth-msg you get the X-JSA-AUTHORIZATION-REDIRECT and pass a basic auth with username and password, you should get a 200 and are logged in.

If you get a 401, the system is using Kerberos. I have not implemented this path and can only point to for this case.

Also have a look if provides some more information.

I tried to cover that in since you commented there. An extract from my code.

                    if (oauth1.status_code ==
                        if ('X-JSA-LOGIN-REQUIRED' in oauth1.headers):
                            xjsaloginrequired = oauth1.headers.get('X-JSA-LOGIN-REQUIRED')
                            if (xjsaloginrequired == 'true'):
                                # Need to authenticate / Need to re-authenticate
                                oauth2res = self.session.get(url=xjsaauthredirect, headers=header, verify=False)
                                #identityProvider = oauth2res.request.url
                                if (oauth2res.status_code ==  # 200
                                    if ('X-com-ibm-team-integration-jazzop-auth-msg' in oauth2res.headers):
                                        xcomjazzop = oauth2res.headers.get('X-com-ibm-team-integration-jazzop-auth-msg')
                                        self.dPrint(f"X-com-ibm-team-integration-jazzop-auth-msg {xcomjazzop}", True)
                                    selfauth = HTTPBasicAuth(self.username, self.password)
                                    oauth3Authres = self.session.get(url=xjsaauthredirect, headers=header,
                                                                     auth=selfauth, verify=False)
                                    authstat = oauth3Authres.status_code
                                    if (oauth3Authres.status_code ==
                                        return self.internalRetry(method=method, URI=URI, header=header,
                                                                  payload=payload, fileName=fileName + '4-Retry.xml')
                                        return False, oauth3Authres
                                    return False, oauth2res
                                if (oauth2res.status_code ==  # 401
                                    self.dPrint("OAuth2 401 - Kerberos or Basic not yet implemented", True)
                                    return False, oauth2res
                                self.dPrint("OAuth2 Unexpected responseStatus:" + oauth2res.status_code, True)
                                return False, oauth2res


Ralph Schoon commented May 15, 5:25 a.m.

All the steps above are actually explained in the blog post. 

Note, as far as I understand, you can try to use Basic Authentication as a fallback for JAS based systems, if needed. 

Carson Holmes Carson Holmes commented May 15, 9:34 a.m.

Sorry Ralph, I forgot to mention on the 200 error, I do get X-JSA-LOGIN-REQUIRED: true.  I don't believe the system is using Kerberos, but will check with ClearObject.  I think BasicAuth is also disabled in this environment.  When I authenticate successfully with the Excel add-on, I use userID and OIDC app-password, not password, so there must be a path here.  I can not get BasicAuth to work with the Excel add-on.

I can not seem to supply userID and OIDC app-password (or basic password) correctly to get passed the 401 error.  Would this command work with app-password instead of BasicAuth?

selfauth = HTTPBasicAuth(self.username, self.password) 

Ralph Schoon commented May 15, 10:09 a.m.

I was given a system to try and I also run into the 401. I tested my code in the past ands it was working. No idea what is happening at the moment.

Ralph Schoon commented May 15, 10:18 a.m.

 If you want to try if basic auth works, you would have to send the authentication with every request. If you have different usernames and passwords, try them one by one.

Carson Holmes Carson Holmes commented May 15, 1:43 p.m.

I can not get basic auth to work, I'm pretty sure it's disabled.  I've inquired from ClearObject have not yet received a response.  I have a case open on this now, Case number TS013024550. 

Carson Holmes Carson Holmes commented May 25, 7:03 p.m.
Still fighting with this.  Found this article so started including app-password-enabled on the User-Agent header.  That generated an additional response header called X-JSA-APP-PASSWORD-REDIRECT.
When I use that URL and Basic Auth with userID/app-password, I get a 401 with a new response:
    "error_code": "_invalid_basic_credentials",
    "error_message": "Your request is attempting to gain access to an application with Basic credentials, but the credentials are invalid.",
    "error_message_explanation": "If an application is using a Basic authorization header to gain access to an application, the credentials are validated with an authorization server which may reject them."
However, if the app-password I supply is incorrect, I get a 401 with no response body.  It has to be supplied perfectly to get this response, which seems kind of odd.

Carson Holmes Carson Holmes commented May 25, 7:05 p.m.

I also decided to turn on the full TRACE using the ExcelETMImporter tool, looking for clues.  Unfortunately, only the URLs are logged an not the headers so am still stuck in the same spot.  It also uses the X-JSA-APP-PASSWORD-REDIRECT URL.  So that does seem like an important part of the flow.  Any ideas what is missing?

showing 5 of 7 show 2 more comments

Your answer

Register or to post your answer.