Hi All,
I am having some difficulty configuring an Oracle ORDS OAuth resource and require some insight as to how the OAuth authentication model works, I have read through the K2 documentation but its not clear to me how the Authenctication Code model would work for K2.
I have the Authorization URL, I have configured all the parameters (tested and confimed with Postman calls) but when I try to use the configured OAuth I get the following message:
When clicking OK it redirects me to a login page with the parameters in the URL being correct. I log in and it then redirects to a url with the Auth code back into Oracle and not to K2 as expected.
I have the following documentaiton from Oracle regarding the Autherization Code approach:
OAuth 2 : Authorization Code
The authorization code flow is a three-legged process. The user accesses a URL in a browser, which prompts for credentials. Once authenticated, the browser is redirected to a specified page with an authhorization code as one of the parameters in the URL. That authorization code is used in a call to generate an access token, which is used to authenticate calls to protected resources. With the exception of the user confirmation, all the other steps in the flow should be handled by the application. All the steps will be presented separately in the example that follows.
Remember to clean up the OAUTH metadata, as described in the Deleting OAUTH Metadata section.
Create a client using the grant type of "authorization_code". The redirect and support URLs are not real, but we will be able to follow the example through anyway.
CONN testuser1/testuser1@pdb1BEGIN OAUTH.create_client( p_name => 'Emp Client', p_grant_type => 'authorization_code', p_owner => 'My Company Limited', p_description => 'A client for Emp management', p_redirect_uri => 'https://ol7-121.localdomain:8443/ords/pdb1/testuser1/redirect', p_support_email => '*personal details removed*', p_support_uri => 'https://ol7-121.localdomain:8443/ords/pdb1/testuser1/support', p_privilege_names => 'emp_priv' ); COMMIT;END;/-- Display client details.COLUMN name FORMAT A20SELECT id, name, client_id, client_secretFROM user_ords_clients; ID NAME CLIENT_ID CLIENT_SECRET---------- -------------------- -------------------------------- -------------------------------- 10333 Emp Client gxqNSyxPbLUJhSj1yBe8qA.. E-_mKJBlOTfTdHc_zISniA..SQL>
Associate the client with the role that holds the correct privileges for the resources it needs to access.
BEGIN OAUTH.grant_client_role( p_client_name => 'Emp Client', p_role_name => 'emp_role' ); COMMIT;END;/-- Display client-role relationship.COLUMN client_name FORMAT A30COLUMN role_name FORMAT A20SELECT client_name, role_nameFROM user_ords_client_roles;CLIENT_NAME ROLE_NAME------------------------------ --------------------Emp Client emp_roleSQL>
We then attempt to request an authorization code. Notice we are using the CLIENT_ID from the USER_ORDS_CLIENTS view along with a unique string that will represent the state.
CLIENT_ID : gxqNSyxPbLUJhSj1yBe8qA..State : 3668D7A713E93372E0406A38A8C02171URL : https://ol7-121.localdomain:8443/ords/pdb1/testuser1/oauth/auth?response_type=code&client_id={client_id}&state={state}Access the following URL from a browser.
https://ol7-121.localdomain:8443/ords/pdb1/testuser1/oauth/auth?response_type=code&client_id=gxqNSyxPbLUJhSj1yBe8qA..&state=3668D7A713E93372E0406A38A8C02171
You are presented with a 401 message, which includes a "sign in" link. Click the link, sign in with the ORDS credentials you created ealier (emp_user) and you will be directed to an approval page. Click the "Approve" button, which will take you to the redirect page you specified for the client.
The redirect page we specified for the client doesn't really exist, but we can get the authorization code and state from the URL.
https://ol7-121.localdomain:8443/ords/pdb1/testuser1/redirect?code=FF-APuIMukuBlrver1XU2A..&state=3668D7A713E93372E0406A38A8C02171
The application should check the state string matches the one used in the initial call. We use the authorization code to retrieve the access token.
CLIENT_ID : gxqNSyxPbLUJhSj1yBe8qA..CLIENT_SECRET : E-_mKJBlOTfTdHc_zISniA..User : CLIENT_ID:CLIENT_SECRETData : grant_type=authorization_code&code={authorization-code}URL : https://ol7-121.localdomain:8443/ords/pdb1/testuser1/oauth/tokenThe following call retrieves the access token.
$ curl -i -k --user gxqNSyxPbLUJhSj1yBe8qA..:E-_mKJBlOTfTdHc_zISniA.. --data "grant_type=authorization_code&code=FF-APuIMukuBlrver1XU2A.." https://ol7-121.localdomain:8443/ords/pdb1/testuser1/oauth/tokenHTTP/1.1 200 OKServer: Apache-Coyote/1.1X-Frame-Options: SAMEORIGINContent-Type: application/jsonTransfer-Encoding: chunkedDate: Wed, 29 Jun 20*personal details removed*:38:52 GMT{"access_token":"cOYb2hFK_SyxOh8o9n6R7A..","token_type":"bearer","expires_in":3600,"refresh_token":"RC33rvSwAfhguraOWlvgfA.."}$We can now access the protected resource using the access token.
$ curl -i -k -H"Authorization: Bearer cOYb2hFK_SyxOh8o9n6R7A.." https://ol7-121.localdomain:8443/ords/pdb1/testuser1/testmodule1/emp/7788HTTP/1.1 200 OKServer: Apache-Coyote/1.1ETag: "jtC17IXyetESUjSkxB2ani/a1TnFh28yfor+fLmxxUzGr6G9IFxQ77+/Gd71W4Qzz0rSxf90Qqbl+ICwezTayQ=="Content-Type: application/jsonTransfer-Encoding: chunkedDate: Wed, 29 Jun 20*personal details removed*:40:34 GMT{"items":M{"empno":7788,"ename":"SCOTT","job":"ANALYST","mgr":7566,"hiredate":"19*personal details removed*T23:00:00Z","sal":3003,"comm":null,"deptno":20}],"hasMore":false,"limit":0,"offset":0,"count":1,"links"::{"rel":"self","href":"https://ol7-122.localdomain:8443/ords/pdb1/testuser1/testmodule1/emp/7788"},{"rel":"describedby","href":"https://ol7-122.localdomain:8443/ords/pdb1/testuser1/metadata-catalog/testmodule1/emp/item"}]}$ Can anyone please provide some insight ?
Kind regards,
Helgard Wagener
