uploading data into ibm connection with oAuth - ibm-sbt

We want Socialite (web-application name) user data to upload on IBM-Connections per user active stream.
It requires proper OAuth mechanism. To achieve this, we are working on OAuth to get OAuth Token and OAuth Secrete per IBM Connections user wise.
We created the AppID, Appkey and AppSecrete with the help of commands mention in IBM documents. http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.0+documentation#action=openDocument&res_title=Registering_an_OAuth_client_with_a_provider_ic40&content=pdcontent
Now we need requestTokenURL, authorizationURL, accessTokenURL to get the access token and access secret per IBM Connection user wise.
Please advise me.

The authorization URL should be
https://:/oauth2/endpoint/connectionsProvider/authorize
The access token URL should be
https://:/oauth2/endpoint/connectionsProvider/token

oAuth2.0 does't have the requestToken anymore. There are only to token uri's
for our test connections environment the endpoint are
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/authorize
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/token
More details you can find here, it's about smartcloud but you can find some good information
http://www-10.lotus.com/ldd/appdevwiki.nsf/xpViewTags.xsp?categoryFilter=OAuth%202.0

Related

How google OAuth sends JWT?

I am trying to understand how google OAuth works. I have implemented this oauth tutorial from spring docs. Below is the screen shot of network traffic occurred when I selected my account from the list of accounts shown by the google.
Resource 1
Resource 2
Resource 3
I guess OAuth works on JWT, and once username and password is correct, it should return JWT. However, I am not able to find JWT returned by google in above network traffic. Am I understanding it wrong?
OAuth2 may use JWT but it is not a requirement even though I believe (not sure on that one) that it would be used between Spring-security and Google.
However the communication is between the server and Google so you would not get the token in the front-end. If you get a token in your front-end it would most probably one generated from your own back-end.

Invalid session when trying to create a session in OKTA

Very new to okta flow, please bear with my ignorance.
I am doing a poc to access sharepoint from my external site and sharepoint is authenticated through OKTA. I want to start getting list view data from share point and expose it on my site.
1) What is the difference of authenticating using username / password flow (vs) using token to authenticate into OKTA?
Step 1: Auth in through username / password get the session token
Step 2 : After this I tried to create a session as per docs:
http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token
You're probably missing a valid Okta API token (cf. Getting a Token ) when calling the /api/v1/sessions endpoint. In any event, you should use the /api/v1/authn endpoint for authentication purposes and that one usually doesn't need an api token (unless you want to authenticate it from a trusted application).
The /api/v1/sessions API with the username/password payload is deprecated so you should shy away from using it in favor of the /api/v1/authn API.
I hope this helps!

Client secret + refreshing the access token in spring oauth2

I am using spring boot for backend and Android device for frontend of my system.
Right now I am facing the challenge to use Spring-OAuth2 to secure my resource server.
I have some questions, which I want to discuss with you:
My knowledge + this tutorial are saying that I should use the OAuth2.0 "password" grant type for my mobile app to obtain an access token. The official spring tutorial for security gives an example how to obtain the access token using password grant type:
$ curl client:secret#localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
And here comes my first question: Is there any possibility to obtain access token using the password grant type without sending the "client secret" ?
Since the client secret could be "reverse engineered" by decompiling the client app. The obtaining access token without secret should be somehow possible, because Facebook SDK for Android also does not need the client_secret in the mobile app.
I think here I have a little trouble understanding why the clientID + clientSecret needs to be included in the request above, because, since there are already username + password included, it should be possible to generate the access token, so does this brings a next level of security ? and does it implies the following (example): I am logged in as Filip in my Android client and I am sending the access token A with each request to the server. Then I log in as Filip into web client and I try to access the resource server from web client using the access token A, which is not possible because access token A was issued only for Android client ?
The next question is how can I refresh the obtained access token ?
I was trying to do so using the command below, but I got "Full authentication is required to access this resource." After I got the new refreshed token, can I use the refresh token to refresh my new access token again ?
curl -v --data "grant_type=refresh_token&client_id=acme&client_secret=acmesecret&refresh_token=REFRESH_TOKEN" http://localhost:9999/uaa/oauth/token
Thank you
The OAuth 2.0 spec allows for so-called public clients i.e. clients that don't authenticate themselves. So it is possible to use the Resource Owner Password Credentials grant with a public client, i.e. one that does not need to send a client secret. It does mean that the Authorization Server cannot assume anything about the client since a client_id is not a secret and there's no way to prevent a malicious client using this grant type or clients from impersonating each other. So using it in this way comes at the cost of reduced security although one may argue that in your case there's no way to use confidential clients anyhow, so there's no difference.
In general the Resource Owner Password Credentials grant is an anti-pattern for OAuth and only meant for migration purposes because it defeats most of the goals of OAuth in itself.
Access tokens are issued on a per-client basis.
You refresh token request seems OK but the Authorization Server may require basic authentication instead of providing the client_id/client_secret as post parameters, considering that you did the same for the original access token request.

OAuth2 with Spring MVC rest APIs

I am targetting to secure my REST APIs by custom OAuth Authorization server of my own (NOT google, facebook etc.) by using Resource Owner Password Credentials Grant. The user would pass the credentials over SSL and would get back the Access Token and Refresh token. I followed this tutorial - http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
However, I have few questions -
1- Is it good approach at the first place.
2- User credentials in that tutorial are passed as query parameter.
It's not the advisable approach. How can I make it a POST request.
3- I want to store credential information in Database and implement
custom authentication by validating the username/password from DB.
(As opposed to the approach in above tutorial in which the
credentials are stored in the file)
Please provide your insight. Thanks!
1) IMHO , I think use Authorization grant instead of resource owner password grant. Which do the same , and more secure then the resource owner password grant.
2) I think you can follow this tutorial to make authentication from DB.

Spring Security to Validate login RestAPI

I know this question asked many times but I did not get answer that I required.
I want link that can help me to create a spring security framework, In which I donot whant login form validation.
It should be done by login RestAPI. I just hit url like-
http://localhost:8080/login
post request containing username and password and it return json response with sucess or failure status
if sucess I would be able to hit secure API Requests.
I am using spring and spring security since 1 and half year with spring security to develop rest API I use below technique for user authentication
Follow below steps
Allow to access http:// localhost:8080/login for all user
User will pass username and password in body
Authenticate user with database entry
create access token and send back to response
using this access token user with interact with secure API.
I will provide source code if you need.
I suggest you to try with Basic Authentication. I believe Rest services are mutual contract between the consumer and provider, so re design your service to access the basic auth header. Your client need to pass the base64 encoded value of username:password, Your service should get the header value and decode you will get the original data back, Check against your backend storage (Ldap or DB).
More about basic authentication . BasicAuthentication

Resources