
Yuri Shteinman • about 10 years ago
Q. What is the page to authenticate the customer and receive an authentication token?
When I registered my app I got that the data custodian authentication page is
https://greenbutton.affsys.com/a3p/api/v1/Custodian/1/Auth
When I navigate there to authenticate a user from my third-party app I get an error. What is the page to authenticate the customer and receive an authentication token? If I do it from the portal it works, but obviously I cannot see the communication between the portal and the data custodian to see what URI is used.
Yuri Shteinman • about 10 years ago
To be more specific what are:
1. Authentication Uri
2. Token Uri (if different from Authentication)
Yuri Shteinman • about 10 years ago
I see in Audit that requests are going to /ldc/api/v1/.. I don't see anywhere in the document "ldc".
Can you please provide the URLs as they are supposed to be in the data custodian profile, such as
{DC_Registration_URI}
{DC_Revocation_URI}
{DC_Authorization_Endpoint}
{DC_Token_Endpoint}
{DC_Revoke_Endpoint}
{DC_ReadService_Endpoint}
{DC_ReadAuthorization_Endpoint}
{DC_Subscription_Endpoint}
{DC_Usage_Endpoint}
so we don't have to guess. The wadl seems not to match what is in test lab.
Yuri Shteinman • about 10 years ago
Please!!! Somebody reply with URLs.
Lindsay Archibald Manager • about 10 years ago
Firstly, what you have to perform is an HTTP redirect to the following URL (the customer will be prompted with the DC login page):
https://greenbutton.affsys.com/auth/signin.jsp?client_id=id-85ffaf0a-777c-4af9-9061-e2bc221941c2&redirect_uri=https%3A%2F%2Fgreenbutton.affsys.com%2Fa3p%2Fmvc%2Fappsetup&state=0%2Fa7fcb34d-271f-4910-a886-2ad617021cfe
Please replace the client_id with the one you obtained during the registration process, and use the correct redirect_uri pointing to your app/site.
If the customer successfully signs in, the data custodian will redirect back to your app with an "access_code". Next, you will have to exchange the "access_code" for a real "Access Token". In order to do that, you will have to parse two parameters from the URL (the URL that you received during the redirection):
* code
* State
Example: https://greenbutton.affsys.com/a3p/mvc/appsetup?code=eyJhbGciOiJSUzI1NiJ9.NTVkYTU0NTYtODlkMC00MTI5LTg1ODYtODhiZGM2ZmI1MWU2MTM3ODYwNTUyNjgyNg.aLCInGlOjXabanfGNAGsxo51d0E4gZ94cRUUn5vWTWnqn2XLYSL58WCSXPHfnDUkCEiJW811LIM1rqViVKtyJ7o6PCH9wr8dRabFeL3HKOQ_f2U99dYL0tBvo7spOH3FWGCiG8Tm2ozOXIVPW0MA5DeWNRfLU5k5UzwqhQsKsx8&state=0%2F6ea50d35-7180-4c44-bbcd-4ce63da67c0a
Finally, make an HTTP POST request to:
https://greenbutton.affsys.com/auth/j_oauth_resolve_access_code
Adding the following FORM parameters:
* grant_type: "authorization_code"
* code: "the code you got above"
* redirect_uri:"uri where you will receive the access token"
Add the following header:
* Authorization: Basic "base64-encode your client_id:client_secret"
*************************
Please Note: Expiration is disabled, so the token will live until someone revokes it (customer / vendor / data custodian).
WesleyPattison • about 10 years ago
This is very informative. Thank you.
Yuri Shteinman • about 10 years ago
I am sending the POST as shown below and get an error:
{"error":"invalid_grant","error_description":"Auth error"}
I included Basic in my headers. What am I doing wrong?
The code I am getting is from the previous step, as you described.
https://greenbutton.affsys.com/auth/j_oauth_resolve_access_code?client_id=id-90884a31-fc6d-4bcf-82a7-51bcb23f59ed&grand_type=authorization_code&code=eyJhbGciOiJSUzI1NiJ9.OTQ3NTlkMmMtOTM1MC00NWYzLWFmNmEtNTYwMTU5YjM5OGJlMTM4MTk1NDU4NjIxNQ.ElRDvlGnGojeeTKrgXCc_KZDXU5ryav2QUHeS6qe8ShtK6ZBeJBE-Ce3gv6EnPQfJvmJGu8p-m0kuSnjthrV_BlZM8WuKsFxOzNBo_U2EnHkH1-yqm8vuv6gpJAhuouwiYrNJpVsuJG2jd-mXob86x4odHZskUa_021i3UNHGkU&redirect_uri=http://myuri
Yuri Shteinman • about 10 years ago
I think grand_type should be grant_type but it didn't help
gellis519 • about 10 years ago
Yes there is a typo above as "grand_type" should actually be "grant_type".
Yuri Shteinman • about 10 years ago
but it still doesn't work :-(
gellis519 • about 10 years ago
I assume all parameter values are correct. Referring to section 5.2.2.2 of the Reference Architecture document, only the client_secret should be encoded in the Authorization header. Is that true in your case?
Yuri Shteinman • about 10 years ago
No, because I changed that when Wesley replied above. If I encode only the secret I get a 401 Unauthorized error:
POST https://greenbutton.affsys.com/auth/j_oauth_resolve_access_code?client_id=id-90884a31-fc6d-4bcf-82a7-51bcb23f59ed&grant_type=authorization%20code&code=eyJhbGciOiJSUzI1NiJ9.YTU1YTczODItMDVkZi00MjU2LWE4NzItYjRkNzM2NWI0ZWNkMTM4MTk1NzI0NzA4MA.EfIEcW0vX4o_s0hmxsg0mJXcAG1suAirPsHoiN858dlLMTYdR-q1QIDCM9jkInh6myQEzkWyPtoNTiuzMxmCvMcwk5qIIkzEqXumhY9eVZ4SRWKaAFEibDIDD2zb8ztW2lNPsuFeRZB6pdFaS5bTrDqgvbZIrqVl5Ffmt2j9ZYU&redirect_uri=http://www.google.com HTTP/1.1
Authorization: Basic c2VjcmV0LThkMGU0NjQ5LTEzNTItNDgxNS05M2MzLTBiZWUwNjNkODljOQ==
Content-Type: application/atom+xml
Host: greenbutton.affsys.com
Connection: Keep-Alive
//////////////////////////////////////////////
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="null"
Content-Type: text/html;charset=utf-8
Content-Length: 958
Date: Wed, 16 Oct 2013 21:00:47 GMT
JBoss Web/7.0.13.Final - Error report
HTTP Status 401 - type Status report
message
description This request requires HTTP authentication ().
JBoss Web/7.0.13.Final
gellis519 • about 10 years ago
I just noticed you have an underscore in "authorization_code". The Reference Architecture document indicates grant_type should be the string "authorization code" i.e. no underscore.
Yuri Shteinman • about 10 years ago
I noticed it too and tried it without underscore. The same result
gellis519 • about 10 years ago
When you say "same result" are you referring to the "invalid_grant" error?
Yuri Shteinman • about 10 years ago
Yes, I returned back to client_id and client_secret in the header to get rid of 401 code and now I am back to invalid_grant
Yuri Shteinman • about 10 years ago
If I repeat the first step from the browser, just copying what's in the "example" above and changing my clientId, I receive on your page "An error occurred while loading application setup. Please try again later." despite the fact that it does return a code. So I think something may be missing in the first step?
Yuri Shteinman • about 10 years ago
Is state mandatory in your app?
Yuri Shteinman • about 10 years ago
It seems that State has a very critical effect on the process. If I change it, then the process doesn't work. How is it generated?
gellis519 • about 10 years ago
The OAuth 2.0 specification states the following for the "invalid_grant" error return:
"The provided authorization grant (e.g., authorization
code, resource owner credentials) is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client."
That would tend to point to an issue with either the code provided, your client_id / client_secret, or perhaps the redirect_uri (i.e. does it match what was originally provided?).
Also, although the Reference Architecture does indicate "authorization code", OAuth 2.0 does actually state "authorization_code" as the value for grant_type.
Yuri Shteinman • about 10 years ago
The problem was redirect_uri.
Then we have a big problem in documentation 5.2.2.2 Create Access Token request. It should say that redirect_uri should match the original redirect_uri of the authorization request. Currently redirect_uri is not even mentioned in that section.
BTW, another problem is that it says to include the client_secret in the header, and it should say client_id and secret.
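The following is an added example, not code from the Green Button portal or from anyone in this thread. It puts Lindsay's three steps together with the corrections that this thread settled on: the Basic header carries client_id:client_secret, grant_type is "authorization_code" with the underscore, and the redirect_uri in the token request must be the same value sent in the authorization redirect. The endpoint paths and parameter names are the ones quoted above; the client_id, client_secret, code and redirect_uri values are constructed placeholders, and the data custodian side is a stand-in that mimics the 401 and invalid_grant responses seen in the thread so the whole exchange runs offline. A real app would replace the transport callable with an HTTPS client.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints exactly as quoted in the thread.
AUTHORIZE_URL = "https://greenbutton.affsys.com/auth/signin.jsp"
TOKEN_URL = "https://greenbutton.affsys.com/auth/j_oauth_resolve_access_code"

# Constructed placeholder code "issued" by the stand-in data custodian below.
ISSUED_CODE = "CODE123"


class GreenButtonClient:
    """Third-party app side of the authorization-code flow."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self.client_secret = client_secret
        # One redirect_uri, sent unchanged in both the authorization redirect
        # and the token request; a mismatch is reported as invalid_grant.
        self.redirect_uri = redirect_uri
        self._pending_states = set()

    def authorization_url(self):
        # Unguessable per-session state, remembered so the callback can be
        # tied to the browser session that started the flow.
        state = secrets.token_urlsafe(24)
        self._pending_states.add(state)
        query = urlencode({"client_id": self.client_id,
                           "redirect_uri": self.redirect_uri,
                           "state": state})
        return f"{AUTHORIZE_URL}?{query}", state

    def verify_state(self, state):
        # Each issued state is accepted exactly once: rejects forged callbacks
        # and replays of an earlier one.
        if state in self._pending_states:
            self._pending_states.remove(state)
            return True
        return False

    def parse_callback(self, callback_url):
        params = parse_qs(urlsplit(callback_url).query)
        code = params.get("code", [None])[0]
        state = params.get("state", [None])[0]
        if code is None or not self.verify_state(state):
            raise ValueError("callback rejected: missing code or bad state")
        return code

    def token_request(self, code):
        # Client credentials go only in the Authorization header as
        # Basic base64(client_id:client_secret); the form carries the rest.
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "authorization_code",  # underscore
                          "code": code,
                          "redirect_uri": self.redirect_uri})
        return {"method": "POST", "url": TOKEN_URL,
                "headers": headers, "body": body}

    def exchange_code(self, code, transport):
        # transport(request) -> (status, payload); stand-in for an HTTPS POST.
        return transport(self.token_request(code))


def fake_data_custodian(client_id, client_secret, registered_redirect):
    """Constructed stand-in for the token endpoint, enforcing the checks
    behind the 401 and invalid_grant responses quoted in this thread."""
    creds = f"{client_id}:{client_secret}".encode()
    expected_auth = "Basic " + base64.b64encode(creds).decode()

    def transport(req):
        if req["headers"].get("Authorization") != expected_auth:
            return 401, {"error": "unauthorized"}
        form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
        if (form.get("grant_type") != "authorization_code"
                or form.get("code") != ISSUED_CODE
                or form.get("redirect_uri") != registered_redirect):
            return 400, {"error": "invalid_grant",
                         "error_description": "Auth error"}
        return 200, {"access_token": "tok-" + secrets.token_hex(8),
                     "token_type": "Bearer"}

    return transport


def run_flow(client, transport, token_redirect_uri=None):
    """Drive one complete flow. Passing token_redirect_uri reproduces the
    mismatched-redirect_uri mistake discussed in the thread."""
    _url, state = client.authorization_url()
    # The customer signs in at _url; the DC redirects back with code and
    # state (the callback URL is constructed here instead of by a browser).
    callback = client.redirect_uri + "?" + urlencode(
        {"code": ISSUED_CODE, "state": state})
    code = client.parse_callback(callback)
    if token_redirect_uri is not None:
        client.redirect_uri = token_redirect_uri
    return client.exchange_code(code, transport)


if __name__ == "__main__":
    c = GreenButtonClient("id-example", "secret-example",
                          "https://app.example/callback")
    dc = fake_data_custodian("id-example", "secret-example",
                             "https://app.example/callback")
    print(run_flow(c, dc))
    print(run_flow(c, dc, token_redirect_uri="http://www.google.com"))
```

The second call in the `__main__` block is exactly the mistake that produced the invalid_grant error above: the authorization redirect went out with one redirect_uri and the token request carried another. Treating redirect_uri as a fixed property of the client rather than a per-request parameter makes that mismatch impossible, and checking the returned state against the set of states the app actually issued keeps an attacker from completing the flow with a code bound to someone else's login.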
gellis519 • about 10 years ago
Yes thank you. We have made not of this.
gellis519 • about 10 years ago
Sorry, the previous post should say "note of this".
Dan Zrobok • about 10 years ago
Is the OAUTH service working? I can only seem to get HTTP 200 OKs from the service regardless of what kind of requests I make to it (valid/invalid).
https://greenbutton.affsys.com/auth/j_oauth_resolve_access_code
Before, for bad requests, I used to get invalid_grant etc as above. Now I get nothing but 200 OK.
Yuri Shteinman • about 10 years ago
It is working
Yuri Shteinman • about 10 years ago
grant_type - "authorization_code" note underscore between auth and code