Digital Assistant and Mobile

    MCS Connector to ORDS with OAuth2 security
    Topic posted October 3, 2018 by Filip Huysmans, tagged Mobile
    Summary:
    How to set up connector security for a REST API from ORDS with OAuth2 security
    Content:

    Hi,

    I'm using Autonomous Mobile Cloud Enterprise 18.2.5.

    I've created REST APIs with ORDS. Without security my chatbot and MCS connectors are working correctly.

    Now I've protected the ORDS REST APIs with OAuth2, with the client credentials flow.

    Using the following curl statements, I'm able to get the necessary services:

    • curl -i --user clientId:clientSecret --data "grant_type=client_credentials" https://<ords_oauth_uri>/
    • curl -i -H "Authorization: Bearer access_token" https://<ords_uri>/

    How do I implement this in my connector?

    According to the documentation, I need to use the following security policies:

    • oauth2_config_client_policy
    • http_oauth2_token_over_ssl_client_policy

    When I select them, I receive a very long list of items to fill in.

    What should I be filling in and in which item?

    Thanks.

    Version:
    18.2.5

    • Frank Nimphius

      Checking it for you.

      Frank

    • Frank Nimphius

      Here's what I got back from engineering. The following settings usually work with ORDS, so try those

      "oracle/http_oauth2_token_client_policy"
        "oauth2.client.csf.key" - "rest.client.credentials (clientId:clientSecret)"
        "federated.client.token" - "false"
        "subject.precedence" - "false"
        "audience.uri" - "NONE"
        "issuer.name" - identityDomain
        "user.tenant.name" - identityDomain
        "keystore.sig.csf.key" - "orakey"
      "oracle/oauth2_config_client_policy"
        "token.uri" - tokenUri (OAuth token authorization URI)
        "oauth2.client.csf.key" - "rest.client.credentials (clientId:clientSecret)"

      Frank
      • Filip Huysmans

        Thx Frank.

        Now I got these errors:

        HTTP/1.1 500 Internal Server Error
        Cache-Control: no-cache, no-store, must-revalidate
        X-ORACLE-DMS-ECID: 55928291-5cff-4704-b702-cc7b783e4533-001698d5
        Connection: keep-alive
        Pragma: no-cache
        Content-Length: 2084
        X-ORACLE-DMS-RID: 0:1
        oracle-mobile-runtime-version: 18.2.5
        Date: Fri, 12 Oct 2018 13:05:15 GMT
        Content-Type: application/json

        {
          "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
          "status": 500,
          "title": "Internal exception invoking Rest Connector.",
          "detail": "An unexpected exception occurred internal to the REST Connector. Review the exception and try calling the service again. If the exception occurs again, contact Oracle Support Services.",
          "o:ecid": "55928291-5cff-4704-b702-cc7b783e4533-001698d5, 0:1",
          "o:errorCode": "MOBILE-16202",
          "o:errorPath": "/mobile/tools/1.0/ui-tooling/endpoint/mobile/connector/GameMania_Connector",
          "o:errorDetails": [
            {
              "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
              "title": "oracle.cloud.mobile.core.security.wss.WssException",
              "detail": "oracle.wsm.security.SecurityException: WSM-00399 :  OAuth2 request sent to OAuth2 server failed with Message :  \"General SSLEngine problem\". Please check OAuth2 server logs for more details.",
              "o:errorDetails": [
                {
                  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                  "title": "oracle.wsm.security.SecurityException",
                  "detail": "WSM-00399 :  OAuth2 request sent to OAuth2 server failed with Message :  \"General SSLEngine problem\". Please check OAuth2 server logs for more details.",
                  "o:errorDetails": [
                    {
                      "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                      "title": "javax.net.ssl.SSLHandshakeException",
                      "detail": "General SSLEngine problem",
                      "o:errorDetails": [
                        {
                          "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                          "title": "javax.net.ssl.SSLHandshakeException",
                          "detail": "General SSLEngine problem",
                          "o:errorDetails": [
                            {
                              "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                              "title": "sun.security.validator.ValidatorException",
                              "detail": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
                              "o:errorDetails": [
                                {
                                  "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                                  "title": "sun.security.provider.certpath.SunCertPathBuilderException",
                                  "detail": "unable to find valid certification path to requested target"
                                }
                              ]
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        }
        

        The SSL certificate was uploaded into the system.

        Any ideas?

        Thx

        Filip

    • Abhishek Singh

      For me the scenario is the same.

      To get the access token:

      curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer <app_secret_key>" -d "grant_type=client_credentials" https://ccadmin.dfsdsdfsdfsdfsdfd.com/ccadmin/v1/login

      To get the response:

      curl -X GET -H "Authorization: Bearer <access_token_received_from_above_step>" https://ccadmin.dfsdsdfsdfsdfsdfd.com/ccstore/v1/products

      I am not able to figure out which policy to choose and what values to give these policy sub-fields.

      The error I am getting is:

      {
        "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
        "status": 500,
        "title": "Internal exception invoking Rest Connector.",
        "detail": "An unexpected exception occurred internal to the REST Connector. Review the exception and try calling the service again. If the exception occurs again, contact Oracle Support Services.",
        "o:ecid": "bceef410-ce73-47f7-aac8-cf0da14712ca-00032a15, 0:6",
        "o:errorCode": "MOBILE-16202",
        "o:errorPath": "/mobile/tools/1.0/ui-tooling/endpoint/mobile/connector/productlist",
        "o:errorDetails": [
          {
            "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
            "title": "oracle.cloud.mobile.core.security.wss.WssException",
            "detail": "oracle.wsm.security.SecurityException: WSM-00398 : The OAuth2 policy configuration property token-uri has an invalid value of \"http://host:port/tokens\". The value must point to a valid Oauth token endpoint and should be specified in the form \"http(s)://host:port/tokens\"; it should not be a null or empty string.",
            "o:errorDetails": [
              {
                "type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1",
                "title": "oracle.wsm.security.SecurityException",
                "detail": "WSM-00398 : The OAuth2 policy configuration property token-uri has an invalid value of \"http://host:port/tokens\". The value must point to a valid Oauth token endpoint and should be specified in the form \"http(s)://host:port/tokens\"; it should not be a null or empty string."
              }
            ]
          }
        ]
      }
      
    • Frank Nimphius

      Hi,

      Unfortunately I don't know, and I don't have the option or the time yet to test this myself. So if this is something blocking you, then I suggest passing this to support. Happy to check back on this when I have more time at hand after OOW. I know, though, that in the past there have been issues with ORDS; however, I am not sure if this is still true. It would take me some time to research - time I don't have until after OOW.

      @Abhishek, yours appears to be different, as you lack a valid token-uri.

      Frank

    • Filip Huysmans

      No problem Frank.


      I got it working through custom Node.js code. Perhaps we can take this up later, with another opportunity.

      Thx for your time.

      Filip