Integration


Topic

    Sharmistha Ghosh
    Is OAuth 2.0 supported by ICS?
    Topic posted May 21, 2018 by Sharmistha Ghosh, last edited June 1, 2018

    Hello Gurus -

    I'm trying to connect to Concur using a REST Adapter connection, but I'm getting the error below:

    Error Message :

    Unable to test connection "*********". [Cause: CASDK-0004]

    - CASDK-0004: Failed to authenticate against the application with the credentials provided

    - Cannot request OAuth access token.

    - POST https://**************/oauth2/v0/token returned a response status of 400 Bad Request

    I used the connection properties and security settings below to invoke the Concur application.

    Connection Role : Invoke

    Connection Properties

    Connection Type: REST API Base URL

    TLS Version: TLSv1

    Connection URL: https://<***************>/api/user/v1.0/users

    Security :

    Security Policy : OAuth Resource Owner Password Credentials

    Except for Auth Request Media Type, all correct values are provided.

    Question: Is OAuth 2.0 supported by ICS?

    Note: We aren't using Basic Authentication Consumer / Secret Keys. The Concur Adapter won't be an option.

    Thanks in Advance.

    Regards,

    Sharmistha

    Comment

    • Hemanth Lakkaraju

      Here are the REST Adapter OAuth Support Capabilities and this explains parameters needed for OAuth ROPC

      
      

      - CASDK-0004: Failed to authenticate against the application with the credentials provided

      - Cannot request OAuth access token.

      Are you sure the credentials are correct as the error message suggests? Were you able to call the Access Token URI directly from Postman/SoapUI with provided credentials?

      
      

      Except for Auth Request Media Type, all correct values are provided.

      What value did you give?

      Also can you see what is the exact error for 400 Bad Request in diagnostics logs - Concur would return an error code and description with reason for Bad Request.

    • Sharmistha Ghosh

      Hello Hemanth -

      Thanks for the response.


      I checked the error log and found that ICS is internally calling oracle.cloud.security.oauth.client.util.OAuthUtil.getTwoLeggedOAuthAccessToken(OAuthUtil.java:1296), whereas I selected the option Security Policy: OAuth Resource Owner Password Credentials.

      Question: Do we need to use two-legged authentication or three-legged authentication for OAuth 2.0?

      Error Snaps:

      <May 21, 2018 1:56:57 PM UTC> <Error> <oracle.ics.webconsole.connection> <ICS-10978> <Unable to test connection "CONCURRESTCALL".

      oracle.ics.webconsole.common.exception.GeneralException: ICS-10977: Unable to test the connection. Error code : oracle.ics.common.exception.NonICSRuntimeException: CASDK-0004: Failed to authenticate against the application with the credentials provided.

      at oracle.ics.webconsole.model.manager.AppConfigManager.testApplicationInstance(AppConfigManager.java:2126)

      at oracle.ics.webconsole.view.beans.AppConfigCreateResourceBean.testAppInstance(AppConfigCreateResourceBean.java:1442)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean.testAppInstance(AppConfigCreateBean.java:752)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean$HeaderPageTemplateBackingBean.customButton1Action(AppConfigCreateBean.java:1519)

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      at java.lang.reflect.Method.invoke(Method.java:606)

      at com.sun.el.parser.AstValue.invoke(AstValue.java:254)

      at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:302)

      at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46)

      at com.sun.faces.application.ActionListenerImpl.processAction(Unknown Source)

      at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190)

      at org.apache.myfaces.trinidad.component.UIXComponent.broadcastInContext(UIXComponent.java:364)

      ...........

      Caused By: oracle.ics.common.exception.NonICSRuntimeException: CASDK-0004: Failed to authenticate against the application with the credentials provided

      at oracle.ics.webconsole.model.manager.AppConfigManager.testApplicationInstance(AppConfigManager.java:2124)

      at oracle.ics.webconsole.view.beans.AppConfigCreateResourceBean.testAppInstance(AppConfigCreateResourceBean.java:1442)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean.testAppInstance(AppConfigCreateBean.java:752)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean$HeaderPageTemplateBackingBean.customButton1Action(AppConfigCreateBean.java:1519)

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      at java.lang.reflect.Method.invoke(Method.java:606)

      at com.sun.el.parser.AstValue.invoke(AstValue.java:254)

      at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:302)

      at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46)

      at com.sun.faces.application.ActionListenerImpl.processAction(Unknown Source)

      ...........

      Caused By: java.lang.IllegalStateException: Cannot request OAuth access token.

      at oracle.cloud.security.oauth.client.util.OAuthUtil.getTwoLeggedOAuthAccessToken(OAuthUtil.java:1296)

      at oracle.tip.tools.ide.adapters.rest.plugin.RestCloudConnection.testPing(RestCloudConnection.java:212)

      at oracle.tip.tools.ide.adapters.rest.plugin.RestCloudConnection.ping(RestCloudConnection.java:122)

      at oracle.ics.webconsole.model.manager.AppConfigManager.testApplicationInstance(AppConfigManager.java:2101)

      at oracle.ics.webconsole.view.beans.AppConfigCreateResourceBean.testAppInstance(AppConfigCreateResourceBean.java:1442)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean.testAppInstance(AppConfigCreateBean.java:752)

      at oracle.ics.webconsole.view.beans.AppConfigCreateBean$HeaderPageTemplateBackingBean.customButton1Action(AppConfigCreateBean.java:1519)

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      at java.lang.reflect.Method.invoke(Method.java:606)

      at com.sun.el.parser.AstValue.invoke(AstValue.java:254)

      Regards,

      Sharmistha

    • Hemanth Lakkaraju

      As per https://developer.concur.com/api-reference/authentication/apidoc.html#password_grant

      Can you specify Request Auth media type as - application/x-www-form-urlencoded and see if it works?
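
An added example, not part of the thread and not Oracle's or Concur's code: the token request that the replies above suggest testing outside ICS, built as an RFC 6749 password-grant POST with the `application/x-www-form-urlencoded` media type, plus a reader for the error code a token endpoint returns with a 400. The host in `TOKEN_URL`, the function names, the sample credentials and the sample error body are constructed, and sending client credentials in the body is an assumption.

```python
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

TOKEN_URL = "https://token-host.example/oauth2/v0/token"  # placeholder host (masked in the thread)
SECRET_FIELDS = {"password", "client_secret"}
# RFC 6749 section 5.2 error codes and what to check first for each.
HINTS = {
    "invalid_request": "missing or repeated parameter, or body not form-encoded",
    "invalid_client": "client id/secret rejected",
    "invalid_grant": "resource owner username/password rejected",
    "unauthorized_client": "client not allowed to use the password grant",
    "unsupported_grant_type": "server does not offer grant_type=password",
    "invalid_scope": "requested scope unknown or not permitted",
}

def build_ropc_request(client_id, client_secret, username, password, scope=None):
    """Build (without sending) an RFC 6749 section 4.3 password-grant request."""
    fields = {"grant_type": "password", "username": username, "password": password,
              # Assumption: client credentials travel in the body (RFC 6749 2.3.1);
              # some servers expect HTTP Basic client authentication instead.
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        fields["scope"] = scope
    return Request(TOKEN_URL, data=urlencode(fields).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})

def redacted_fields(req):
    """Decode the request body for logging, masking the secret values."""
    fields = parse_qs(req.data.decode("ascii"))
    return {k: "***" if k in SECRET_FIELDS else v[0] for k, v in fields.items()}

def diagnose_token_error(status, body):
    """Return (error_code, hint) for a non-2xx token endpoint response."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "unparseable", f"HTTP {status} with a non-JSON body; read the raw text"
    if not isinstance(payload, dict) or "error" not in payload:
        return "unknown", f"HTTP {status} without an RFC 6749 'error' member"
    code = str(payload["error"])
    return code, HINTS.get(code, "non-standard code; see error_description")

if __name__ == "__main__":
    req = build_ropc_request("constructed-id", "constructed-secret", "user@example.com", "p@ss word")
    print(req.get_method(), req.full_url, redacted_fields(req))
    # Constructed sample of a 400 response body, not captured from Concur.
    print(diagnose_token_error(400, '{"error": "invalid_grant", "error_description": "bad credentials"}'))
```
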

    • Sharmistha Ghosh

      Request Auth media type is not a mandatory field, and the error received was not related to Request Auth media type. But I tried it and the issue was not resolved.

      Is there any documentation on the OAuth Custom Three legged flow by Oracle?

      except - https://docs.oracle.com/en/cloud/paas/integration-cloud-service/icsre/integrating-third-party-oauth-protected-rest-servi…

    • Ravi Sankaran

      Sharmistha,

      Can you provide pointers to the documentation on the Concur REST API? This would allow us to provide proper configuration details.

      Ravi

    • Sharmistha Ghosh

      Hello Ravi-

      Issue resolved using OAuth Custom Two legged flow.

      I followed the Oracle and SAP links below to establish the connection between Concur and ICS.

      Oracle link - https://docs.oracle.com/en/cloud/paas/integration-cloud-service/icsre/integrating-third-party-oauth-protected-rest-service-oauth-custom-two-legged-flows.html

      SAP link - https://developer.concur.com/api-reference/authentication/apidoc.html

      But the OAuth Custom Three legged flow is still not working. I'm not sure what the exact use of "Provide Consent" is. Even though I provided it, I got an error like HTTP error code 405, method not found, whereas I used the POST command in the Access Token Request and Refresh Token Request.

      Regards,

      Sharmistha

    • Ravi Sankaran

      Sharmistha,

      The fact you are able to get the 2-legged custom OAuth policy working means the 3-legged OAuth policy is not supported by Concur. The 'Provide Consent' button will be enabled when the 3-legged OAuth policy is chosen, to allow the administrators to log in to the 3rd party application and give consent for the ICS application to access data in the 3rd party application on your behalf.

      It is a moot point in this situation.

      Ravi

    • Sharmistha Ghosh

      Hi Ravi -


      Can you confirm below -

      1. Do we need to register the ICS username/password at the Concur end to establish a connection using the OAuth three-legged custom flow?
      2. Does Concur need to register the redirect URI, i.e. the ICS Callback URI, with the OAuth server?

      Regards,
      Sharmistha

    • Hemanth Lakkaraju

      I'm not sure about Concur, but at least for other adapters like GMail, Twitter etc.,

      1. No, not required.

      2. Yes, required.

    • Ravi Sankaran

      Sharmistha,

      Concur has revamped their OAuth authentication policy very recently.

      It looks like you are already able to get the 2-legged OAuth working.

      Correct?

      Ravi

    • Sharmistha Ghosh

      Thanks Hemanth.

    • Sharmistha Ghosh

      Yes, I already mentioned that the connection is successfully established using 2-legged OAuth, but I wanted to do it using 3-legged OAuth.

    • Amrita Chauhan

      Hi Sharmistha,

      Could you please let me know the process you followed to get the clientId and clientSecret for the OAuth?

      Thanks,

      Amrita

    • anish shah

      Hi Ravi Sankaran and Hemanth Lakkaraju - When you create a trigger type connection (SOAP/REST), OIC does not provide an option to set the security policy to OAuth, so we cannot implement the same for a trigger type connection. Do you know if this is an OIC product development issue, or is there any workaround available?

      Thanks

      Anish