cdnadmin
This document was generated from CDN thread

Created by: Bain McKay on 30-12-2012 02:29:54 AM
I continue to have problems getting OAuth to work in the WXS 3.0 DEV Edition
Procedure used
1. in My View, I click "Add Application"
2. I select "OpenSocial App" Add
3. In the URL box, I enter: http://localhost/html/gadgets/OAuthWebExSocialGadgetExample.xml
    * which is stored in ../opt/cisco/quad/tomcat/webapps/root/html/gadgets/
4. I get an {Authorize} button with descriptive text "This gadget demonstrates performing authorization against Quad using oAuth. Click the button below to authorize access to your Quad account for the gadget."
5. I click {Authorize} and a two-button box appears: "OAuth User Authorization", which contains two buttons: {Authorize} and {Deny}.
6. I click {Authorize} and authorization fails, returning the following error text:
6.1 If I wait a few seconds before clicking {Authorize}, I get an HTML Box containing
   * the title
    ** "http://localhost/quadopen/oauth/user_auth/postlogin", and
   * in the box
      "HTTP Status 401 - Not authorized type Status report
        message Not authorized
        description This request requires HTTP authentication (Not authorized).
        Apache Tomcat/6.0.32"
     6.1.1 I then get a {View Gadget} button, which displays the error:
      "Error occurred!
Something went wrong: Service provider rejected request
==== Original request:
GET /quadopen/api/rest/users/@me
Host: localhost
X-Shindig-AuthType: oauth
Accept: application/json
X-Forwarded-For: 0:0:0:0:0:0:0:1
X-shindig-dos: on
====
==== Sent request 1:
POST /quadopen/oauth/access_token
Host: localhost
X-Shindig-AuthType: none
Authorization: OAuth oauth_token="bad9765f-1371-ba5a-0353-86436a644fe9", opensocial_owner_id="U-10261", opensocial_viewer_id="U-10261", opensocial_app_id="310001", opensocial_app_url="http%3A%2F%2Flocalhost%2Fhtml%2Fgadgets%2FOAuthWebExSocialGadgetExample.xml", oauth_version="1.0", oauth_timestamp="1356852673", oauth_nonce="8352642017651924103", oauth_consumer_key="f32e4320013ba3d97670fd8b05b3fefd57090641", oauth_signature_method="HMAC-SHA1", oauth_signature="%2BTzawA9M2jM2LMq18eS4rsPbecM%3D"
Content-Type: application/x-www-form-urlencoded
X-shindig-dos: on
==== Received response 1:
HTTP/1.1 401
Connection: Keep-Alive
Content-Length: 27
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Date: Sun, 30 Dec 2012 07:31:13 GMT
Keep-Alive: timeout=300, max=4000
Server: Apache
WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost", oauth_problem="token_expired"
oauth_problem=token_expired
===="
6.2  If I click {Authorize} immediately (rather than waiting as above), I get the error message in 6.1.1 only.
 
===
I have had this work, but it is inconsistent at best. I've been trying to work through adding Gadgets which call the Pop-up authorization for 3 days now. It's probably worked 5% of the time at best.

At one point I could no longer add Gadgets or Remove them at all, so I restored the VM from the initial snapshot and started from a clean machine. From the clean machine I can once again add Gadgets as long as I don't have to Authenticate them.
 
TESTING WITH FIREFOX RESTAPI PLUGIN

When I use the FireFox RestAPI plugin to work through the Authentication screens, I am able to get the first two steps to work, but step three fails on invalid syntax. This perhaps provides a hint as to what I am doing wrong, or what is wrong with my environment. Here is the RestAPI API authentication procedure I am using:
 
1.      Register an API consumer:
         Method: POST
         url: http://localhost/api/quad/rest/management/apiconsumers
         Content-type: application/json
         Accept: application/json
         Authorization: Basic signature inserted from the {Authentication} | {Basic} drop-down menu
         {  
             "description": "Kayvium",
             "name":"Kayvium", 
             "callbackUrl": "http://localhost/quadopen/gadgets/oauthcallback"  
          }
          click {Send}
          I get the following JSON model in Response preview:
 
 
 
{
  "statusCode": 200,
  "startIndex": 0,
  "itemsPerPage": 1,
  "totalResults": 1,
  "filtered": false,
  "sorted": false,
  "entry": {
    {
      "data": {
        "accessPermission": "",
        "author": "10261",
        "callbackUrl": "http://localhost/quadopen/gadgets/oauthcallback",
        "consumerKey": "25db1f51fe26b8cbe84ce24f824a92e39ccf3483",
        "consumerSecret": "3395615d305d016d2f9df7aed0749dcc9f1cd451",
        "createDate": 1356854032797,
        "description": "Kayvium",
        "id": 410038,
        "modifiedDate": 1356854032797,
        "name": "Kayvium",
        "resource": "http://quad.cisco.com/schema/1.0/apiconsumer",
        "state": "active",
        "type": null
      }
    }
  },
  "serverMessages": null
}
 
 
 
       2.      To get the request token, I leave the Method as "POST" and enter
                 url = http://localhost/quadopen/oauth/request_token
       2.1      Then I click {Authorize} | {OAuth}
              An OAuth pop-up is displayed with the Consumer Key and Secret. I leave Access Token and Access Token Secret blank and click {Insert}
       2.2 Another pop-up asks if I want to refresh OAuth signature. It makes no difference to the results if I refresh or not. 
        The Authorization Header now contains the following:
OAuth oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_nonce="UN96DrC3gieJ1AF", oauth_timestamp="1356854229", oauth_consumer_key="f32e4320013ba3d97670fd8b05b3fefd57090641", oauth_signature="4AfVvI0blRtKutu5Aq6kgjQa0gM%3D"
        2.3 I click {SEND}
        2.3.1 The Response Header contains
              "Status Code: 200 OK"
        2.3.2 The Response Body (raw) contains
oauth_token=a6c6fda9-2303-a570-3260-b7e1a7204eb0&oauth_token_secret=342dd4e6bd94dc36a0c110c3ee6aeca9311a0ad8&oauth_callback_confirmed=true&xoauth_user_auth_url=http%3A%2F%2Flocalhost%2Fquadopen%2Foauth%2Fuser_auth%2F%3Foauth_token%3Da6c6fda9-2303-a570-3260-b7e1a7204eb0
       3.  Next, I change the Method to GET and enter url (with Signature as the Token) to:
          http://localhost/quadopen/oauth/user_auth?oauth_token=<oauth_token 4AfVvI0blRtKutu5Aq6kgjQa0gM%3D>
       3.1. I click {SEND} and get "Status Code: 400 Bad Request" 
        HTTP Status 400 - Authentication token not found type Status report
         message Authentication token not found
        description The request sent by the client was syntactically incorrect (Authentication token not found).
        Apache Tomcat/6.0.32
  
4.    I don't get to the final step, to get an access token and access token secret:
         http://localhost/quadopen/oauth/access_token?oauth_verifier=<verifier from #3>
 
    In step 3, there is no other token to add other than the Signature Token. I cannot see the syntax error, but perhaps I've been looking at this too long. 
 
   Any help or guidance would be appreciated. I have run out of options.
 

Bain
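
The check below is an added example, not part of the original post. In OAuth 1.0a the user authorization URL carries the oauth_token issued in the request_token response, whereas oauth_signature only authenticates the one request it was computed for; the code parses both artifacts from step 2 and classifies the value placed in the step-3 URL. Function names and result labels are assumptions made for this example; the sample values are copied from the post.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode

# Sample values copied from step 2 of the post above.
AUTH_HEADER = (
    'OAuth oauth_version="1.0", oauth_signature_method="HMAC-SHA1", '
    'oauth_nonce="UN96DrC3gieJ1AF", oauth_timestamp="1356854229", '
    'oauth_consumer_key="f32e4320013ba3d97670fd8b05b3fefd57090641", '
    'oauth_signature="4AfVvI0blRtKutu5Aq6kgjQa0gM%3D"')
TOKEN_BODY = (
    "oauth_token=a6c6fda9-2303-a570-3260-b7e1a7204eb0"
    "&oauth_token_secret=342dd4e6bd94dc36a0c110c3ee6aeca9311a0ad8"
    "&oauth_callback_confirmed=true"
    "&xoauth_user_auth_url=http%3A%2F%2Flocalhost%2Fquadopen%2Foauth%2Fuser_auth"
    "%2F%3Foauth_token%3Da6c6fda9-2303-a570-3260-b7e1a7204eb0")
USER_AUTH = "http://localhost/quadopen/oauth/user_auth"  # endpoint from step 3

def parse_oauth_header(header):
    """Split an 'OAuth k="v", ...' header into percent-decoded parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', params)}

def parse_token_response(body):
    """Decode the form-encoded request_token response; require both credentials."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    for required in ("oauth_token", "oauth_token_secret"):
        if required not in fields:
            raise ValueError("response is missing " + required)
    return fields

def user_auth_url(token_response):
    """Build the step-3 URL from the oauth_token the server issued."""
    return USER_AUTH + "?" + urlencode({"oauth_token": token_response["oauth_token"]})

def check_step3_token(candidate, header, token_response):
    """Classify the value about to be sent as oauth_token to user_auth."""
    value = unquote(candidate)
    if value == token_response["oauth_token"]:
        return "ok"
    if value == header.get("oauth_signature"):
        return "signature-not-token"
    if value == token_response["oauth_token_secret"]:
        return "secret-must-not-be-sent"
    return "unknown-token"
```
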
 
 
 
 

Subject: RE: Add Gadget fails on Access Token Authentication
Replied by: Bain McKay on 30-12-2012 10:03:44 AM
I reviewed the FireFox RESTAPI plugin procedure and discovered I missed a step in the properties file setup (see below). Now the RESTAPI test works up to Step 3. But step 3 now presents a UserName / Password challenge in the Response Header. Step 4 still does not work, but if I enter the UserName Password for the WXS logon user (test@your_company.com / cisco), step 3 then works. With that I proceeded to WXS, removed all the Open Social Gadgets, rebooted (to clear cache), added the "OAuthWebExSocialGadgetExample.xml" Gadget. I got the same issue as before. So while I got further in the RESTAPI test, adding WXS Open Social Gadgets that require user data access authorization (access token, access secret) still fails with authorization rejected.
 
The Screen that is failing, fails on this code:
 
 <div id='quad-layout-container'>
        <div class='quad-content'>
          <fieldset class="block-labels">
            <div class="ctrl-holder">
              <label> Hi Test, <br><br>
              The following application wants to access your account information: <br><b>Kayvium</b> is requesting access to your account to access your information.
<br>
<br>
    Kayvium
  </div>
</fieldset><form name="authZForm" action="/quadopen/oauth/user_auth/postlogin" method="POST">
            <div class="button-container">
              <input type="hidden" name="oauth_token" value="aeac8932-151e-0d22-cd7d-7232ab5c458d"/>
              <input type="submit" class="primary" name="Authorize" value="Authorize" />
              <input type="submit" name="Deny" value="Deny" />
            </div>
...
I am unclear, in RESTAPI, if I need to proceed with the Verification step (step 4). So there is possibly one more combination I didn't try in RESTAPI, but that does not affect WXS API failure, which fails to get the Kerberos shared secret User Access Token (Access Key, Access Secret).
...
A simple "Step-by-step" (no room for interpretation) CookBook would be helpful. There are a lot of steps, a lot of options, and a lot of pieces which, until you get used to the environment, can be interpreted and assembled in different ways. And, once figured out and implemented, when later on you come back to a system written in WXS, it will require a refresher on how all the pieces fit together. I understand, conceptually, the PKI token exchange and Kerberos Shared-Secret combination (API Authorization, User Data Access Authorization). It's the unforgiving procedure - the series of steps that cause RESTAPI and WXS API to be brittle, which makes it difficult to get traction.
 
portal-ext.properties EDIT
sudo gedit portal-ext.properties
Search for the line "quadapi.auth.resourcesForBasicAuthentication = ROOT, management/apiconsumers"
change it to:
"quadapi.auth.resourcesForBasicAuthentication = ALL"
Save the file.
 
 

Subject: RE: Add Gadget fails on Access Token Authentication
Replied by: Bain McKay on 30-12-2012 10:14:11 AM
I let the authorization time out while I was writing the previous post to this thread. When I went back to the screen, I noticed it said "Waiting for Authorization". Is it possible that WXS is not invoking SSO, and is thus expecting me to enter a UserName / Password challenge? If so, the Gadget authorization process provides no challenge-response screen? Do I need to modify the Approval screen to add Username/Password challenge input fields? Or, is it possible that the Dev VM does not support SSO because it doesn't support Active Directory access?


Somewhere in all these combinations of trial and error lies a very simple answer. Can anyone share with me the automated test cases for DEV VM which verify and validate that the above works, and what the specific set of steps are that have been tested, so I can get some traction and move on to implementing Producer and Consumer JSP Portlets in WXS?