7 Replies Latest reply on May 29, 2015 10:17 AM by shawkins

    OAuth to REST service in embedded server

    jmeritt

      I am trying to access a REST service that uses OAuth from the embedded Teiid server.  All of the samples I have been able to find assume I am running in JBoss and can add a new provider through the standalone XML file that I later reference from my VDB.  In Embedded mode I don't have this option.  Any hints on where to look would be appreciated. 

      Thanks,

      Jaime

        • 1. Re: OAuth to REST service in embedded server
          rareddy

          Jamie,

           

          Follow the directions here: OAuth Authentication With REST Based Services - Teiid 8.11 (draft) - Project Documentation Editor. However, for creating the resource adapter you do not need to follow what is described there; rather, use the webservice connection creation, but you would need to pass the same values.

           

          Ramesh..

          • 2. Re: OAuth to REST service in embedded server
            jmeritt

            Thanks Ramesh.  I have been able to get the OAuth20LoginModule configured and instantiated through JAAS and am manually creating the connection factory and configuring the security type.  However, I can't figure out how to associate the Subject with the Connection when I execute a statement.  How do I set the security domain in embedded mode without having a resource adapter configuration file or any of the standalone-teiid.xml?

             

            Thanks,

            Jaime

            • 3. Re: OAuth to REST service in embedded server
              shawkins

              You could look into using IronJacamar/Narayana with embedded to add JCA functionality.  You can see this in the examples - from the beta2 kit or in git https://github.com/teiid/teiid/blob/teiid-parent-8.11.0.Beta2/build/kits/embedded/examples/embedded-portfolio/src/org/teiid/example/EmbeddedHelper.java

               

              Otherwise, you can pick up the Teiid security-domain subject from the Teiid ExecutionContext, or you may need to add your own JCA-like logic to supply the Subject so that the handling in BasicManagedConnectionFactory / BasicManagedConnection / ConnectionContext is effective.

              • 4. Re: OAuth to REST service in embedded server
                jmeritt

                Thanks Steve

                 

                Decided to cheat a bit for the interim and manually create the Authorization header and supply it to the invokeHttp method.  This allows me to avoid some major surgery in exchange for a hack.  However, looks like I uncovered a bug in OAuth credential handling with Google APIs in the process (which I will hit no matter which way I do the security as far as I can tell).

                 

                It appears that the expiration time of a token is sent back from Google with a space prior to the number - which causes a NumberFormatException every time I call getAuthorizationHeader on the credential - see stack trace below.  I will likely submit a bug to CXF to get this resolved but wanted to know if you guys want a tracking JIRA or anything for this as well?

                 

                Thanks,
                Jaime

                 

                 

                 

                Exception in thread "main" java.lang.NumberFormatException: For input string: " 3600"
                  at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
                  at java.lang.Long.parseLong(Long.java:578)
                  at java.lang.Long.valueOf(Long.java:803)
                  at org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils.fromMapToClientToken(OAuthClientUtils.java:308)
                  at org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:270)
                  at org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:208)
                  at org.teiid.jboss.oauth.OAuth20CredentialImpl.getAccessToken(OAuth20CredentialImpl.java:53)
                  at org.teiid.jboss.oauth.OAuth20CredentialImpl.getAuthorizationHeader(OAuth20CredentialImpl.java:40)
                  at com.datadirect.connectivity.google.App.main(App.java:47)

                • 5. Re: OAuth to REST service in embedded server
                  shawkins

                  It looks like they need better json parsing routines.  Looking at version 2.7.14, the source for org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is doing the parsing to create the map where the invalid value comes from.  It appears the values are always trimmed, which doesn't quite match what you are seeing - are you using all 2.7.14 jars? But it should be trimming quoted string values prior to stripping the quotes and not after.  So I can't reproduce this with json using integer literals, but can with string literals:

                   

                  {"a" : 3600 , "b" : "3600" }

                   

                  "a" will be trimmed and can be converted to a long, but the "b" value won't have the quotes stripped and results in an exception.  So yes, please log something in CXF and a corresponding Teiid JIRA will help us better track when this gets addressed on our side.

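The two parsing problems discussed in replies 4 and 5 (a leading space before the number, and quotes left in place because trimming happens after the quote check), shown as an added Java example that is not code from this thread, from CXF or from Teiid. The class and method names, the sample value segments and the -1 "unknown lifetime" sentinel are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (not CXF or Teiid code): normalising the raw value
// segment of "expires_in" from a token response before numeric conversion.
public class ExpiresInParsing {

    // Order described in the thread as faulty: the quote check runs on the
    // untrimmed segment, so a value like ` "3600" ` keeps its quotes.
    static String stripThenTrim(String raw) {
        String v = raw;
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);
        }
        return v.trim();
    }

    // Corrected order: trim, strip one pair of quotes, trim the content.
    static String trimThenStrip(String raw) {
        String v = raw.trim();
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1).trim();
        }
        return v;
    }

    // Returns the lifetime in seconds, or -1 (assumed sentinel) when the value
    // is missing or not a non-negative integer, so the caller can decline to
    // cache the token instead of failing the request.
    static long parseExpiresIn(String raw) {
        if (raw == null) return -1;
        try {
            long seconds = Long.parseLong(trimThenStrip(raw));
            return seconds >= 0 ? seconds : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: segments as a naive key/value splitter sees them.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("leading space", " 3600");
        samples.put("string literal", " \"3600\" ");
        samples.put("not a number", " \"soon\" ");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-15s stripThenTrim=[%s] parseExpiresIn=%d%n",
                e.getKey(), stripThenTrim(e.getValue()), parseExpiresIn(e.getValue()));
        }
    }
}
```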
                  • 6. Re: OAuth to REST service in embedded server
                    jmeritt

                    Thanks Steven! 

                     

                    I was still using the 8.11.0.Beta1 build which referenced an older CXF (will upgrade to beta 2 tonight). After fixing my local version of OAuthClientUtils I then discovered the quote bug which you reference above.  Once I worked around that it does appear to be generating the token and my hack of passing the auth header manually is also working.

                     

                    Thanks for all the help!

                    Jaime

                    • 7. Re: OAuth to REST service in embedded server
                      shawkins

                      That's good news.  It also looks like newer versions of CXF don't have the same issue - http://grepcode.com/file/repo1.maven.org/maven2/org.apache.cxf/cxf-rt-rs-security-oauth2/3.0.4/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java?av=f

                       

                      Let us know if there is anything that needs done for 8.11

                       

                      Thanks,

                      Steve