OpenAM oAuth 2.0 authentication for web project

This topic contains 20 replies, has 5 voices, and was last updated by  Kavithak 1 month ago.

  • #13290
     manasvi 
    Participant

    Hi,
    I am quite new to OpenAM, so I am having some problems integrating OAuth authentication with my Django project. Please help.

    First I tried to authenticate with datastore by adding users in the subjects, and was able to authenticate the user by using REST APIs for the same.

    But what I wanted to achieve was to authenticate using OAuth 2.0 (which I used in my Django project – reference). So I created a new module instance for OAuth 2, filled in the client ID and secret, and set the authentication endpoint and access_token endpoint to the URL where the Django server is hosted (i.e. localhost:8000/o/token/).
    But this didn’t work as I expected. Can anyone please show me the correct way and help me solve the problem?

    Thanks

    #13293
     Rogerio Rondini 
    Participant

    Hi,

    So.. Could you be more clear on what you expect, what did not work and if you got some error… etc… ?

    #13294
     manasvi 
    Participant

    Hi,

    Thanks for replying. I have following queries:

    1. While specifying the Authentication Endpoint URL in my module instance, OpenAM sends a GET request. Can’t I directly send a POST request?

    2. I somehow bypassed it by creating a URL in my Django project; after accepting user credentials on this page, I hit the login API and redirect to the redirect_uri specified in the OpenAM module instance, i.e. http://openam.example.com:8080/openam/oauth2c/OAuthProxy.jsp. But the page here shows “Request Not Valid”.
    And this gets logged in the log file. I checked for answers related to this problem and found that there is no SampleAuth.xml. What can be the reason for this?

    Log entry:

    “2016-09-27 17:24:26” “Login Failed|module_instance|djangoauth” “Not Available” “Not Available” 127.0.0.1 INFO dc=example,dc=com “cn=dsameuser,ou=DSAME Users,dc=example,dc=com” AUTHENTICATION-268 djangoauth “Not Available” 127.0.0.1

    Thanks

    #13302
     Rogerio Rondini 
    Participant

    So..

    AUTHENTICATION-268 error is documented as “Module is not registered/configured under realm or Incorrect/invalid credentials presented or User locked out/not active”. I think you should enable Debug log in OpenAM.
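
As an added illustration (not code from this thread or from OpenAM), the following Python parses flat-file audit lines like the ones quoted above and pulls out the AUTHENTICATION-268 login failures per module instance. The sample lines are reconstructed from this thread, and the column order is assumed to be the classic OpenAM log layout.

```python
import shlex
from collections import Counter

# Constructed sample modelled on the amAuthentication.error lines quoted in this thread
# (smart quotes replaced by plain ones). The LOG-1 line is logger housekeeping, not a failure.
SAMPLE_LOG = '''\
"2016-09-28 00:02:52" /usr/share/tomcat7/openam/openam/log/ "cn=dsameuser,ou=DSAME Users,dc=example,dc=com" 81c86a0fc24c94ef01 "Not Available" INFO dc=example,dc=com "cn=dsameuser,ou=DSAME Users,dc=example,dc=com" LOG-1 amAuthentication.error "Not Available" 127.0.1.1
"2016-09-27 17:24:26" "Login Failed|module_instance|djangoauth" "Not Available" "Not Available" 127.0.0.1 INFO dc=example,dc=com "cn=dsameuser,ou=DSAME Users,dc=example,dc=com" AUTHENTICATION-268 djangoauth "Not Available" 127.0.0.1
"2016-09-28 00:02:52" "Login Failed|module_instance|djangoauth" "Not Available" "Not Available" 127.0.0.1 INFO dc=example,dc=com "cn=dsameuser,ou=DSAME Users,dc=example,dc=com" AUTHENTICATION-268 djangoauth "Not Available" 127.0.0.1
'''

# Assumed column order: the classic OpenAM flat-file log layout (time, Data, LoginID,
# ContextID, IPAddr, LogLevel, Domain, LoggedBy, MessageID, ModuleName, NameID, HostName).
FIELDS = ("time", "data", "login_id", "context_id", "ip", "level",
          "domain", "logged_by", "message_id", "module", "name_id", "host")

# Documented meaning of the code discussed in this thread.
MESSAGE_MEANINGS = {
    "AUTHENTICATION-268": "Module is not registered/configured under realm or "
                          "Incorrect/invalid credentials presented or User locked out/not active",
}

def parse_line(line):
    """Split one quoted-field line into a dict; None if malformed or not 12 columns."""
    try:
        parts = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Data is "event|index type|index value", e.g. "Login Failed|module_instance|djangoauth"
    data = rec["data"].split("|") + ["", ""]
    rec["event"], rec["auth_index"], rec["auth_target"] = data[0], data[1], data[2]
    return rec

def failed_logins(log_text):
    """Return 'Login Failed' AUTHENTICATION-* records with the documented meaning attached."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "Login Failed" and rec["message_id"].startswith("AUTHENTICATION-"):
            rec["meaning"] = MESSAGE_MEANINGS.get(rec["message_id"], "unknown code; see the OpenAM message reference")
            out.append(rec)
    return out

def failures_per_module(log_text):
    """Count failed logins by the module instance that rejected them (e.g. djangoauth)."""
    return Counter(r["module"] for r in failed_logins(log_text))
```

Running `failures_per_module` over a real amAuthentication.error file shows at a glance which module instance (here the OAuth2 one named djangoauth) is rejecting logins, which is the first thing to check before turning on debug logging.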

    #13314
     manasvi 
    Participant

    Hi,

    I already checked this error here, but I am not understanding why it is failing. I have configured the module instance (with “Create account if it does not exist” enabled) and also included it in the authentication chain (below DataStore with the Sufficient criterion), and the credentials provided for login are also correct. Regarding the 3rd point, since the user is new (i.e. it does not exist in the OpenAM datastore) I expect it to get saved in the datastore. But this does not happen. Did I do anything wrong? Please help.

    PS. I also changed the log mode to debug. But there is nothing I could make out of it:

    “2016-09-28 00:02:52” /usr/share/tomcat7/openam/openam/log/ “cn=dsameuser,ou=DSAME Users,dc=example,dc=com” 81c86a0fc24c94ef01 “Not Available” INFO dc=example,dc=com “cn=dsameuser,ou=DSAME Users,dc=example,dc=com” LOG-1 amAuthentication.error “Not Available” 127.0.1.1
    “2016-09-28 00:02:52” “Login Failed|module_instance|djangoauth” “Not Available” “Not Available” 127.0.0.1 INFO dc=example,dc=com “cn=dsameuser,ou=DSAME Users,dc=example,dc=com” AUTHENTICATION-268 djangoauth “Not Available” 127.0.0.1

    Thanks

    #13344
     manasvi 
    Participant

    Hi,

    The main problem I am facing is that I am not able to understand the functionality of the redirect proxy URL http://openam.example.com:8080/openam/oauth2c/OAuthProxy.jsp.

    What does this file do, and what parameters does one need to pass for this to work? Sometimes I get the error “Request Not Valid” and other times it returns an HTML page saying “Authentication failed”. Please explain.

    Thanks

    #13416

    Hello,

    From my understanding, the OAuthProxy.jsp file is used to continue the authentication process when you are redirected from the IDP (your Django server in your case).

    I also encountered the “Request Not Valid” error. Make sure that the “Prompt for password setting and activation code” field is unchecked inside the OAuth2 / OpenID Connect authentication module (there is a bugster on this but I could not find it).

    Vincent

    #13438
     manasvi 
    Participant

    Thanks for replying Vincent,

    I have already unchecked “Prompt for password setting and activation code” but it is still not working. What is the “OpenID Connect authentication module”? I am using only OpenAM and OpenDJ. Do I need to install OpenID for this to work?

    #13559
     Peter Major 
    Moderator

    The authentication module is called OAuth2 / OpenID Connect authentication module, it should allow authentication with both technologies. So what sort of error message are you getting now?

    #13646
     manasvi 
    Participant

    @peter-major

    I am now working on OpenAM v13.0 and am able to authenticate via Facebook, but for my third-party login APIs I get an Authentication Error when I try to hit http://openam.example.com:8080/openam/XUI/#login/&module=my-auth. And in the debug log, I get this error:

    Although I have properly configured my end point URLs.

    amAuth:10/12/2016 01:14:02:099 PM IST: Thread[http-bio-8080-exec-2,5,main]: TransactionId[cbf91dac-c78f-4941-8702-a492e2cc0ff2-223]
    ERROR: The crypto context value string, null is not in valid URL format: java.net.MalformedURLException
    java.net.MalformedURLException

    Thanks

    #13679
     manasvi 
    Participant

    Here is the error when I enabled debug.

    Error while retrieving SSOToken for login failure: Authentication Error!!|auth_error_template.jsp

    errorCod=’102′, resProperty=’Authentication Error!!|auth_error_template.jsp’

    Error Message : Authentication Error!!

    @peter-major @rarondini @vincent-mirzaiansolucom-fr any help would be appreciated.

    #13688
     manasvi 
    Participant

    Hi,

    So, I was able to solve the above issue for my third party Authentication, but another hurdle comes.

    When I get the login page of my third party Authentication, I enter my details and login. It runs successfully.

    But then OpenAM calls internal APIs which are throwing 401 Unauthorized. Here are the things that are causing the error:

    1. http://openam.example.com:8080/openam/XUI/locales/en-US/translation.json?v=13.0.0 is 404 not found. What to do with this?

    2. http://openam.example.com:8080/openam/json/authenticate?realm=/ is 401 Unauthorized. But when I hit the same API with the same parameters through a curl request I get a proper response.

    3. http://openam.example.com:8080/openam/json/serverinfo/version is 403 Forbidden

    In logs, I get “errorCod=’107′, resProperty=’Authentication Failed|login_failed_template.jsp”

    Please help.

    #13689

    There is an important point I missed from your previous message.

    You want to use Facebook as your third-party authentication. I am not sure, but I do not think that Facebook implements the pure OAuth2/OpenID Connect protocol. I think you will need to use the social login feature from OpenAM:
    https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#configure-social-authn

    #13690
     manasvi 
    Participant

    @vincent-mirzaiansolucom-fr this is not Facebook authentication but OAuth authentication with my Django project (which uses django-oauth2)

    #13691

    Oh sorry I misread your previous message when you mentioned Facebook authentication.

    1. http://openam.example.com:8080/openam/XUI/locales/en-US/translation.json?v=13.0.0 is 404 not found: This is just a file used for localizing the UI; there is no impact if this file is missing.

    2. http://openam.example.com:8080/openam/json/authenticate?realm=/ is 401 Unauthorized: This is because the authentication process did not create a session cookie (iPlanetDirectoryPro cookie). Therefore the /json/authenticate endpoint (which checks the validity of the OpenAM session cookie) returns 401 Unauthorized.

    After authenticating on your Django server, to which OpenAM URL are you redirected? You should be redirected to the /OAuth2Proxy.jsp URI.

Viewing 15 posts - 1 through 15 (of 21 total)

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.