3rdPartyApplication Support #10643

Regional Data Collection Application Registration

Added by Konstantinos Apostolopoulos almost 2 years ago. Updated over 1 year ago.

Status: Authorised
Start date: Dec 11, 2017
Priority: Normal
Due date:
Assignee: Konstantinos Apostolopoulos
% Done: 100%

Authorized Redirect URLs:

https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections
https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections

LogoURL: https://dl016.madgik.di.uoa.gr:8443/rdc/assets/images/logo.png
Milestones:
Duration:

Description

We would like to register the Regional Data Collection Application as a 3rd party application.

Application Name: Regional Data Collection

Is there any REST endpoint that can be called, instead of the OAuth one, that receives the username and password as parameters and returns the token upon successful login?

oauth.png (50.1 KB) Konstantinos Apostolopoulos, Jan 15, 2018 06:11 PM

RegionalDataCollection.png (108 KB) Costantino Perciante, Jan 31, 2018 10:23 AM


History

#1 Updated by Massimiliano Assante almost 2 years ago

  • Status changed from New to In Progress

Hello Konstantinos,
I'm not sure I get your question. The purpose of creating a 3rd Party application is to let your application be used by D4Science users. So your app (actually https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections) will receive the token of the user who authorised on D4Science.

Is this what you need to do? If so, what do you mean by "Is there any REST endpoint that can be called, instead of the OAuth one"?

#2 Updated by Konstantinos Apostolopoulos almost 2 years ago

Hello Massimiliano,
yes this is what we need.

We were just wondering if there were an alternative authentication service to avoid any possible problems caused by the necessary redirects that come with the OAuth2 protocol.
Our application is an Angular one running inside Office Excel as an add-in.

We will proceed with the OAuth2 protocol and the redirecting, but it would be more convenient if there were some other endpoint that would not demand redirects.

#3 Updated by Massimiliano Assante almost 2 years ago

Hi Konstantinos,
the logo you provided is that of the BlueBRIDGE Project; you should provide us with the specific one for the Regional Data Collection Application. For the time being we are going to use the one provided. I'm going to share with you the required credentials you should use for OAuth2.

#4 Updated by Massimiliano Assante almost 2 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Authorised

Dear Konstantinos,
your application has been authorised, please find the client id and client secret in the workspace at this URL (Only you and Panagiota can access it): https://goo.gl/TfjRQ8

#5 Updated by Konstantinos Apostolopoulos almost 2 years ago

Dear Massimiliano,
we would like some additional information regarding the authentication workflow.

Based on the instructions presented in https://wiki.gcube-system.org/gcube/OAuth2.0 ,
the first step should be to retrieve the authorization endpoint location.

Should we call the registry service REST-API?
What kind of credentials are required for this service?

Would it be safe to call the OAuth endpoint provided in the example in the OAuth wiki? (https://next.d4science.org/group/next/authorization)

Thank you in advance for your help,
Konstantinos

#6 Updated by Massimiliano Assante almost 2 years ago

Excellent question, I think the first step should be made clearer, as you're not the first to ask this. It is quite safe for you to use the BlueBRIDGE production endpoint (the one in the doc is for dev), which would be:

https://bluebridge.d4science.org/group/bluebridge-gateway/authorization

So now you can go directly to perform an HTTP GET with the parameters indicated in "Invoking the authorization service": https://wiki.gcube-system.org/gcube/OAuth2.0#Invoking_the_authorization_service

#7 Updated by Konstantinos Apostolopoulos almost 2 years ago

And on the next step, using the code retrieved from the first request, we have to make an HTTP POST request on https://socialnetworking1.d4science.org/social-networking-library-ws/rest .
Is that correct?

Doing that we have come across some problems. We either get a CORS error or an authentication error.

Could we also have some more information on this request?
Does it need a "gcube-token" header for authentication?
"Content-Type" header should only be of type application/x-www-form-urlencoded, or is application/json also allowed?

Thanks,
Konstantinos

#8 Updated by Massimiliano Assante almost 2 years ago

Hello Konstantinos,
the next step would be:

Step 3 - Exchange Authorization Code for an Access Token

You need to make a POST to the gcube-oauth service, in the production environment its current value is https://socialnetworking1.d4science.org/gcube-oauth/v2/access-token

In the header part you would put:

httpPostRequest.addHeader("Content-Type", "application/x-www-form-urlencoded");
httpPostRequest.addHeader("gcube-token", client_secret);

in the entity part you would put:

List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("grant_type", "authorization_code"));
// YOUR_TEMP_CODE is the authorization code you received from the previous step
params.add(new BasicNameValuePair("code", $YOUR_TEMP_CODE));
// The authorised redirect URI in your case
params.add(new BasicNameValuePair("redirect_uri", "https://www.gcube-system.org/oauth-authentication-example/example-app"));
params.add(new BasicNameValuePair("client_id", $YOUR_CLIENT_ID));
params.add(new BasicNameValuePair("client_secret", $YOUR_CLIENT_SECRET));
httpPostRequest.setEntity(new UrlEncodedFormEntity(params));

Hope it is more clear, please do not hesitate to contact me for further information

#9 Updated by Massimiliano Assante almost 2 years ago

I've also added to the documentation a code snippet that could be useful to you and perhaps explains more.

See HTTP POST Example in JAVA in Step 3

#10 Updated by Konstantinos Apostolopoulos almost 2 years ago

  • File oauth.png added

When I make a request with the parameters you suggested above (with my values for code, redirect_uri, client_id and client_secret)
on Postman I get a HTTP 400 error code with response
{
"error": "invalid_grant",
"error_description": null
}

I should note that the code should be valid, as I made the request in less than 10 seconds after I received the code from the previous step.

Do you have any idea what could be the problem?
I attach a screenshot of the request in Postman.

oauth.png

#11 Updated by Konstantinos Apostolopoulos almost 2 years ago

  • File deleted (oauth.png)

#13 Updated by Massimiliano Assante almost 2 years ago

I added @costantino.perciante@isti.cnr.it, who developed the service, to see what that error is about. What I also did is create a sample application that does the whole "round" with the credentials I provided to you for your service, and it seems to be working fine:

see https://www.gcube-system.org/oauth-authentication-example/

Unfortunately the error message reported does not provide enough information. For sure it could be that the temp code is expired, but it could also be related to something else; Costantino should tell us what it could be. In the meantime I would suggest trying with a programming language instead of Postman so that we make sure the temp code does not expire.

#14 Updated by Konstantinos Apostolopoulos almost 2 years ago

I notice in your example, if I'm not mistaken, that the step for the exchange of the authorization code for an access token is implemented on the server.
Is it possible to implement the whole authorization workflow on the front-end or should the aforementioned step be implemented in an application that runs inside the VRE?

#15 Updated by Massimiliano Assante almost 2 years ago

Konstantinos Apostolopoulos wrote:

I notice in your example, if I'm not mistaken, that the step for the exchange of the authorization code for an access token is implemented on the server.
Is it possible to implement the whole authorization workflow on the front-end or should the aforementioned step be implemented in an application that runs inside the VRE?

You are right, it is implemented on the server. I would discourage implementing the whole authorization workflow on the front-end (if by this you mean managing this via a browser only). I'm pretty sure this is not even possible; for example, during Step 3, when you exchange the Authorization Code for an Access Token, after the POST the oauth2 service would respond by redirecting your user to the Authorized Redirect URL; this is managed by your web server (dl016.madgik.di.uoa.gr:8443), which after processing it sends the "client part" to the client.

Step 3 has to be implemented server side but it doesn't have to run inside the VRE. Even here I'm not really sure what you meant.

Hope this helps

#16 Updated by Costantino Perciante almost 2 years ago

Konstantinos Apostolopoulos wrote:

When I make a request with the parameters you suggested above (with my values for code, redirect_uri, client_id and client_secret)
on Postman I get a HTTP 400 error code with response
{
"error": "invalid_grant",
"error_description": null
}

I should note that the code should be valid, as I made the request in less than 10 seconds after I received the code from the previous step.

Do you have any idea what could be the problem?
I attach a screenshot of the request in Postman.

oauth.png

The error you got is reported for one of the following reasons:

  • the code you provide is either missing (i.e. is not recognized) or is expired at server side;
  • the redirect uri you provide or the client id is wrong

#17 Updated by Konstantinos Apostolopoulos over 1 year ago

Thank you both very much for your help. We got it working by implementing Step 3 server side as Massimiliano suggested.

We just have a final request.
We are in the process of releasing and deploying the application in the preproduction machine and we have made some changes to the location in Tomcat that it is being deployed.

Is it possible to change the Authorized Redirect URL to https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections ?
And if it is required, the Logo URL to https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/assets/images/logo.png

Thanks again for all your help.

#18 Updated by Massimiliano Assante over 1 year ago

  • Authorized Redirect URLs changed from https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections to https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections

We support multiple authorised redirect URLs so both URLs are now authorised.

#19 Updated by Konstantinos Apostolopoulos over 1 year ago

Nice to know, because in the next days we will also have to register the URL for the production machine.

But now there is a problem.
Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
after the VRE selection we get the following error:

There were issues in managing this request: Invalid redirect URL. This value must match a URL registered with the clientId:

This happens for both redirect URLs.

#20 Updated by Massimiliano Assante over 1 year ago

Konstantinos Apostolopoulos wrote:

Nice to know, because in the next days we will also have to register the URL for the production machine.

But now there is a problem.
Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
after the VRE selection we get the following error:

There were issues in managing this request: Invalid redirect URL. This value must match a URL registered with the clientId:

This happens for both redirect URLs.

I'm checking

#21 Updated by Massimiliano Assante over 1 year ago

@apostkonst@gmail.com I can't find any issue in the service, everything seems ok. Can you paste the redirect_uri printed in the address below?
~~~
Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
~~~

One potential issue I found is that the redirect_uri must be exactly the same as registered (the case matters). Should this be the case, we can fix this in the next release.

#23 Updated by Massimiliano Assante over 1 year ago

  • Authorized Redirect URLs changed from https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections to https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections

My fault, I apologise :(

There was a blank at the beginning of the authorised URL for https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections, which is very probably why it isn't working; please try now. For the previous URL, instead, nothing has changed and it should be working. Can you confirm?
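
The redirect URL rejections in this thread came down to exact string matching: a blank stored in front of the registered URL, and letter case in `dataCollections`. The diagnostic below is an added example, not code from the gCube authorization service or from any participant; the name `diagnose_redirect_uri` and the list-of-strings storage model are assumptions, and the sample registrations are constructed from URLs quoted in the ticket.

```python
from urllib.parse import urlsplit


def diagnose_redirect_uri(requested, registered):
    """Check a redirect_uri against stored registrations (hypothetical helper).

    Returns (authorised, findings). authorised is True only for an exact,
    character-for-character match; findings explain near misses so that a
    rejected request can be traced to the stored value that almost matched.
    """
    if requested in registered:
        return True, []
    findings = []
    req = urlsplit(requested)
    for entry in registered:
        stored = entry.strip()
        reg = urlsplit(stored)
        if stored != entry and stored == requested:
            # The cause found in comment #23: a blank stored with the URL.
            findings.append(f"stored value {entry!r} has surrounding whitespace")
        elif stored.lower() == requested.lower():
            # Same URL apart from letter case, e.g. dataCollections.
            parts = [p for p in ("scheme", "netloc", "path", "fragment")
                     if getattr(req, p) != getattr(reg, p)]
            findings.append(f"case differs in {', '.join(parts)} of {stored!r}")
        elif ((req.hostname, req.path, req.fragment)
              == (reg.hostname, reg.path, reg.fragment) and req.port != reg.port):
            # Same host and path but another port, e.g. :8443 versus default.
            findings.append(f"port {req.port or 'default'} requested, "
                            f"{reg.port or 'default'} registered")
    return False, findings


# Constructed sample: the two production URLs from the ticket, the second
# stored with a leading blank as described in comment #23.
RDC = "https://dl016.madgik.di.uoa.gr:8443/rdc/#/dataCollections"
ADDIN = ("https://dl016.madgik.di.uoa.gr:8443/"
         "regional-data-collection-addin/static/#/dataCollections")
STORED = [RDC, " " + ADDIN]

if __name__ == "__main__":
    for uri in (RDC, ADDIN, ADDIN.lower(), ADDIN.replace(":8443", "")):
        print(uri, diagnose_redirect_uri(uri, STORED))
```

Run against the stored list before and after an edit to the registration, it shows which entry a rejected redirect_uri nearly matched and why.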

#24 Updated by Konstantinos Apostolopoulos over 1 year ago

They both work now.
Thanks a lot!

#25 Updated by Dimitris Katris over 1 year ago

Dear @massimiliano.assante@isti.cnr.it,

Is there any way to test the OAuth login in the pre-production environment? https://wiki.gcube-system.org/gcube/OAuth2.0 contains endpoints only for the production and development infrastructures. The pre-production environment is not mentioned anywhere.

#27 Updated by Konstantinos Apostolopoulos over 1 year ago

Do we have to get a different client id for the preproduction OAuth service?

#28 Updated by Massimiliano Assante over 1 year ago

Yes, I forgot - it is completely different. Both client-id and client secrets have to be recreated if you wish to test this in preproduction. Let me know what you want to do.

#29 Updated by Konstantinos Apostolopoulos over 1 year ago

Hello Massimiliano,
we would like to also register our app for the preproduction using the Redirect URL https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections .
Should we open a new ticket?

#30 Updated by Massimiliano Assante over 1 year ago

Konstantinos Apostolopoulos wrote:

Hello Massimiliano,
we would like to also register our app for the preproduction using the Redirect URL https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections .
Should we open a new ticket?

Hello Konstantinos, I've updated the same txt file I shared with you previously with the client-id and secrets to be used in preprod. Please find the client id and client secret in the workspace at this URL (Only you and Panagiota can access it): https://goo.gl/TfjRQ8

#31 Updated by Konstantinos Apostolopoulos over 1 year ago

Thank you Massimiliano.

Could we also have the preproduction endpoints for:
* the gcube-oauth service to exchange the authorization code for an access token
* the social networking web service to retrieve information about the user

Thanks again.

#32 Updated by Massimiliano Assante over 1 year ago

Konstantinos Apostolopoulos wrote:

Thank you Massimiliano.

Could we also have the preproduction endpoints for:
* the gcube-oauth service to exchange the authorization code for an access token

http://socialnetworking-t.pre.d4science.org/gcube-oauth/v2/access-token

  • the social networking web service to retrieve information about the user

http://socialnetworking-t.pre.d4science.org/social-networking-library-ws/

Thanks again.

#33 Updated by Konstantinos Apostolopoulos over 1 year ago

Testing the authentication in the preproduction it seems like the application is not registered. We get the following error:

The client_id does not exist or something occurred in retrieving it from the Information System

Sorry for the trouble but we would also like to include an additional Authorized Redirect URL in the preproduction:
https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

#34 Updated by Massimiliano Assante over 1 year ago

Konstantinos Apostolopoulos wrote:

Testing the authentication in the preproduction it seems like the application is not registered. We get the following error:

The client_id does not exist or something occurred in retrieving it from the Information System

You're using the client id that starts with ab9d32c9- ?

Sorry for the trouble but we would also like to include an additional Authorized Redirect URL in the preproduction:
https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

#36 Updated by Massimiliano Assante over 1 year ago

@costantino.perciante@isti.cnr.it can you look at this issue?

#37 Updated by Costantino Perciante over 1 year ago

There is an issue while discovering a resource. I'm going to fix it

#38 Updated by Costantino Perciante over 1 year ago

  • Assignee changed from Massimiliano Assante to Konstantinos Apostolopoulos

Please could you verify it works in preprod now?

#39 Updated by Konstantinos Apostolopoulos over 1 year ago

Costantino Perciante wrote:

Please could you verify it works in preprod now?

It still doesn't work. I get the same error message, that the client_id does not exist or something occurred in retrieving it from the Information System.

#40 Updated by Costantino Perciante over 1 year ago

Konstantinos Apostolopoulos wrote:

Costantino Perciante wrote:

Please could you verify it works in preprod now?

It still doesn't work. I get the same error message, that the client_id does not exist or something occurred in retrieving it from the Information System.

Now it should

#41 Updated by Konstantinos Apostolopoulos over 1 year ago

Costantino Perciante wrote:

Now it should

Yes it does! Thank you very much

We would also like to add https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections as an Authorized Redirect URL, to the preproduction registration.

#42 Updated by Massimiliano Assante over 1 year ago

Konstantinos Apostolopoulos wrote:

Costantino Perciante wrote:

Now it should

Yes it does! Thank you very much

We would also like to add https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections as an Authorized Redirect URL, to the preproduction registration.

https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections added as further preprod authorised redirect URL

#43 Updated by Konstantinos Apostolopoulos over 1 year ago

I'm really sorry, I made a mistake in the URL. Could we modify it?

It should be https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections
with a capital "C" in dataCollections, instead of datacollections

If you have not already edited it, never mind.
/datacollections also works.

Thank you for all your help.

#44 Updated by Konstantinos Apostolopoulos over 1 year ago

Hello Massimiliano,

we would like to register an additional redirect URL for the production environment.
The URL is:
https://dl004.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

Thank you in advance.

#45 Updated by Konstantinos Apostolopoulos over 1 year ago

Hello Massimiliano,
is there any news about the additional Redirect URL?

Thanks a lot.
