D4Science Infrastructure

Hello Massimiliano,
yes this is what we need.

We were just wondering if there were an alternative authentication service to avoid any possible problems caused by the necessary redirects that come with the OAuth2 protocol.
Our application is an Angular one running inside Office Excel as an add-in.

We will proceed with the OAuth2 protocol and the redirecting, but it would be more convenient if there were some other endpoint that would not demand redirects.

Hi Konstantinos,
the logo you provided is of the BlueBRIDGE Project, you should provide us with the specific one for the Regional Data Collection Application. For the time being we are going to use the one provided. I'm going to share with you the required credentials you should use for oAuth2

Dear Massimiliano,
we would like some additional information regarding the authentication workflow.

Based on the instructions presented in https://wiki.gcube-system.org/gcube/OAuth2.0 ,
the first step should be to retrieve the authorization endpoint location.

Should we call the registry service REST-API?
What kind of credentials are required this service?

Would it be safe to call the OAuth endpoint provided in the example in OAth wiki? (https://next.d4science.org/group/next/authorization)

Thank you in advance for your help,
Konstantinos

Excellent question, i think the first step should be more clear as you're not the first asking this. It is quite safe for you to use the BlueBRIDGE production (the one in the doc is for dev) endpoint that would be:

https://bluebridge.d4science.org/group/bluebridge-gateway/authorization

So now you can go directly to perform an HTTP GET with the parameters indicated in "Invoking the authorization service": https://wiki.gcube-system.org/gcube/OAuth2.0#Invoking_the_authorization_service

And on the next step, using the code retrieved from the first request, we have to make an HTTP POST request on https://socialnetworking1.d4science.org/social-networking-library-ws/rest .
Is that correct?

Doing that we have come across some problems. We either get a CORS error or an authentication error.

Could we also have some more information on this request?
Does it need a "gcube-token" header for authentication?
"Content-Type" header should only be of type application/x-www-form-urlencoded, or is application/json also allowed?

Thanks,
Konstantinos

Hello Konstantinos,
the next step would be:

Step 3 - Exchange Authorization Code for an Access Token

You need to make a POST to the gcube-oauth service, in the production environment its current value is https://socialnetworking1.d4science.org/gcube-oauth/v2/access-token

In the header part you would put:

httpPostRequest.addHeader("Content-Type", "application/x-www-form-urlencoded");
httpPostRequest.addHeader("gcube-token", client_secret);

in the entity part you would put:

List<NameValuePair> params = new ArrayList<NameValuePair>();
                params.add(new BasicNameValuePair("grant_type", "authorization_code"));
                params.add(new BasicNameValuePair("code", $YOUR_TEMP_CODE)); <--YOUR_TEMP_CODE is the authorization code you received from the previous step
                params.add(new BasicNameValuePair("redirect_uri", "https://www.gcube-system.org/oauth-authentication-example/example-app"));  <-- The authorised redirect URI in your case 
                params.add(new BasicNameValuePair("client_id", $YOUR_CLIEND_ID));
                params.add(new BasicNameValuePair("client_secret", $YOUR_CLIEND_SECRET));
                httpPostRequest.setEntity(new UrlEncodedFormEntity(params));

Hope it is more clear, please do not hesitate to contact me for further information

I've also added in the documentation a cose snippet that could be useful to you and more explaining perhaps.

See HTTP POST Example in JAVA in Step 3

I added @costantino.perciante@isti.cnr.it who developed the service to see what is that error about. What I also did is to create a sample application that does all the "round" with the credentials I provided to you for your service and it seems working fine:

see https://www.gcube-system.org/oauth-authentication-example/

Unfortunately the error message reported does not provide enough information. For sure it could be that the temp code is expired but it could also be related to sth else, Costantino should tell us what could it be. In the meantime perhaps I would suggest to try with a programming language instead of postman so that we make sure the temp code does not expire.

I notice in your example, if I'm not mistaken, that the step for the exchange of the authorization code for an access token is implemented on the server.
Is it possible to implement the whole authorization workflow on the front-end or should the aforementioned step be implemented in an application that runs inside the VRE?

Konstantinos Apostolopoulos wrote:

I notice in your example, if I'm not mistaken, that the step for the exchange of the authorization code for an access token is implemented on the server.
Is it possible to implement the whole authorization workflow on the front-end or should the aforementioned step be implemented in an application that runs inside the VRE?

You are right, it is implemented on the server. I would discourage to do this implementing the whole authorization workflow on the front-end (if by this you mean managing this via a browser only). I'm pretty sure this is not even possible; for example during the Step 3, when you Exchange Authorization Code for an Access Token after the POST the oauth2 service would respond redirecting your user to the Authorized Redirect URL, this is managed from your web server (dl016.madgik.di.uoa.gr:8443) that after processing it sends the "client part" to the client.

The Step 3 has to be implemented server side but it doesn't have to run inside the VRE. Even here i'm not really sure what you meant.

Hope this helps

Konstantinos Apostolopoulos wrote:

When I make a request with the parameters you suggested above (with my values for code, redirect_uri, client_id and client_secret)
on Postman I get a HTTP 400 error code with response
{
"error": "invalid_grant",
"error_description": null
}

I should note that the code should be valid, as I made the request in less that 10 seconds after I received the code from the previous step.

Do you have any idea what could be the problem?
I attach a screenshot of the request in Postman.

The error you got is reported for one of the following reasons:

• the code you provide is either missing (i.e. is not recognized) or is expired at server side;
• the redirect uri you provide or the client id is wrong

Thank you both very much for your help. We got it working by implementing Step 3 server side as Massimiliano suggested.

We just have a final request.
We are in the process of releasing and deploying the application in the preproduction machine and we have made some changes to the location in Tomcat that it is being deployed.

Is it possible to change the Authorized Redirect URL to https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections ?
And if it is required, the Logo URL to https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/assets/images/logo.png

Thanks again for all your help.

Nice to know, because in the next days we will also have to register the URL for the production machine.

But now there is a problem.
Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
after the VRE selection we get the following error:

There were issues in managing this request: Invalid redirect URL. This value must match a URL registered with the clientId:

This happens for both redirect URLs.

Konstantinos Apostolopoulos wrote:

Nice to know, because in the next days we will also have to register the URL for the production machine.

But now there is a problem.
Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
after the VRE selection we get the following error:

There were issues in managing this request: Invalid redirect URL. This value must match a URL registered with the clientId:

This happens for both redirect URLs.

I'm checking

@apostkonst@gmail.com I can't find any issue in the service, everything seems ok. Can you paste the redirect_uri printed in the address below?

Trying to authenticate with https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345

One potential issue I found is that the redirect_uri must be exactly the same as registered (the case matters). Should this be te case can fix this in the next release.

Either URL enocded

https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fdl016.madgik.di.uoa.gr%3A8443%2Fregional-data-collection-addin%2Fstatic%2F%23%2FdataCollections&state=12345

or not

https://bluebridge.d4science.org/group/bluebridge-gateway/authorization?client_id=CLIENT_ID&redirect_uri=https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections&state=12345

I get the error.

They both work now.
Thanks a lot!

Dear @massimiliano.assante@isti.cnr.it,

Is there any way to test the OAuth login in the pre-production environment? https://wiki.gcube-system.org/gcube/OAuth2.0 contains endpoints only for the production and development infrastructures. The pre-production environment is not mentioned anywhere.

Yes Dimitris, https://pre.d4science.org/group/pre/authorization

Do we have to get a different client id for the preproduction OAuth service?

Yes, I forgot - it is completely different. Both client-id and client secrets have to be recreated if you wish to test this in preproduction. Let me know what you want to do.

Hello Massimiliano,
we would like to also register our app for the preproduction using the Redirect URL https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections .
Should we open a new ticket?

Konstantinos Apostolopoulos wrote:

Hello Massimiliano,
we would like to also register our app for the preproduction using the Redirect URL https://dl016.madgik.di.uoa.gr:8443/regional-data-collection-addin/static/#/dataCollections .
Should we open a new ticket?

Hello Konstantinos, I've updated the same txt file I shred with you previously with the client-id and secrets to be used in preprod. Please find the client id and client secret in the workspace at this URL (Only you and Panagiota can access it): https://goo.gl/TfjRQ8

Thank you Massimiliano.

Could we also have the preproduction endpoints for:

• the gcube-oauth service to exchange the authorization code for an access token
• the social networking web service to retrieve information about the user

Thanks again.

Konstantinos Apostolopoulos wrote:

Thank you Massimiliano.

Could we also have the preproduction endpoints for:

• the gcube-oauth service to exchange the authorization code for an access token

http://socialnetworking-t.pre.d4science.org/gcube-oauth/v2/access-token

• the social networking web service to retrieve information about the user

http://socialnetworking-t.pre.d4science.org/social-networking-library-ws/

Thanks again.

Testing the authentication in the preproduction it seems like the application is not registered. We get the following error:

The client_id does not exist or something occurred in retrieving it from the Information System

Sorry for the trouble but we would also like to include an additional Authorized Redirect URL in the preproduction:
https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

Konstantinos Apostolopoulos wrote:

Testing the authentication in the preproduction it seems like the application is not registered. We get the following error:

The client_id does not exist or something occurred in retrieving it from the Information System

Your using the client id that starts with ab9d32c9- ?

Sorry for the trouble but we would also like to include an additional Authorized Redirect URL in the preproduction:
https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

Your using the client id that starts with ab9d32c9- ?

Yes
https://pre.d4science.org/group/pre/authorization?client_id=ab9d32c9-...&redirect_uri=https%3A%2F%2Fdl016.madgik.di.uoa.gr%3A8443%2Fregional-data-collection-addin%2Fstatic%2F%23%2FdataCollections&state=12345

@costantino.perciante@isti.cnr.it can you look at this issue?

There is an issue while discovering a resource. I'm going to fix it

Costantino Perciante wrote:

Please could you verify it works in preprod now?

It still doesn't work. I get the same error message, that the client_id does not exist or something occurred in retrieving it from the Information System.

Costantino Perciante wrote:

Now it should

Yes it does! Thank you very much

We would also like to add https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections as an Authorized Redirect URL, to the preproduction registration.

Konstantinos Apostolopoulos wrote:

Costantino Perciante wrote:

Now it should

Yes it does! Thank you very much

We would also like to add https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections as an Authorized Redirect URL, to the preproduction registration.

https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/datacollections added as further preprod authorised redirect URL

I'm really sorry, I made a mistake in the URL. Could we modify it?

It should be https://dl016.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections
with a capital "C" in dataCollections, instead of datacollections

If you have not already edited it, nevermind.
/datacollections also works.

Thank you for all your help.

Hello Massimiliano,

we would like to register an additional redirect URL for the production environment.
The URL is:
https://dl004.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections

Thank you in advance.

Hello Massimiliano,
are there any news about the additional Redirect URL?

Thanks a lot.

https://dl004.madgik.di.uoa.gr/regional-data-collection-addin/static/#/dataCollections added and as logo: https://dl004.madgik.di.uoa.gr/regional-data-collection-addin/static/assets/images/logo.png