Class OAuth2IDCSAuthHandler

java.lang.Object
oracle.stellent.ridc.protocol.http.auth.OAuth2IDCSAuthHandler
All Implemented Interfaces:
AuthenticationHandler

public class OAuth2IDCSAuthHandler extends Object implements AuthenticationHandler
  • Field Details

  • Constructor Details

    • OAuth2IDCSAuthHandler

      public OAuth2IDCSAuthHandler(IdcHttpProtocol httpProtocol)
      Constructor
      Parameters:
      httpProtocol -
  • Method Details

    • isJsonSupportClassesPresent

      public static boolean isJsonSupportClassesPresent()
    • getHttpProtocol

      public IdcHttpProtocol getHttpProtocol()
    • setLogId

      protected void setLogId(String logId)
    • setServiceLog

      protected void setServiceLog(ServiceLog log)
    • getServiceLog

      protected ServiceLog getServiceLog()
    • getLogId

      protected String getLogId()
    • isAuthSupported

      public boolean isAuthSupported(RIDCHttpClient httpClient, RIDCHttpMethod pingMethod) throws ProtocolException
      Determine if DoCS (External Compute w/ Identity Cloud Service) OAuth authentication is in the mix.
      Specified by:
      isAuthSupported in interface AuthenticationHandler
      Parameters:
      httpClient - httpclient instance created by AuthenticationDetector
      pingMethod - ping method invoked by AuthenticationDetector
      Returns:
      true if the handler can support the requests to the given server
      Throws:
      ProtocolException
    • getAuthScheme

      public IdcContext.HttpAuthScheme getAuthScheme()
      Specified by:
      getAuthScheme in interface AuthenticationHandler
      Returns:
      the authentication scheme associated with this handler
    • sendAuthenticatedRequest

      public int sendAuthenticatedRequest() throws ProtocolException
      Description copied from interface: AuthenticationHandler
      Send the authenticated request to the Content Server
      Specified by:
      sendAuthenticatedRequest in interface AuthenticationHandler
      Returns:
      the http status
      Throws:
      ProtocolException
    • handleLogin

      protected void handleLogin() throws ProtocolException
      With redirects enabled, HTTP GET the GET_OAUTH_TOKEN service fronted by the LBaaS and intercepted by cloudgate (https://host/documents/web?IdcService=GET_OAUTH_TOKEN&functionName=getTokenHere&scope=DOCS&IsJson=0) ... we will be redirected to the Identity Cloud Service REST API Endpoint for OAuth: https://idcs-XXXXX.identity.yyyyy.zzz/oauth2/v1/authorize?response_mode=form_post &response_type=id_token&scope=openid&IDCS_CG_ENC=true&client_id=CCCCC &state=SSSSS&nonce=NNNNN&IDCS_IS_CLOUDGATE=true&IDCS_CLIENT_TENANT=idcs-cloudservices-uscom-central-1 &X-HOST-IDENTIFIER-NAME=HHHHH&idcs_app_name=AAAAA&policyAppName=PPPPP&policyAppTenant=idcs-TTTTT &idcs_app_resource_url=UUUUU&enc=EEEEE ... with older circa 2019 oauth, we would be redirected again directly to the IDCS Oracle Cloud Account Sign-in Page: https://idcs-XXXXX.identity.yyyyy.zzz/ui/v1/signin ... with mid-2020 oauth, there is no 302 automatic redirect to the signin page, and instead a text/html response body is returned containing a body with form that would ordinarily on load form POST to https://idcs-XXXXX.identity.yyyyy.zzz/ui/v1/signin posting two hidden input fields the first of which has name/key="signature" and value base64 encoded data, and the second field having name/key="loginCtx" and value with further encoded data. Thus with mid-2020 oauth in play, we must HTTP POST the above /ui/v1/signin page supplying the relevant post data from the form hidden input fields. Ultimately whether automatic redirect (cira 2019) or form POST (circa 2020), we are presented with a HTML login page containing an important accessToken javascript parameter. var GlobalConfig = { accessToken: 'eeeeeeeeeeeeee', ... We must then HTTP POST the IDCS https://idcs-XXXX.identity.yyyyy.zzz/sso/v1/user/secure/login page with Authorization bearer heading containing the accessToken from above, along with post data containing credential username and password ... 
if authentication is successful, we will get back a 200 status code and receive a JSON response body containing the (cloudgate oauth2 callback) redirectUrl and postParams that need to be subsequently utilized in the immediately following HTTP POST request We must then HTTP POST this cloudgate oauth2 callback location (e.g. POST https://host/cloudgate/v1/oauth2/callback) using extracted data from JSON response postParams object above ... a 302 response header should result (POST requests are not automatically redirected/followed) with location value referring to the original GET_OAUTH_TOKEN URL above. Accessing this location should result in a 200 status code with response body of content type text/html containing the bearer token to use for subsequent requests ... e.g. <script>getTokenHere("TTTTT", <token expiration e.g. 604800>, "<dUser value>", "<dUserFullName value>", "RRRRR")</script> where TTTTT is the tokenValue, and RRRRR is the refreshTokenValue Were we to have sent the original request with IsJson=1, then the content type returned is application/json and the response body contains LocalData JSON encoded like the following { "LocalData": { "IdcService": "GET_OAUTH_TOKEN", "StatusCode": "0", "StatusMessage": "You are logged in as 'XXX'.", "StatusMessageKey": "!csUserLoggedIn,XXX", "dUser": "XXX", "dUserFullName": "YYY", "expiration": "604800", "functionName": "getTokenHere", "idcToken": "...", "localizedForResponse": "1", "refreshTokenValue": "RRRRR", "tokenValue": "TTTTT" }, ... Extracting the token value from above, we must supply this in future DoCS requests as part of an Authorization: Bearer TTTTT request header until it expires (604800 = 7 days)
      Throws:
      ProtocolException
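      The handleLogin flow above hinges on pulling values out of three response bodies: the hidden signature/loginCtx inputs of the mid-2020 sign-in form, the accessToken inside var GlobalConfig, and the tokenValue/refreshTokenValue/expiration from GET_OAUTH_TOKEN in either its text/html (IsJson=0) or application/json (IsJson=1) shape. The following is an added Python example written for this page, not RIDC library code; the HTTP exchanges themselves are out of scope, the sample bodies are constructed, and the field layouts assumed are exactly those quoted in the description above.

```python
# Added example, not RIDC library code: parse the response bodies the handleLogin flow walks through.
import json
import re
from html.parser import HTMLParser

TOKEN_KEYS = ("tokenValue", "expiration", "dUser", "dUserFullName", "refreshTokenValue")
# Constructed stand-ins for the two GET_OAUTH_TOKEN response shapes (IsJson=0 and IsJson=1).
SAMPLE_HTML = '<script>getTokenHere("TTTTT", 604800, "XXX", "YYY", "RRRRR")</script>'
SAMPLE_JSON = ('{"LocalData": {"IdcService": "GET_OAUTH_TOKEN", "StatusCode": "0", "dUser": "XXX", '
               '"dUserFullName": "YYY", "expiration": "604800", "refreshTokenValue": "RRRRR", "tokenValue": "TTTTT"}}')

class _HiddenInputs(HTMLParser):  # collects the hidden inputs of the mid-2020 self-posting sign-in form
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")

def parse_signin_form(html):
    """Return the signature/loginCtx fields to POST to /ui/v1/signin; fail loudly if either is absent."""
    p = _HiddenInputs()
    p.feed(html)
    if not {"signature", "loginCtx"} <= set(p.fields):
        raise ValueError("sign-in form lacks signature/loginCtx hidden fields")
    return p.fields

def parse_access_token(login_page):
    """Pull the accessToken embedded as var GlobalConfig = { accessToken: '...', ... }."""
    m = re.search(r"GlobalConfig\s*=\s*\{[^}]*?accessToken\s*:\s*'([^']+)'", login_page)
    if not m:
        raise ValueError("accessToken not found in login page")
    return m.group(1)

def parse_oauth_token(body, content_type):
    """Normalise either GET_OAUTH_TOKEN response shape to one dict, expiration as int seconds."""
    if content_type.startswith("application/json"):
        ld = json.loads(body)["LocalData"]
        if ld.get("StatusCode") != "0":  # a StatusCode other than "0" means the service call failed
            raise ValueError("GET_OAUTH_TOKEN failed: %s" % ld.get("StatusMessage"))
        vals = [ld[k] for k in TOKEN_KEYS]
    else:
        m = re.search(r'getTokenHere\("([^"]*)",\s*(\d+),\s*"([^"]*)",\s*"([^"]*)",\s*"([^"]*)"\)', body)
        if not m:
            raise ValueError("getTokenHere callback not found in text/html body")
        vals = list(m.groups())
    out = dict(zip(TOKEN_KEYS, vals))
    out["expiration"] = int(out["expiration"])
    return out
```

      Both shapes reduce to the same dict, so the caller can schedule a refresh from expiration and never needs to log the raw tokenValue (pass it through maskToken before writing it to a ServiceLog).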
    • getHttpClient

      public RIDCHttpClient getHttpClient() throws ProtocolException
      Throws:
      ProtocolException
    • createHttpClient

      protected RIDCHttpClient createHttpClient() throws ProtocolException
      Throws:
      ProtocolException
    • setHttpClient

      public void setHttpClient(RIDCHttpClient httpClient)
    • throwFailedAuthenticationException

      protected void throwFailedAuthenticationException(RIDCHttpMethod method) throws ProtocolException, URISyntaxException
      Throws:
      ProtocolException
      URISyntaxException
    • throwFailedAuthenticationException

      protected void throwFailedAuthenticationException(RIDCHttpMethod method, String body) throws ProtocolException, URISyntaxException
      Throws:
      ProtocolException
      URISyntaxException
    • maskToken

      public static String maskToken(String token)