OAuthCode for Application Server RESTFul APIs

We have a requirement to expose the One Identity REST APIs to external applications to read/write user data. After going through the REST API document, I came to know about the default authentication module, which is DialogUser, but we prefer to use OAuth.

I have managed to enable and install the RSTS service on a Windows server, but somehow I'm getting "invalid request" in the authorization code text field after successful authentication.

Request:

https://<Hostname>/RSTS/Login?response_type=code&client_id=urn:OneIdentityManager/Web&redirect_uri=urn:InstalledApplication&state=bhgghgku756565tghjg

Would appreciate any help on this.

Parents
  • I was able to get the authorization code, but when I try to authenticate against /AppServer/ using this code it returns a generic error:

    Request

    AppServer authentication URL: https://<hostname>/AppServer/auth/apphost
    HTTP Method: POST

    Body

    {
        "AuthString": "Module=OAuthRoleBased;Code=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dC;AppUrl=https://<hostname>/AppServer/;ClientId=<client_id>;RedirectUri=urn:InstalledApplication"
    }

    Headers:
        Authorization: Basic dmFtZXJzXG1ndX==
        Accept: application/json
        Content-Type: application/json

    Response:

    {
        "responseStatus": {
            "message": "An error occurred."
        },
        "errorString": "An error occurred.",
        "exceptions": [
            {
                "number": 2072000,
                "message": "An error occurred."
            }
        ]
    }

    However, the AppServer log points to an invalid auth code:

    Login failed (Module: OAuth 2.0 / OpenID Connect (role based), Properties: , Identity: -, Client Machine: 10.x.x.x, Errors: [QER.OAuthAuthentifier.OAuth2Exception] invalid_request. Invalid auth code)

    Would appreciate any help on this.
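The AppServer "Login failed" line quoted above is the one record a defender can actually act on, since the REST response itself only says "An error occurred." The following is an added example (not part of the thread or of One Identity Manager) that parses lines in that format and counts OAuth login failures per client machine; the timestamp prefix and client addresses in the sample lines are constructed assumptions about the log layout.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Pattern for the AppServer "Login failed (...)" line quoted in the thread;
# field names come from that sample, values are captured generically.
LOGIN_FAILED_RE = re.compile(
    r"Login failed \(Module: (?P<module>.*?), Properties: (?P<properties>.*?), "
    r"Identity: (?P<identity>.*?), Client Machine: (?P<client>[^,]*), "
    r"Errors: \[(?P<exception>[^\]]+)\] (?P<error>.*)\)$"
)

# Constructed sample lines (not from a real system); the timestamp prefix and
# the client addresses are assumptions about the log layout.
FAILED = ("Login failed (Module: OAuth 2.0 / OpenID Connect (role based), "
          "Properties: , Identity: -, Client Machine: {client}, "
          "Errors: [QER.OAuthAuthentifier.OAuth2Exception] invalid_request. Invalid auth code)")
SAMPLE_LINES: List[str] = [
    "2024-05-01 09:12:03 INFO  " + FAILED.format(client="10.0.0.5"),
    "2024-05-01 09:12:09 INFO  " + FAILED.format(client="10.0.0.5"),
    "2024-05-01 09:13:44 INFO  " + FAILED.format(client="10.0.0.9"),
    "2024-05-01 09:14:00 INFO  Session opened for user jdoe",
]


def parse_login_failure(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'Login failed' line into its fields; return None for any other line."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The Errors text reads "<oauth error code>. <description>" in the sample line.
    code, _, description = rec.pop("error").partition(". ")
    rec["error_code"] = code
    rec["error_description"] = description
    return rec


def failures_per_client(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count 'Login failed' lines per client machine; keep clients at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_login_failure(line)
        if rec is not None:
            counts[rec["client"]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}
```

A burst of invalid_request failures from one client usually means a misconfigured client (wrong redirect_uri or a reused code) rather than an attack, but it is the same line you would alert on in either case.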


Children
  • The thing is that you need to have a valid authentication code. I know that some colleagues created a sample PowerShell script to illustrate how it works.

    Hint: Do not use it in production because of the SSL thingy.

    Param(
        [Parameter(Mandatory=$true)]
        [string]$centralAccount
    )
    
    $hostname = "<Your OneIM server>"
    $uri = "https://$hostname/AppServer"
    $loginUrl = "https://$hostname/RSTS/UserLogin/LoginController?response_type=code&redirect_uri=urn%3aInstalledApplication&loginRequestStep="
    $cookieUri = "https://$hostname/RSTS"
    
    # The RSTS login steps are posted as HTML form fields
    $ContentType = "application/x-www-form-urlencoded"
    
    # If you have a different identity provider, change this, but this is typically Active Directory
    # There's a URL to list all of this, but I cannot recall it.
    $global:PrimaryProviderID = "ad"
    
    $global:UserName = "<Your username>"
    $global:Password = "<Your password>"
    $global:CsrfToken = ""
    
    # Needed for [System.Web.HttpUtility] in Windows PowerShell
    Add-Type -AssemblyName System.Web
    
    # Ignore SSL
    # From this kb: https://stackoverflow.com/questions/41897114/unexpected-error-occurred-running-a-simple-unauthorized-rest-query?rq=1
    # C# class to create callback
    $sslHandlerSource = @"
    public class SSLHandler
    {
        public static System.Net.Security.RemoteCertificateValidationCallback GetSSLHandler()
        {
            return new System.Net.Security.RemoteCertificateValidationCallback((sender, certificate, chain, policyErrors) => { return true; });
        }
    }
    "@
    
    #compile the class
    Add-Type -TypeDefinition $sslHandlerSource
    
    #disable checks using new class
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLHandler]::GetSSLHandler()
    #do the request
    
    # 1. InitialUserState - opens the login session and sets the CsrfToken cookie
    $step1 = $loginUrl + "InitialUserState"
    Write-Host -ForegroundColor Yellow "InitialUserState: " $step1
    $response = Invoke-RestMethod -Method Post -Uri $step1 -SessionVariable websession
    $cookies = $websession.Cookies.GetCookies($cookieUri)
    
    foreach ($cookie in $cookies) {
        if ($($cookie.name) -eq "CsrfToken")
        {
            $global:CsrfToken = $cookie.Value
            break
        }
    }
    $CsrfTokenDecode = [System.Web.HttpUtility]::UrlDecode($global:CsrfToken)
    
    # 2. PrimaryLoginPost - submits provider, credentials and CSRF token
    $step2 = $loginUrl + "PrimaryLoginPost"
    
    $Body = @{
        directoryComboBox = "$global:PrimaryProviderID"
        usernameTextbox   = "$global:UserName"
        passwordTextbox   = "$global:Password"
        csrfTokenTextbox  = "$CsrfTokenDecode"
    }
    
    Write-Host -ForegroundColor Yellow "PrimaryLoginPost: " $step2
    $response = Invoke-RestMethod -Method Post -Uri $step2 -Body $Body -ContentType $ContentType -WebSession $websession
    
    # 3. GenerateClaims and get the code=<>
    $step3 = $loginUrl + "GenerateClaims"
    Write-Host -ForegroundColor Yellow "GenerateClaims: " $step3
    $response = Invoke-RestMethod -Method Post -Uri $step3 -Body $Body -ContentType $ContentType -WebSession $websession
    
    # Extract the code query parameter from the relying-party redirect URL
    if ($response.RelyingPartyUrl -match 'code=([^&]+)') {
        $code = $Matches[1]
    } else {
        throw "No authorization code found in RelyingPartyUrl: $($response.RelyingPartyUrl)"
    }
    
    # 4. Authentication to AppServer with code=<>
    Write-Host -ForegroundColor Yellow "Authenticate: " "$uri/auth/apphost"
    # Construct auth json
    $authdata = @{AuthString="Module=OAuthRoleBased;code=$code"}
    $authJson = ConvertTo-Json $authdata -Depth 2
    $response = Invoke-RestMethod -Uri "$uri/auth/apphost" -Method Post -Body $authJson -ContentType "application/json" -WebSession $websession
    
    # 5. Get the UID_Person for $centralAccount
    $body = @{where="CentralAccount = '$centralAccount'"} | ConvertTo-Json
    $response = Invoke-RestMethod -Uri "$uri/api/entities/Person?loadType=ForeignDisplays" -Method Post -Body $body -ContentType "application/json" -WebSession $websession
    $uidPerson = $response[0].values | Select-Object -ExpandProperty UID_Person
    
    Write-Host "=== ($centralAccount) UID_Person: " $uidPerson