<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/OAuth+Authentication+With+REST+Based+Services">OAuth Authentication With REST Based Services</a></h2>
<h4>Page <b>added</b> by <a href="https://docs.jboss.org/author/display/~rareddy">Ramesh Reddy</a>
</h4>
<br/>
<div class="notificationGreySide">
<h3><a name="OAuthAuthenticationWithRESTBasedServices-SingleuserOAuthauthentication"></a>Single user OAuth authentication</h3>
<p>Web Services resource-adapter can be configured to participate in <a href="http://oauth.org" class="external-link" rel="nofollow">OAuth 1.0a and OAuth2</a> authentication schemes. Using Teiid along with "ws" translator and "web-services" resource adapter once write applications communicating with web sites like <a href="http://google.com" class="external-link" rel="nofollow">Google</a> and <a href="http://twitter.com" class="external-link" rel="nofollow">Twitter</a>.</p>
<p>In order to support OAuth authentication, there is some preparation and configuration work involved. Individual web sites typically provide developer facing REST based APIs for accessing their content on the web sites and also provide ways to register custom applications on user's behalf, where they can manage the Authorization of services offered by the web site. The first step is to register this custom application on the web site and collect consumer/API keys and secrets. The web-sites will also list the URLS, where to request for various different types of tokens for authorization using these credentials. A typical OAuth authentication flow is defined as below</p>
<p><span class="error">Unable to render embedded object: File (deviceflow.png) not found.</span></p>
<p><em>The above image taken from <a href="https://developers.google.com/accounts/docs/OAuth2" class="external-link" rel="nofollow">https://developers.google.com/accounts/docs/OAuth2</a></em></p>
<p>To accommodate above defined flow, Teiid provides a utility called "teiid-oauth-util.sh" or "teiid-oauth-util.bat" for windows in the "bin" directory of your server installation. By executing this utility, it will ask for various keys/secrets and URLs for the generating the Access Token that is used in the OAuth authentication and in the end output a XML fragment like below.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>"sample utility run"</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
$./teiid-oauth-util.sh
Select type of OAuth authentication
1) OAuth 1.0A
2) OAuth 2.0
2
=== OAuth 2.0 Workflow ===
Enter the Client ID = 10-xxxjb.apps.googleusercontent.com
Enter the Client Secret = 3L6-xxx-v9xxDlznWq-o
Enter the User Authorization URL = https://accounts.google.com/o/oauth2/auth
Enter scope (hit enter for none) = profile
Cut & Paste the URL in a web browser, and Authticate
Authorize URL = https://accounts.google.com/o/oauth2/auth?client_id=10-xxxjb.apps.googleusercontent.com&scope=profile&response_type=code&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&state=Auth+URL
Enter Token Secret (Auth Code, Pin) from previous step = 4/z-RT632cr2hf_vYoXd06yIM-xxxxx
Enter the Access Token URL = https://www.googleapis.com/oauth2/v3/token
Refresh Token=1/xxxx_5qzAF52j-EmN2U
Add the following XML into your standalone-teiid.xml file in security-domains subsystem,
and configure data source securty to this domain
<security-domain name="oauth2-security">
<authentication>
<login-module code="org.teiid.jboss.oauth.OAuth20LoginModule" flag="required" module="org.jboss.teiid">
<module-option name="client-id" value="10-xxxjb.apps.googleusercontent.com"/>
<module-option name="client-secret" value="3L6-xxx-v9xxDlznWq-o"/>
<module-option name="refresh-token" value="1/xxxx_5qzAF52j-EmN2U"/>
<module-option name="access-token-uri" value="https://www.googleapis.com/oauth2/v3/token"/>
</login-module>
</authentication>
</security-domain>
</pre>
</div></div>
<p>The XML fragment at the end defines the JAAS Login Module configuration, edit the standalone-teiid.xml and add it under "security-domains" subsystem. User needs to use this security-domain in their resource adapter as the security provider for this data source. An example resource-adapter configuration to define the data source to the web site in standalone-teiid.xml file looks like</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<resource-adapter id="webservice3">
<module slot="main" id="org.jboss.teiid.resource-adapter.webservice"/>
<transaction-support>NoTransaction</transaction-support>
<connection-definitions>
<connection-definition class-name="org.teiid.resource.adapter.ws.WSManagedConnectionFactory" jndi-name="java:/googleDS" enabled="true" use-java-context="true" pool-name="teiid-ws-ds">
<config-property name="SecurityType">
OAuth
</config-property>
<security>
<security-domain>oauth2-security</security-domain>
</security>
</connection-definition>
</connection-definitions>
</resource-adapter>
</pre>
</div></div>
<p>Then, any query written using the "ws" translator and above resource-adapter will be automatically Authorized with the target web site using OAuth, when you access a protected URL.</p>
<h3><a name="OAuthAuthenticationWithRESTBasedServices-OAuthwithDelegation"></a>OAuth with Delegation</h3>
<p>In the above configuration a single user is configured to access the web site, however if you want to delegate logged in user's credential as OAuth authentication, then user needs to extend the above LoginModule <em>(org.teiid.jboss.oauth.OAuth20LoginModule or org.teiid.jboss.oauth.OAuth10LoginModule)</em> and automate the process defined in the "teiid-oauth-util.sh" to define the Access Token details dynamically. Since this process will be different for different web sites (it involves login and authentication), Teiid will not be able to provide single solution. However, user can extend the login module to provide this feature much more easily since they will be working with targeted web sites.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/OAuth+Authentication+With+REST+Based+Services">View Online</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/OAuth+Authentication+With+REST+Based+Services?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>