Page 2 of 4
Results 11 to 20 of 40

Thread: oAuth2 and Web Application

  1. #11
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    OK, here is what I'd do...

    With your app open in the browser (in debug-run from the DF Studio), but before you attempt to log in to the service, right-click somewhere on the browser page and from the pop-up menu select "Inspect" (in Chrome) or "Inspect Element (Q)" (in Firefox), then in the window that opens up go to the "Sources" tab (in Chrome) or the "Debugger" tab (in Firefox). In the left-hand pane of that, navigate to the oOAuth2.js file.

    Set a breakpoint (click the line number) just after the "url = " line:
    Code:
            var pollTimer = window.setInterval(function() {
                try {
                    if (win.document.URL.indexOf(obj.wpsRedirectUrl) != -1) {
                        window.clearInterval(pollTimer);
                        url         = win.document.URL;
                        win.close();  // <-- set the breakpoint here
    (About line 81 or 82 in my version.)

    Then go through your login procedure (click the button or whatever) and perform the login - you should then hit the breakpoint in the browser's debugger.

    Look at what is in that url variable (hovering over it will generally show you, but find it in the Scopes pane of the browser's debugger, which might make it easier for you to copy its content). Then paste that into a text editor for examination:

    It will be something like this example from Google:
    Code:
    "http://localhost/GoogleAPI181/MSCallback.html?code=AQABAAIAAAAm-06blBE1TpVMil8KPQ411ocdZfH2nYgskb3A3XX52FN_LvA9tti9oLBSAEvuOD2KcjnWt4G1hoHXIqem8lVikMUnPlTKZKmqCHF_HwijWnkgBvDPyyNAa2ZcYYhkI9ohtYB6wn2kebwtEJ6sOGd1N8nrBzpz5MVEWHimwbWctQEJnOr56ckMfh_X8OSqjgclyUeeCyM5UbOOG2dSlcNKg335mCFF37QenNfG_gWd_HA-dWndwL0hr7R1TOznRlDrtmM6xtRC4x2gWGFrPL4_p0vKasW05vyriXwYW_kAoTAXUQYk7G8dqXpsmv1REz-8bSkxGiYVKln9vFTZR-OTfUSX69od9jJym7zxaQ3UkSanzcMatSo7ovGZTQ2-YUHu9qFMIAJTpKqEPIrR1zVpnj-Mqn97vFjstf4_kvnQyDmnJCppEFZBqUbIV4FA7ydg-EyOnKFHGfiawmmESj7VX6GYPWnPV1-G1uTVF3Rtv4PXtA5SYl_zRX5H-55j238wEO_wJ6Sz9M_rUUqtNcx1fLrVnQG_emPwyWhBykadcADZd4qPgwavPDn6HMJO8phkUFDP3wWd12IO2K-DpCDUIAA&state=1w42JUXSFcPhrzdJaV9Dvqhvv1lYt6c54p5y&session_state=b3b9afcf-d9ef-4a5f-9891-d25db5003526"
    Then break that down in the text editor so you can see all the parts clearly (I have annotated this one a bit):
    Code:
    http:                                    <--Protocol
    //localhost                              <--Host
    /GoogleAPI181/MSCallback.html            <--Path
    ?code=AQABAAIAAAAm-06blBE1TpVMil8KPQ411ocdZfH2nYgskb3A3XX52FN_LvA9tti9oLBSAEvuOD2KcjnWt4G1hoHXIqem8lVikMUnPlTKZKmqCHF_HwijWnkgBvDPyyNAa2ZcYYhkI9ohtYB6wn2kebwtEJ6sOGd1N8nrBzpz5MVEWHimwbWctQEJnOr56ckMfh_X8OSqjgclyUeeCyM5UbOOG2dSlcNKg335mCFF37QenNfG_gWd_HA-dWndwL0hr7R1TOznRlDrtmM6xtRC4x2gWGFrPL4_p0vKasW05vyriXwYW_kAoTAXUQYk7G8dqXpsmv1REz-8bSkxGiYVKln9vFTZR-OTfUSX69od9jJym7zxaQ3UkSanzcMatSo7ovGZTQ2-YUHu9qFMIAJTpKqEPIrR1zVpnj-Mqn97vFjstf4_kvnQyDmnJCppEFZBqUbIV4FA7ydg-EyOnKFHGfiawmmESj7VX6GYPWnPV1-G1uTVF3Rtv4PXtA5SYl_zRX5H-55j238wEO_wJ6Sz9M_rUUqtNcx1fLrVnQG_emPwyWhBykadcADZd4qPgwavPDn6HMJO8phkUFDP3wWd12IO2K-DpCDUIAA     <--Code
    &state=1w42JUXSFcPhrzdJaV9Dvqhvv1lYt6c54p5y                  <--State
    &session_state=b3b9afcf-d9ef-4a5f-9891-d25db5003526          <--Session State
    So the long one in there is (or should be) the code.

    Back in the browser's debugger, step on through until you have stepped over the line:
    Code:
                        code        = obj.queryValue(url, obj.wpsAuthCdName);
    This is what should get passed back into DataFlex in the web property wpsAuthCode - check that it is (in the DataFlex debugger).

    If you get that far, get back to me here.

    Mike

  2. #12
    Join Date
    Feb 2018
    Posts
    23

    Default Re: oAuth2 and Web Application

    It seems correct in the debugger.


    [Attachment: chrome_debugger.jpg]

  3. #13
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    OK, so the callback page is getting called and the code looks right (well, I have no idea what it should look like, but I'll take your word for it).

    Is that code turning up in the DataFlex side of the oOAuth2?

    You might follow the procedure I set out above a bit further in the JavaScript and see if it steps through into the final part of the login function:
    Code:
                            else {
                                obj.set("wpsAuthCode", code, false);
                                obj.set("wpiExpiresIn", expires, false);
                                obj.set("wpbLoggedIn", true, false);
                                obj.set("wpsErrorCode", "", false);
                                obj.set("wpsErrorDesc", "", false);
                                obj.serverAction("LoginDone");
                            }
    And actually executes the obj.serverAction("LoginDone"); bit, or debugging in the DataFlex to see if it gets into the LoginDone procedure in the cOAuth2 class.

    If it gets that far, then the problem will most likely be with the exchange of the authorization code for the actual access token that you use to make your calls to the service.

    Mike

  4. #14
    Join Date
    Feb 2018
    Posts
    23

    Default Re: oAuth2 and Web Application

    Well, it does not execute "LoginDone".

    I get this: "Returned state does not match passed state: possible attempted Cross Site Request Forgery attack", so I am thinking that there might be something wrong in the AddParam's in OnBeforeLogin.

    Here is what it should look like:
    Code:
    https://identity-sandbox.test.vismao...nect/authorize
    ?client_id={ClientID}
    &redirect_uri=https://domain.com/app/OAuth2/Callback.html
    &scope=ea:api%20offline_access%20ea:sales%20ea:purchase_readonly%20ea:accounting
    &state=018TEST7643
    &response_type=code
    &prompt=login
    &acr_values=service:01234AB1-1A23-1A2B-A123-123AB4567890+forceselectcompany:true
    This is how I set it up in DF code:
    Code:
    Procedure OnBeforeLogin
       Send ClearParams
       Send AddParam "scope" "ea:api%20offline_access%20ea:sales%20ea:purchase_readonly"
       Send AddParam "state" "018TEST7643"
       Send AddParam "prompt" "login"
       Send AddParam "acr_values" "service:01234AB1-1A23-1A2B-A123-123AB4567890+forceselectcompany:true"
    End_Procedure

  5. #15
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    OK, so there is your problem. The "state" parameter is designed to alert you to a possible CSRF attack: the returned value should match the passed value - basically the service should return the value you send to it (don't ask me how this protection actually works - I've never figured it out, but there we have it <g>).

    Try removing the Send AddParam "state" from your OnBeforeLogin procedure in the DF code.

    Rightly or wrongly (perhaps reflecting the fact that I clearly didn't really understand the issue <g>), the OAuth2 JavaScript component assigns the value of your DataFlex session cookie to the state parameter, but you are supplying an additional "state" parameter, which is confusing the service. The service is obviously returning the latter of these two, which does not match the one the component is expecting, which is what is going wrong. Just let the component do its thing (i.e. DO NOT supply that additional state parameter) and it should be OK I think.

    Mike

  6. #16
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    Addendum: you can read about the use of the "state" parameter here: https://auth0.com/docs/protocols/oauth2/oauth-state.

    Reading that I realise that the DF session cookie value probably isn't really the best choice - it should probably generate its own random value and use that - but basically it works and since the cookie value is itself generated (reasonably) randomly this is (I believe) an "if it ain't broken, don't fix it" type of situation.

    Others more knowledgeable about such stuff may disagree. (In which case let me know and I will look at fixing it.)

    Mike

  7. #17
    Join Date
    Feb 2018
    Posts
    23

    Default Re: oAuth2 and Web Application

    Works perfectly now, thanks!

  8. #18
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    Hth

  9. #19
    Join Date
    Feb 2009
    Location
    Beekdaelen-Nuth, Netherlands
    Posts
    1,221

    Default Re: oAuth2 and Web Application

    Good morning Sehs,

    I've been looking at this thread and it gives some good insights into how to connect to Visma, a well-known software supplier in the northern part of Europe (Scandinavia and the Netherlands).

    Is it possible for you to put your findings on oAuth2 and Visma in a blog?

    For future generations of Dataflex developers.

    tia
    Roel

  10. #20
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    2,812

    Default Re: oAuth2 and Web Application

    "future generations of Dataflex developers"... have you got a breeding program going Roel?

