OAuth token - 401 Unauthorized

thatJeffSmith-Oracle

here's another in-depth example showing exactly what to do

https://blogs.oracle.com/developers/microservices-the-easy-way-with-ords-and-micronaut-part-1

ords 19.4 is a year+ old, but nothing's changed here in this area - just saying

partlycloudy

OK I followed the steps in that in-depth example but I still get the same error.

partlycloudy

Here is the code I used. It ran with no errors. Then I queried user_ords_clients and used the curl command you suggested to get the Bearer token but still got the 401 error

What am I missing?

begin
  ORDS.create_role(
    p_role_name => 'role_0215'
  );

  ORDS.create_privilege(
      p_name        => 'priv_0215',
      p_role_name   => 'role_0215',
      p_label       => 'EMP Data',
      p_description => 'Allow access to the EMP data.');

  ORDS.create_privilege_mapping(
      p_privilege_name => 'priv_0215',
      p_pattern        => '/hr/*');     

OAUTH.create_client(
    p_name            => 'client_0215',
    p_grant_type      => 'client_credentials',
    p_owner           => 'My Company',
    p_description     => 'Test REST',
    p_support_email   => '[email protected]',
    p_privilege_names => 'priv_0215'
  );

OAUTH.grant_client_role(
    p_client_name => 'client_0215',
    p_role_name   => 'role_0215'
  );

commit;
end;

partlycloudy

I enabled debug on my ORDS config and here is what I get in Chrome/Postman. I am not sure I understand how oracle.dbtools.oauth.client.application and [Oauth2 client application] role is involved here. The URL I am POST-ing to in Postman is https://server.domain.com/ords/schema-name/oauth/token

Any ideas? @thatJeffSmith-Oracle

thatJeffSmith-Oracle

Can you include the entire trace stack?

Also, instead of using postman, can you just try with cURL - it's harder to make mistakes in cURL - by checking some option or something incorrectly...

partlycloudy

Here you go

curl -i -k 'https://[obfuscated]/apex/edb/oauth/token' --user client_id:client_secret --data 'grant_type=client_credentials' -w "%{http_code}" 

Debug Trace

 is not authorized to access: oracle.dbtools.oauth.client.application
 does not have any of the required roles: AnnotationPrivilegeConstraint [name=oracle.dbtools.oauth.client.application, roles=[OAuth2 Client Application], challenges=[]]
[TE] POST /apex/edb/oauth/token start: 2021-02-16T15:29:17.187Z duration: 32ms

		

Stack Trace

UnauthorizedException [statusCode=401, reasons=[]]
	at oracle.dbtools.http.auth.RequestAuthorizationProvider.authorize(RequestAuthorizationProvider.java:151)
	at oracle.dbtools.http.auth.AuthorizationDispatchHook.before(AuthorizationDispatchHook.java:40)
	at oracle.dbtools.http.dispatch.hooks.DispatchHookChain.before(DispatchHookChain.java:34)
	at oracle.dbtools.http.dispatch.hooks.DispatchHooks.before(DispatchHooks.java:49)
	at oracle.dbtools.http.entrypoint.Dispatcher.dispatch(Dispatcher.java:122)
	at oracle.dbtools.http.entrypoint.EntryPoint$FilteredServlet.service(EntryPoint.java:239)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:73)
	at oracle.dbtools.http.forwarding.QueryFilteringRewrite.doFilter(QueryFilteringRewrite.java:90)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.http.forwarding.ForwardingFilter.doFilter(ForwardingFilter.java:68)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.http.cors.CORSPreflightFilter.doFilter(CORSPreflightFilter.java:68)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.http.cookies.auth.CookieSessionCSRFFilter.doFilter(CookieSessionCSRFFilter.java:71)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.http.auth.AuthenticationFilter.authenticate(AuthenticationFilter.java:104)
	at oracle.dbtools.http.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:64)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.url.mapping.RequestMapperImpl.doFilter(RequestMapperImpl.java:160)
	at oracle.dbtools.url.mapping.URLMappingBase.doFilter(URLMappingBase.java:92)
	at oracle.dbtools.url.mapping.filter.URLMappingFilter.doFilter(URLMappingFilter.java:140)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
	at oracle.dbtools.http.auth.external.ExternalSessionFilter.doFilter(ExternalSessionFilter.java:59)
	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)

thatJeffSmith-Oracle

please confirm the REST Web Service AND OAUTH2 client are all defined in the same schema

partlycloudy

Yes, they are. To confirm, I queried the USER_ORDS_CLIENTS, USER_ORDS_PRIVILEGES, USER_ORDS_PRIVILEGE_MAPPINGS, etc. views from that schema (edb)

thatJeffSmith-Oracle

and schema edb also has the module/template in USER_ORDS?

If so, i'm running out of ideas.

partlycloudy

Yes, all ORDS and OAUTH API calls were run in the same schema. The only thing is that the schema is aliased for REST access.

Yikes, if you're out of ideas, what are mere mortals like me to do!