OAuth token - 401 Unauthorized

24

Answers

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,094 Employee

    here's another in-depth example showing exactly what to do

    https://blogs.oracle.com/developers/microservices-the-easy-way-with-ords-and-micronaut-part-1


    ords 19.4 is a year+ old, but nothing's changed here in this area - just saying

  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy

    OK I followed the steps in that in-depth example but I still get the same error.

  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy
    edited Feb 15, 2021 7:45PM

    Here is the code I used. It ran with no errors. Then I queried user_ords_clients and used the curl command you suggested to get the Bearer token but still got the 401 error.

    What am I missing?

    begin
      -- Role that will be granted to the OAuth client
      ORDS.create_role(
        p_role_name => 'role_0215'
      );

      -- Privilege that requires the role above
      ORDS.create_privilege(
        p_name        => 'priv_0215',
        p_role_name   => 'role_0215',
        p_label       => 'EMP Data',
        p_description => 'Allow access to the EMP data.'
      );

      -- Protect every URL under /hr/ with the privilege
      ORDS.create_privilege_mapping(
        p_privilege_name => 'priv_0215',
        p_pattern        => '/hr/*'
      );

      -- OAuth client using the client_credentials grant
      OAUTH.create_client(
        p_name            => 'client_0215',
        p_grant_type      => 'client_credentials',
        p_owner           => 'My Company',
        p_description     => 'Test REST',
        p_support_email   => '[email protected]',
        p_privilege_names => 'priv_0215'
      );

      -- Give the client the role the privilege requires
      OAUTH.grant_client_role(
        p_client_name => 'client_0215',
        p_role_name   => 'role_0215'
      );

      commit;
    end;
    
  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy
    edited Feb 16, 2021 1:33PM

    I enabled debug on my ORDS config and here is what I get in Chrome/Postman. I am not sure I understand how oracle.dbtools.oauth.client.application and the [Oauth2 client application] role are involved here. The URL I am POST-ing to in Postman is https://server.domain.com/ords/schema-name/oauth/token

    Any ideas? @thatJeffSmith-Oracle



  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,094 Employee

    Can you include the entire trace stack?


    Also, instead of using postman, can you just try with cURL - it's harder to make mistakes in cURL - by checking some option or something incorrectly...

  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy

    Here you go


    curl -i -k 'https://[obfuscated]/apex/edb/oauth/token' --user client_id:client_secret --data 'grant_type=client_credentials' -w "%{http_code}" 



    Debug Trace

     is not authorized to access: oracle.dbtools.oauth.client.application
     does not have any of the required roles: AnnotationPrivilegeConstraint [name=oracle.dbtools.oauth.client.application, roles=[OAuth2 Client Application], challenges=[]]
    [TE] POST /apex/edb/oauth/token start: 2021-02-16T15:29:17.187Z duration: 32ms
    
    		
    

    Stack Trace

    UnauthorizedException [statusCode=401, reasons=[]]
    	at oracle.dbtools.http.auth.RequestAuthorizationProvider.authorize(RequestAuthorizationProvider.java:151)
    	at oracle.dbtools.http.auth.AuthorizationDispatchHook.before(AuthorizationDispatchHook.java:40)
    	at oracle.dbtools.http.dispatch.hooks.DispatchHookChain.before(DispatchHookChain.java:34)
    	at oracle.dbtools.http.dispatch.hooks.DispatchHooks.before(DispatchHooks.java:49)
    	at oracle.dbtools.http.entrypoint.Dispatcher.dispatch(Dispatcher.java:122)
    	at oracle.dbtools.http.entrypoint.EntryPoint$FilteredServlet.service(EntryPoint.java:239)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:73)
    	at oracle.dbtools.http.forwarding.QueryFilteringRewrite.doFilter(QueryFilteringRewrite.java:90)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.http.forwarding.ForwardingFilter.doFilter(ForwardingFilter.java:68)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.http.cors.CORSPreflightFilter.doFilter(CORSPreflightFilter.java:68)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.http.cookies.auth.CookieSessionCSRFFilter.doFilter(CookieSessionCSRFFilter.java:71)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.http.auth.AuthenticationFilter.authenticate(AuthenticationFilter.java:104)
    	at oracle.dbtools.http.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:64)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.url.mapping.RequestMapperImpl.doFilter(RequestMapperImpl.java:160)
    	at oracle.dbtools.url.mapping.URLMappingBase.doFilter(URLMappingBase.java:92)
    	at oracle.dbtools.url.mapping.filter.URLMappingFilter.doFilter(URLMappingFilter.java:140)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    	at oracle.dbtools.http.filters.FilterChainImpl.doFilter(FilterChainImpl.java:64)
    	at oracle.dbtools.http.auth.external.ExternalSessionFilter.doFilter(ExternalSessionFilter.java:59)
    	at oracle.dbtools.http.filters.HttpFilter.doFilter(HttpFilter.java:47)
    


  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,094 Employee

    please confirm the REST Web Service AND OAUTH2 client are all defined in the same schema

  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy
    edited Feb 16, 2021 5:02PM

    Yes, they are. To confirm, I queried the USER_ORDS_CLIENTS, USER_ORDS_PRIVILEGES, USER_ORDS_PRIVILEGE_MAPPINGS, etc. views from that schema (edb).
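
One way to make the cross-check described in the post above, as an added example that is not part of the original thread: run as the REST-enabled schema, it lists the URL alias ORDS maps to that schema and then follows the chain from the client to its role, privilege and protected pattern. The object name `client_0215` comes from the code posted earlier; the view columns used in the joins are assumptions about the ORDS dictionary views and should be confirmed with DESCRIBE on the installed version.

```sql
-- Added example: run while connected as the schema that owns the
-- REST module and the OAuth client (edb in this thread).

-- 1. URL alias for this schema. The token endpoint is served under
--    this pattern, i.e. .../<pattern>/oauth/token, so the path segment
--    in the curl call should match PATTERN, not necessarily the
--    schema name.
SELECT parsing_schema,
       pattern,
       status
FROM   user_ords_schemas;

-- 2. Client -> role -> privilege -> protected URL pattern.
--    LEFT JOINs keep the client row visible even when a link in the
--    chain is missing; a NULL in any column marks the broken link.
SELECT c.name            AS client_name,
       c.client_id,
       cr.role_name,
       pr.privilege_name,
       pm.pattern        AS protected_pattern
FROM   user_ords_clients c
       LEFT JOIN user_ords_client_roles cr
              ON cr.client_name = c.name
       LEFT JOIN user_ords_privilege_roles pr
              ON pr.role_name = cr.role_name
       LEFT JOIN user_ords_privilege_mappings pm
              ON pm.name = pr.privilege_name
WHERE  c.name = 'client_0215';

-- 3. Privileges attached directly to the client at creation time
--    (the p_privilege_names argument of OAUTH.create_client).
SELECT client_name,
       name AS privilege_name
FROM   user_ords_client_privileges
WHERE  client_name = 'client_0215';
```

The `client_id` returned by the second query and the matching `client_secret` from `user_ords_clients` are the values that go in curl's `--user` argument.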

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,094 Employee

    and schema edb also has the module/template in USER_ORDS?

    If so, I'm running out of ideas.

  • partlycloudy
    partlycloudy Member Posts: 8,077 Silver Trophy

    Yes, all ORDS and OAUTH API calls were run in the same schema. The only thing is that the schema is aliased for REST access.

    Yikes, if you're out of ideas, what are mere mortals like me to do!