3 Replies Latest reply on Dec 8, 2015 4:10 PM by Erik Raetz

    oauth.create_client and oauth.update_client does not work with multiple privilege names

    Erik Raetz

      For our REST services we set up a number of privileges.
      Each privilege is set for a number of roles.

      We kind of have the same problem as described here: OAUTH Client with more than one privilege

      The OAuth package documentation (pdf) differs from the oauth package spec in the database.
      We are running ORDS 3.0.2.294.08.40 on Oracle Standard Edition 12.1.0.2.0.

      Test cases that run into issues:

      Create:

      Runs into an exception because the privilege name table is not extended.

      begin
        oauth.create_client(
            p_name => 'oauth shop',
            p_grant_type => 'client_credentials',
            p_privilege_names => 'shop,test',
            p_support_email => 'your@email.com');
      end;

      Update1:

      Runs into no exception but does nothing.

      declare
        l_privileges t_ords_vchar_tab := t_ords_vchar_tab();
      begin
        l_privileges.EXTEND(2);
        l_privileges(1) := 'shop';
        l_privileges(2) := 'test';
        oauth.update_client(
            p_name => 'oauth shop',
            p_owner => 'YOUROWNER',
            p_description => NULL,
            p_redirect_uri => NULL,
            p_grant_type => 'client_credentials',
            p_privilege_names => l_privileges);
      end;

      Update2:

      Runs into an exception because the privilege name table is not extended.

      begin
        oauth.update_client(
            p_client_id => 10626,
            p_name => 'oauth shop',
            p_editing_user => 'Editing User',
            p_allowed_origins => NULL,
            p_description => NULL,
            p_redirect_uri => NULL,
            p_support_email => 'your@email.com',
            p_support_uri => NULL,
            p_priv_names => 'shop,test');
      end;

      oauth.rename_client does not work as well.
      It does nothing.

      We could not work around the issue by only using one privilege per client because there is a unique key constraint on URI patterns like '/shop/*' per ORDS enabled schema.
      That way it is impossible to create multiple privileges (each for a certain role) accessing the same URI pattern.

      Is that a known issue?

        • 1. Re: oauth.create_client and oauth.update_client does not work with multiple privilege names
          Colm Divilly-Oracle

          You can only have a single privilege per pattern, that is by design. Can you upload the exceptions that you are seeing?

          • 2. Re: oauth.create_client and oauth.update_client does not work with multiple privilege names
            Erik Raetz

            Having a pattern only once for a specific privilege is totally fine for us since you can have many roles for that privilege. The problem is that creating/updating oauth clients creates an error when more than one privilege is provided.

            Here is our problem simplified:

            Assume we have 2 privileges. Privilege 1 has two patterns and Privilege 2 has a different pattern.

            priv1:
            shop/pc/*
            shop/bc/*

            priv2:
            test/*

            Assume we have 2 roles.

            Role A has access to privilege 1 and 2.
            Role B only has access to privilege 1.

            Now we have a number of client applications that want to consume the services. Those applications are B2B clients using two-legged OAuth. Thus we use the client credentials access flow.

            It is currently impossible to create a client that is of role A and has access to privilege 1 and 2, because oauth.create_client() and oauth.update_client() will produce the following exception when called with comma-separated privileges.

            Test-case:

            begin
              oauth.create_client(
                p_name => 'test',
                p_grant_type => 'client_credentials',
                p_privilege_names => 'priv1,priv2',
                p_support_email => 'your@email.com'
              );
              commit;
            end;

            ORA-Error:

            ORA-06533: Index oberhalb der Grenze
            ORA-06512: in "ORDS_METADATA.OAUTH", Zeile 29
            ORA-06512: in "ORDS_METADATA.OAUTH", Zeile 340
            ORA-06512: in "ORDS_METADATA.OAUTH", Zeile 634
            ORA-06512: in Zeile 2

            Update Test-case:

            begin
              oauth.update_client(
                p_client_id => 10702,
                p_name => 'test',
                p_editing_user => USER,
                p_allowed_origins => NULL,
                p_description => NULL,
                p_redirect_uri => NULL,
                p_support_email => 'your@email.com',
                p_support_uri => NULL,
                p_priv_names => 'priv1,priv2'
              );
              commit;
            end;

            ORA-Error:

            ORA-06533: Index oberhalb der Grenze
            ORA-06512: in "ORDS_METADATA.OAUTH", Zeile 29
            ORA-06512: in "ORDS_METADATA.OAUTH", Zeile 154
            ORA-06512: in Zeile 2

            If you call oauth.create_client or oauth.update_client with either the privilege name being NULL or only one privilege, it will work.

            • 3. Re: oauth.create_client and oauth.update_client does not work with multiple privilege names
              Erik Raetz

              After some more trial and error we found a solution for our problem!

              According to the documentation you have to set a privilege name when you create a client. But OAuth clients that get access via the client credentials access flow do not need any privileges. Thus we create clients with privilege names set to NULL now.

              What we do is grant the client a specific role which is defined for specific privileges.

              Here is why we did not catch the issue earlier. The token you generate for a client is linked to the privileges given to the client at the time the token is generated.

              We updated client privileges and used the same token expecting a different result, which was not the case. The rights are bound to the token upon token creation.

              We found out about that today and tested two-legged OAuth clients (with the client credentials access flow) with no privileges given and only with granted roles. Since the granted roles have privileges, everything is working as expected.

              This still leaves the ORA-Error when providing comma-separated privilege names to oauth.create_client and oauth.update_client.

              But our underlying problem is solved.

              For completeness, here is an example script which solves our problem:

              --create roles
              begin ords.create_role('role.shop'); end;
              /
              begin ords.create_role('role.test'); end;
              /
              --create shop privileges, patterns and roles
              declare
                l_roles owa.vc_arr;
                l_patterns owa.vc_arr;
              begin
                l_roles(1) := 'role.shop';
                l_roles(2) := 'role.test';
                l_patterns(1) := '/shop/pk/*';
                l_patterns(2) := '/shop/gk/*';
                ords.define_privilege(
                  p_privilege_name => 'priv.shop',
                  p_roles => l_roles,
                  p_patterns => l_patterns,
                  p_label => 'Shop privileges',
                  p_description => 'Shop privileges'
                );
              end;
              /
              --create test privileges, patterns and roles
              declare
                l_roles owa.vc_arr;
                l_patterns owa.vc_arr;
              begin
                l_roles(1) := 'role.test';
                l_patterns(1) := '/test/*';
                ords.define_privilege(
                  p_privilege_name => 'priv.test',
                  p_roles => l_roles,
                  p_patterns => l_patterns,
                  p_label => 'Test privileges',
                  p_description => 'Test privileges'
                );
              end;
              /
              --create shop client (no privilege names; access comes from the granted role)
              begin
                oauth.create_client(
                  p_name => 'oauth.shop',
                  p_grant_type => 'client_credentials',
                  p_privilege_names => NULL,
                  p_support_email => 'your@email.com'
                );
              end;
              /
              --create test client
              begin
                oauth.create_client(
                  p_name => 'oauth.test',
                  p_grant_type => 'client_credentials',
                  p_privilege_names => NULL,
                  p_support_email => 'your@email.com'
                );
              end;
              /
              --grant client roles
              begin oauth.grant_client_role('oauth.shop', 'role.shop'); end;
              /
              begin oauth.grant_client_role('oauth.test', 'role.test'); end;
              /
              commit;

              After doing that, the access token for the oauth.test client has access to
              - /shop/pk/*
              - /shop/gk/*
              - /test/*

              The access token for the oauth.shop client has access to
              - /shop/pk/*
              - /shop/gk/*

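As an added example, not part of the thread, here is a least-privilege check for the role-based setup in the script above: it resolves each client's effective URI patterns through its granted roles and shows how to take access away again with oauth.revoke_client_role. The ORDS metadata views user_ords_client_roles, user_ords_privilege_roles and user_ords_privilege_mappings and the column names used are assumed and should be checked against your ORDS release.

```sql
-- Added example (not from the thread). Assumed views and columns:
--   user_ords_client_roles(client_name, role_name)
--   user_ords_privilege_roles(privilege_name, role_name)
--   user_ords_privilege_mappings(privilege_name, pattern)
-- Effective access of each OAuth client, resolved client -> role -> privilege -> pattern.
-- For the script above, each client should resolve only to the patterns the post lists for it.
select cr.client_name,
       cr.role_name,
       pr.privilege_name,
       pm.pattern
  from user_ords_client_roles       cr
  join user_ords_privilege_roles    pr on pr.role_name      = cr.role_name
  join user_ords_privilege_mappings pm on pm.privilege_name = pr.privilege_name
 where cr.client_name in ('oauth.shop', 'oauth.test')
 order by cr.client_name, pm.pattern;

-- Reducing a client's access: revoke the role, then treat the client's current
-- token as stale. As the post notes, rights are bound to the token when it is
-- issued, so the change only takes effect once the client requests a new token.
begin
  oauth.revoke_client_role(
    p_client_name => 'oauth.test',
    p_role_name   => 'role.test');
  commit;
end;
/
```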