1 Reply Latest reply on Mar 7, 2019 11:29 AM by Vanja Keglević

    Auth flow for image gets

    roryg18

      Hi,

      I'm using

      Oracle 12.1.0.2.0

      ORDS 3.0.9.348.07.16

      I'm currently using the client_credentials flow to secure my endpoints. This all works perfectly when we can send the bearer token in the Authorization header but we have an issue where we need to retrieve images from a browser and can't send the token in the header.

      I know there are details in the docs here https://www.oracle.com/technetwork/developer-tools/rest-data-services/documentation/listener-dev-guide-1979546.html#acqu… but it's not obvious to me from there whether I need to use a different auth flow such as authorization_code or if I can achieve what I want without having to move away from the client_credentials flow.

      Is there some mechanism where I can include the OAuth2 bearer token in the URL, only for the handful of endpoints that are image GETs?

      So,

      curl -X GET \
        https://mysite.com/image \
        -H 'Authorization: Bearer ABC123..'


      Would become:

      curl -X GET \
        'https://mysite.com/image?access_token=ABC123..'

      At least that's the syntax that postman uses when I select 'Add authorization data to Request URL' vs 'Add authorization data to Request Headers'.

      Does the client credentials flow mean it's a third party app and NOT a user agent based app? Meaning you essentially shouldn't be accessing these resources from a browser so should always be able to include the Authorization header.

      Thanks,

      Rory

        • 1. Re: Auth flow for image gets
          Vanja Keglević

          Hi,

          As I see it, you have to authenticate to ORDS using OAuth2. How you are going to call the service is not important, as long as you're talking HTTP. With a simple GET from a browser I don't think you'll manage to call ORDS (if you have to authenticate using OAuth2), because you have to supply the Authorization header.

          Maybe try using basic authentication for images?
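The header-based curl call from the question, turned into browser-side code as an added example (not from the thread, and not ORDS's own code): it retrieves the image with fetch() and the Authorization header the reply says is required, then renders the bytes through a data: URL, so the token never has to go into the query string where proxy and server logs would record it. The endpoint URL and token are the placeholders from the question; fetchImpl is an injected stand-in for fetch so the flow can be exercised without a live ORDS instance.

```javascript
// Added example (not from the thread): fetch a bearer-protected image from a browser
// without placing the token in the URL. Assumes an endpoint that accepts
// "Authorization: Bearer <token>"; URL and token are the placeholders from the question.

const IMAGE_URL = "https://mysite.com/image"; // placeholder from the question
const ACCESS_TOKEN = "ABC123..";              // placeholder token from the question

// Build the request the way the curl call in the question does: token in the header,
// and refuse a URL that already carries it as a query parameter (query strings are
// written to server and proxy logs and to browser history; headers are not).
function buildImageRequest(url, token) {
  const u = new URL(url);
  if (u.searchParams.has("access_token")) {
    throw new Error("refusing to send the bearer token in the URL");
  }
  return {
    url: u.toString(),
    init: { method: "GET", headers: { Authorization: `Bearer ${token}` } },
  };
}

// Turn raw image bytes into a data: URL that an <img> element can render.
function bytesToDataUrl(bytes, contentType) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(bytes).toString("base64")                        // Node
    : btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join("")); // browser
  return `data:${contentType};base64,${b64}`;
}

// Fetch the image with the Authorization header and return it as a data: URL.
// fetchImpl is injectable so the flow can be tested offline with a fake fetch.
async function fetchImageAsDataUrl(url, token, fetchImpl = globalThis.fetch) {
  const { url: target, init } = buildImageRequest(url, token);
  const res = await fetchImpl(target, init);
  if (!res.ok) throw new Error(`image request failed: HTTP ${res.status}`);
  const type = res.headers.get("content-type") || "application/octet-stream";
  const bytes = new Uint8Array(await res.arrayBuffer());
  return bytesToDataUrl(bytes, type);
}

// Browser usage (hypothetical element id):
//   document.querySelector("img#logo").src = await fetchImageAsDataUrl(IMAGE_URL, ACCESS_TOKEN);
```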