I am trying to automate the token generation process (Authorization code followed by Access/JWT Token), which will then be used to hit the APIc/APIs.
NOTE: I have used dummy domains/scope/redirect URI/parameters below for security reasons.
How to Generate the Tokens Manually: I was provided with the below URL to generate the Authorization code
Code Generation URL: https://sample.domain.com/affwebservices/public/saml2sso?SPID=testqaapi2p3&RelayState=response_type%3Dcode%26client_id%3DClient_ID_Value%26redirect_uri%3Dhttps://testqa3members.domain.com/ApiHandler/home%26scope%3DScope%20Value%26path%3Dtestqainternalpath3
When I hit this manually in a browser, a popup appears and I provide the UserID (LDAP) and Password. After that it is redirected through different URLs and finally lands on the below URL, which has the Authorization code.
https://testqa3members.domain.com/ApiHandler/home?code=AAIUVJbr29CUjCcWDvKWKBZDDcCtx5CQZsq9XpCpSd0FvAzLeLBJlAtG5C9ff6fr3m11Fp1Kez8E4dalL10GVg_kyjnsxYzRKEWQiraSIGo6bwVTd4zffqkLjXLsF5CRXqI
Steps I tried to generate the tokens using Apache HttpClient:
- Step-1: Submit the "Code Generation URL" as a GET request after setting the credentials with setCredentials
- Step-2: Retrieve the list of redirection URLs
- Step-3: Retrieve the last redirection URL
- Step-4: Submit a POST request to the last redirection URL to get the Authorization code
GET Code:
// Imports for Apache HttpClient 4.3+ (HttpClientContext and URIBuilder need 4.3 or later).
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;

// clientId, redirectUrl, scope, authUrl, userName and password are defined elsewhere in the program.
// DefaultHttpClient is deprecated since 4.3; the same credentials are now supplied through the builder.
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
CloseableHttpClient httpclient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build();

System.out.println("Adding parameters to an ArrayList as NameValuePair");
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("SPID", "testqaapi2p3"));
// RelayState carries the OAuth parameters; URIBuilder percent-encodes the whole value once.
params.add(new BasicNameValuePair("RelayState", "response_type=code&client_id=" + clientId + "&redirect_uri=" + redirectUrl + "&scope=" + scope + "&path=testqainternalpath3"));
System.out.println("Parameters list: " + params);
System.out.println("Building the URI from the authorization endpoint and the parameter list");
URI uri = new URIBuilder(authUrl)
        .addParameters(params)
        .build();
System.out.println("Built URI: " + uri);
System.out.println("Creating HttpGet with the built URI");
HttpGet get = new HttpGet(uri);
System.out.println("HttpGet: " + get);
// The context records the redirect chain (and cookies) for this exchange.
HttpClientContext context = HttpClientContext.create();
System.out.println("Executing the GET with the created client context");
HttpResponse response = httpclient.execute(get, context);
System.out.println("HttpResponse: " + response);
// get.getURI() is the URI the request was created with; it is not updated when redirects are followed.
URI finalUrl = get.getURI();
System.out.println("Request URI: " + finalUrl);
// The URIs the client was redirected to, in order; the last one is the page that was finally fetched.
List<URI> locations = context.getRedirectLocations();
System.out.println("List of redirect URIs: " + locations);
if (locations != null && !locations.isEmpty()) {
    finalUrl = locations.get(locations.size() - 1);
}
System.out.println("Taking the last URL as final: " + finalUrl);
This is the last URL that I received from the GET request (Referer / Last Redirection URL): https://sample.domain.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=testqaapi2p3&RelayState=response_type%3Dcode%26client_id%3DClient_ID_Value%26redirect_uri%3Dhttps://testqa3members.domain.com/ApiHandler/home%26scope%3DScope%20Value%26path%3Dtestqainternalpath3&SAMLTRANSACTIONID=863d56e5-e9bd9485-85561bb7-a209c491-476bc279-298
POST Code:
// Also needs: import org.apache.http.client.methods.HttpPost;
HttpPost postReq = new HttpPost(finalUrl);
// addHeader twice would send two Content-Type headers; setHeader sends a single value.
postReq.setHeader("Content-Type", "application/x-www-form-urlencoded");
postReq.setHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; rv:57.0)");
// Same context as the GET, so cookies collected during the redirects are sent along.
HttpResponse responsePost = httpclient.execute(postReq, context);
System.out.println("Post Response: " + responsePost);
Output: But I am getting a 500 - Internal Server Error for the POST request:
HTTP/1.1 500 Internal Server Error [Date: Mon, 19 Feb 2018 08:05:12 GMT, Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2h-fips mod_jk/1.2.41, Content-Language: en, Content-Length: 1259, Connection: close, Content-Type: text/html; charset=utf-8] org.apache.http.conn.BasicManagedEntity@1147d0
My Analysis so Far: I tried looking at the requests being submitted using the Firefox browser and the Network tab in the Developer tools. What I saw is that a POST request is being submitted with the "Last Redirection URL" to an Authorization Endpoint with the below parameters, and a 302 status code is returned for it with the code available in the Location header (https://testqa3members.domain.com/ApiHandler/home?code=AAIUVJbr29CUjCcWDvKWKBZDDcCtx5CQZsq9XpCpSd0FvAzLeLBJlAtG5C9ff6fr3m11Fp1Kez8E4dalL10GVg_kyjnsxYzRKEWQiraSIGo6bwVTd4zffqkLjXLsF5CRXqI) and the header X-Backside-Transport: FAIL FAIL.
Authorization Endpoint URL: https://testqaapi2.domain.com/testcare/testqainternalpath3/v3/auth/oauth2/samlauthorize
Headers: Referer: https://sample.domain.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=testqaapi2p3&RelayState=response_type%3Dcode%26client_id%3DClient_ID_Value%26redirect_uri%3Dhttps://testqa3members.domain.com/ApiHandler/home%26scope%3DScope%20Value%26path%3Dtestqainternalpath3&SAMLTRANSACTIONID=863d56e5-e9bd9485-85561bb7-a209c491-476bc279-298
Parameters: RelayState:response_type=code&client_id=Client_ID_Value&redirect_uri=https://testqa3members.domain.com/ApiHandler/home&scope=Scope+Value&path=testqainternalpath3
SAMLResponse:PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERl c3RpbmF0aW9uPSJodHRwczovL3FhYXBpMi5hZXRuYS5jb20vaGVhbHRoY2FyZS9xYWludHBhdGgz L3YzL2F1dGgvb2F1dGgyL3NhbWxhdXRob3JpemUiIElEPSJfODQ1NzEzYjc1MDQ1N2YzN2YyZjAw ZmFkZWRmMDk2NTQ3ZGMzIiBJc3N1ZUluc3RhbnQ9IjIwMTgtMDItMTlUMDg6MDQ6NTdaIiBWZXJz aW9uPSIyLjAiPg0KICAgIDxuczE6SXNzdWVyIHhtbG5zOm5zMT0idXJuOm9hc2lzOm5hbWVzOnRj OlNBTUw6Mi4wOmFzc2VydGlvbiIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6 bmFtZWlkLWZvcm1hdDplbnRpdHkiPkFldEhlYWx0aENh…zdGFudD0iMjAxOC0wMi0xOVQwODowNDo1N1oi IFNlc3Npb25JbmRleD0iWkVNcERvYndNK3M0OVU5S1lIdnY1ZGJNc0JBPXByRXo5dz09IiBTZXNz aW9uTm90T25PckFmdGVyPSIyMDE4LTAyLTE5VDA4OjA2OjI3WiI+DQogICAgICAgICAgICA8bnMy OkF1dGhuQ29udGV4dD4NCiAgICAgICAgICAgICAgICA8bnMyOkF1dGhuQ29udGV4dENsYXNzUmVm PnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9uczI6QXV0 aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICAgICAgICA8L25zMjpBdXRobkNvbnRleHQ+DQogICAg ICAgIDwvbnMyOkF1dGhuU3RhdGVtZW50Pg0KICAgIDwvbnMyOkFzc2VydGlvbj4NCjwvUmVzcG9u c2U+
My Enhancement to replicate the above:
// Same imports as the GET code, plus org.apache.http.client.methods.HttpPost.
List<NameValuePair> postParams = new ArrayList<NameValuePair>();
postParams.add(new BasicNameValuePair("RelayState", "response_type=code&client_id=" + clientId + "&redirect_uri=" + redirectUrl + "&scope=" + scope + "&path=qaintpath3"));
// Parameters added through URIBuilder end up in the query string, not in the POST body.
URI postURL = new URIBuilder("https://testqaapi2.domain.com/testcare/testqainternalpath3/v3/auth/oauth2/samlauthorize")
        .addParameters(postParams)
        .build();
HttpPost postReq = new HttpPost(postURL);
// setHeader so each header is sent exactly once (addHeader would send two Content-Type values).
postReq.setHeader("Content-Type", "application/x-www-form-urlencoded");
postReq.setHeader("Referer", finalUrl.toString());
postReq.setHeader("Connection", "keep-alive");
postReq.setHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; rv:57.0)");
HttpResponse responsePost = httpclient.execute(postReq, context);
System.out.println("Post Response: " + responsePost);
Output: However, I am getting a 200 status code instead of a 302 status: HTTP/1.1 200 OK [X-Backside-Transport: OK OK, ...]
Questions:
1. What is the SAMLResponse that is being passed as a parameter above?
2. Why am I getting a 200 status with X-Backside-Transport: OK OK instead of a 300 status code with X-Backside-Transport: FAIL FAIL?
3. Am I missing something?
Could anyone please help me with this?
NOTE: Once I get the Authorization code I will use the solution from this link (Issues with Generating Authorization code and User Token using Apache OAuth client 2.0 library in Java) to generate the Access/JWT Token to be used to hit the APIc/APIs.
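Added illustration, not part of the question above: the SAMLResponse parameter is the base64-encoded SAML 2.0 Response XML (the prefix PFJlc3BvbnNl shown in the question decodes to `<Response`) that the identity provider hands to the service provider through the SAML HTTP-POST binding. The IdP answers the last redirect URL with an HTML page carrying a form whose hidden SAMLResponse and RelayState inputs a browser submits to the form's action URL (here the samlauthorize endpoint) via an onload script; a plain HTTP client sees only the HTML and has to extract those fields and send that POST itself. The Python below (written in Python so it runs stand-alone without Apache HttpClient; the HTML page, the SAML XML, idp.example.com and sp.example.com are constructed) parses such a page, decodes the SAMLResponse to show what it carries, refuses to post unless the form action equals the Response's Destination, and builds the form-encoded POST the browser would have sent.

```python
"""Added example (not from the question): replaying the SAML 2.0 HTTP-POST binding
hand-off by hand. All hosts, the HTML page and the SAML XML are constructed."""
import base64
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal SAML Response, standing in for what the IdP issues after login.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" Version="2.0"
  IssueInstant="2018-02-19T08:04:57Z" Destination="https://sp.example.com/v3/auth/oauth2/samlauthorize">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a55e7" Version="2.0" IssueInstant="2018-02-19T08:04:57Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-02-19T08:04:27Z" NotOnOrAfter="2018-02-19T08:06:27Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_RELAY_STATE = "response_type=code&client_id=Client_ID_Value&scope=Scope Value"

# Constructed auto-submitting page: the 200 body the IdP returns for the last redirect
# URL. A browser runs the onload submit; an HTTP client only ever sees this HTML.
SAMPLE_HTML = f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://sp.example.com/v3/auth/oauth2/samlauthorize">
<input type="hidden" name="SAMLResponse" value="{SAMPLE_SAML_RESPONSE}"/>
<input type="hidden" name="RelayState" value="{html.escape(SAMPLE_RELAY_STATE)}"/>
<noscript><input type="submit" value="Continue"/></noscript>
</form></body></html>"""


class _FormParser(HTMLParser):
    """Collects the first form's method, action and named inputs."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields, self._in_form = None, None, {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form, self.action = True, a.get("action")
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""  # attribute values arrive unescaped

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_post_binding_form(html_body):
    """Return {"action", "method", "fields"} for the SAML POST-binding form in an IdP page."""
    p = _FormParser()
    p.feed(html_body)
    p.close()
    if p.action is None or "SAMLResponse" not in p.fields:
        raise ValueError("no SAML HTTP-POST binding form in page")
    return {"action": p.action, "method": p.method, "fields": p.fields}


def decode_saml_response(saml_response_b64):
    """Base64-decode SAMLResponse and pull out the fields an SP looks at.
    Signature verification is the SP's job and is deliberately not attempted here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    return {
        "destination": root.get("Destination"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "status": status.get("Value") if status is not None else None,
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
                   if assertion is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
    }


def check_destination(form, decoded):
    """Only post the assertion where the IdP addressed it: form action must equal Destination."""
    return decoded["destination"] is not None and form["action"] == decoded["destination"]


def build_sp_post(form):
    """(url, content_type, body) of the request the browser's auto-submit would send."""
    if form["method"] != "POST":
        raise ValueError("expected the HTTP-POST binding")
    return form["action"], "application/x-www-form-urlencoded", urlencode(form["fields"])


if __name__ == "__main__":
    form = extract_post_binding_form(SAMPLE_HTML)
    decoded = decode_saml_response(form["fields"]["SAMLResponse"])
    if not check_destination(form, decoded):
        raise SystemExit("form action does not match SAML Destination; refusing to post")
    url, ctype, body = build_sp_post(form)
    print("POST", url, "\nContent-Type:", ctype, "\nbody:", body[:70] + "...")
    print("assertion for", decoded["subject"], "from", decoded["issuer"], "valid until", decoded["not_on_or_after"])
```

The two fields go in the form-encoded body, not in the query string, and the Destination check matters because an attacker who can steer the client to a look-alike page could otherwise harvest the assertion; the NotOnOrAfter window in the sample is short (ninety seconds), so the POST has to follow the GET promptly.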