OAuth1.0 token based authentication in webMethods

Hi All,

I kindly need your inputs on the issue below.

We are trying to invoke an API provided by NetSuite to pull data. They have provided us the endpoint URL for invoking it and have asked us to use OAuth 1.0 token-based authentication.

I was trying to use the wM inbuilt service pub.client:http for invoking this, however I was not sure of the token format/template to be used. In the Postman application, when I try to invoke the API to pull data, the fields below are auto-populated:
OAuth realm
oauth_consumer_key
oauth_consumer_secret
oauth_token
oauth_token_secret
oauth_signature_method
oauth_timestamp
oauth_nonce
oauth_version

My understanding is that there should be a way in wM wherein we can send this token, but I am not sure of the format/template. Could you please provide me your inputs on this?

[image attachment]

Best Regards,
Sagar ks

Hi

Please send a header Authorization: Bearer .

This should work.

Hi Srikanth, thanks for your response. I tried using Authorization: Bearer in pub.client:http, however I am still receiving an error.

[image attachment]

Error : com.wm.net.NetException: [ISC.0064.9314] Authorization Required: Unauthorized

Could you please advise me if anything can be done here.

@sagar_ks, perhaps I sound a little fastidious, but the Authorization header is set to Bearer followed by the token, is that correct? I only ask because I do not see it in the attached image; maybe you have intentionally not shown it.

You could also check the server logs / error logs for more information about the error.

-NP

I think a bearer token is used for OAuth 2.0 but not for OAuth 1.0.

Hi

You would need to first generate the token and then pass it as a Bearer token in Authorization. It seems like you are just passing it as Bearer during the API call.

For OAuth 1.0 or 1.0a (OAuth Core 1.0a):

  1. Use the Authorization scheme “OAuth”. (“Bearer” is for OAuth 2.0.)

  2. Pass parameters in one of three methods, in order of decreasing preference:

   i)   In the HTTP Authorization header as defined in OAuth HTTP Authorization Scheme.
   ii)  As the HTTP POST request body with a content-type of application/x-www-form-urlencoded.
   iii) Added to the URLs in the query part (as defined by [RFC3986] section 3).

The spec provides an example:

		Authorization: OAuth realm="http://sp.example.com/",
		oauth_consumer_key="0685bd9184jfhq22",
		oauth_token="ad180jjd733klru7",
		oauth_signature_method="HMAC-SHA1",
		oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
		oauth_timestamp="137131200",
		oauth_nonce="4572616e48616d6d65724c61686176",
		oauth_version="1.0"

IS does not directly support OAuth 1.0. If you populate the “auth” structure in the inputs to pub.client:http, it will not set the Authorization scheme to “OAuth”. Instead, you can either explicitly create an Authorization header as above and map it into the “headers” input of pub.client:http, or you can put these parameters in the body of the request or as URL query parameters. See the pub.client:http documentation on how to do this. You may want to check with the owner of the remote server to learn which formats they support.


Linking to another old OAuth 1.0 question, in case someone stumbles upon that one.
Usage of OAuth 1.0 in webMethods 9.7 - Forum - Software AG Tech Community & Forums


Thanks Michael, I have all the parameters except the signature. Can you please help with generating the signature?

Thanks Nagendra, but how do I generate the signature, please?

Since Integration Server does not directly support OAuth 1.x, I believe there are no services/APIs available in IS. I would see if anyone else in the forums has experience using OAuth 1.x.

-NP

I am not familiar with OAuth 1.0, so take this with a grain of salt. IS has a service for signing data, pub.security.keystore.pkcs7:sign, but that uses the PKCS7 message syntax and I see that OAuth 1.0 wants you to use PKCS1. You’ll need to find a library that does PKCS1 and supports one of the algorithms that OAuth 1 uses (HMAC-SHA1, RSA-SHA-1).

https://datatracker.ietf.org/doc/html/rfc5849#section-3.4 explains how to format the data to be signed and how to include the signature in your request. Good luck.
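The header layout quoted from the spec earlier in the thread and the signature question asked just above (RFC 5849 section 3.4) as one worked example. This is added code, not code from the thread, from webMethods Integration Server or from NetSuite: it implements the RFC procedure directly in Python and shows both the client side (signature base string, HMAC key, Authorization header) and the server side (rebuilding the base string from the received request, a constant-time compare, a timestamp window and a nonce replay check). The request, credentials, nonce and timestamp used below are the ones printed in RFC 5849 section 3.4.1.1. HMAC-SHA256 is offered as an option because some providers require it, but RFC 5849 itself only defines HMAC-SHA1, RSA-SHA1 and PLAINTEXT, so confirm the method with the API owner; everything else here follows the RFC text.

```python
"""OAuth 1.0 (RFC 5849) HMAC request signing and verification, worked example (not IS code)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# RFC 5849 defines HMAC-SHA1; HMAC-SHA256 is a widely used extension (assumption: check your provider).
HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def pct(s):
    """RFC 3986 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare (section 3.6)."""
    return quote(str(s), safe="-._~")

def base_string_uri(url):
    """Lower-case scheme and host, drop a default port, strip query and fragment (3.4.1.2)."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and not ((scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"

def signature_base_string(method, url, oauth_params, body=None, body_is_form=False):
    """METHOD & enc(base URI) & enc(normalized parameters) (3.4.1.1). Parameters come from the
    query string, the oauth_* values and a form-encoded body; realm and oauth_signature never do."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    if body_is_form and body:
        pairs += parse_qsl(body, keep_blank_values=True)
    # Encode names and values first, then sort by encoded name, then encoded value (3.4.1.3.2).
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_signature(base_string, consumer_secret, token_secret, sig_method):
    """Key = enc(consumer secret) '&' enc(token secret); the '&' stays even without a token (3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), HASHES[sig_method]).digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, token, token_secret, *, body=None,
                 body_is_form=False, realm=None, sig_method="HMAC-SHA1", nonce=None,
                 timestamp=None, version="1.0"):
    """Client side: return (signature base string, signature, Authorization header value)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": sig_method,
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request, never reused
    }
    if version:
        oauth["oauth_version"] = version
    base = signature_base_string(method, url, oauth, body, body_is_form)
    oauth["oauth_signature"] = hmac_signature(base, consumer_secret, token_secret, sig_method)
    # Header layout (3.5.1): realm first and unencoded, every other value percent-encoded and quoted.
    fields = ([f'realm="{realm}"'] if realm else []) + [f'{k}="{pct(v)}"' for k, v in oauth.items()]
    return base, oauth["oauth_signature"], "OAuth " + ", ".join(fields)

def parse_authorization(header):
    """Turn 'OAuth k="v", k2="v2"' back into a dict of percent-decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    out = {}
    for part in header[len("OAuth "):].split(","):
        k, v = part.strip().split("=", 1)
        out[k] = unquote(v.strip('"'))
    return out

def verify_request(method, url, header, credentials, *, body=None, body_is_form=False,
                   now=None, max_skew=300, seen_nonces=None):
    """Server side: rebuild the base string from the request as received, compare HMACs in
    constant time, then enforce the timestamp window and reject a replayed nonce."""
    p = parse_authorization(header)
    try:
        consumer_secret, token_secret = credentials[(p["oauth_consumer_key"], p["oauth_token"])]
    except KeyError:
        return False
    if p.get("oauth_signature_method") not in HASHES:
        return False
    base = signature_base_string(method, url, p, body, body_is_form)
    expected = hmac_signature(base, consumer_secret, token_secret, p["oauth_signature_method"])
    if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
        return False
    if now is not None and abs(int(p.get("oauth_timestamp", "0")) - now) > max_skew:
        return False
    if seen_nonces is not None:  # record the nonce only after the signature checked out
        replay_key = (p["oauth_consumer_key"], p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if replay_key in seen_nonces:
            return False
        seen_nonces.add(replay_key)
    return True
```

Calling sign_request with the RFC 5849 section 3.4.1.1 request (POST to http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b, body c2&a3=2+q, nonce 7d8f3e4a, timestamp 137131201, no oauth_version) reproduces the signature base string printed in that section character for character, which is the value to compare when a provider rejects a request; the signature printed in that RFC example has a filed erratum, so compare base strings rather than signatures when debugging. Note that the realm is the only header value that is not percent-encoded and that it is excluded from the signature, that the token secret slot in the key stays (with its '&') even for two-legged calls without a token, and that the nonce is only recorded on the server after the signature verifies, so that unauthenticated requests cannot poison the replay cache. In an IS flow service the equivalent is computing this header value in a Java service and mapping it into the headers input of pub.client:http, as described earlier in the thread.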

Hi Sagar, interesting. Why are you guys still dependent on OAuth 1.0 rather than upgrading to 2.0? Any limitations/challenges faced in your environment?

HTH,
RMG

Hi, we are OK to use OAuth 2.0, but the source system from which we are consuming data (via HTTP GET request) has directed us to use OAuth 1.0.

Thanks,
Sagar ks

gotcha…thanks!

For OAuth 2.0, what should be the redirect URI to be configured? Our partner who is providing the OAuth 2.0 is asking for the redirect URI as they need to configure it at their end.

Hi Suresh, please review this article; it has all the OAuth deep-dive info:

HTH,
RMG

The redirection endpoint is something that you will create. It is part of your client application.
