Oracle Mobile and Social 11g OAuth Code is Obtained Before Authentication is Complete (Doc ID 2242842.1)

Last updated on MARCH 16, 2017

Applies to:

Oracle Mobile and Social - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

The 3-legged OAuth flow is as follows:
1. curl -i -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -H 'Cache-Control: no-cache, no-store, must-revalidate' --request POST 'http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens' -d 'grant_type=client_credentials&client_id=App1&oracle_device_profile=<DEVICE_PROFILE>&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-client'

2. http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/authorize?client_id=App1&response_type=code&redirect_uri=http://test.com&oracle_requested_assertions=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&oracle_pre_authz_code=<FROM 1>

3. curl -i -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -H 'Cache-Control: no-cache, no-store, must-revalidate' --request POST 'http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens' -d 'grant_type=authorization_code&code=<FROM 2>&client_id=App1&redirect_uri=http://test.com&oracle_device_profile=<DEVICE_PROFILE>'

4. curl -i -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -H 'Cache-Control: no-cache, no-store, must-revalidate' --request POST 'http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens' -d 'grant_type=client_credentials&client_id=App1&oracle_requested_assertions=oracle-idm:/oauth/assertion-type/client-identity/mobile-client-pre-authz-code-access&oracle_device_profile=<DEVICE_PROFILE>'
Status: 200
{"expires_in":300,"token_type":"Bearer","oracle_tk_context":"pre_azc","access_token":"..."}

5. http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/authorize?client_id=App1&response_type=code&redirect_uri=http://test.com&scope=UserProfile.me&oracle_pre_authz_code=<FROM 4>

6. Request an Access Token
curl -i -H 'Accept: */*' --request POST 'http://identity.example.com:14100/ms_oauth/oauth2/endpoints/oauthservice/tokens' -d 'grant_type=authorization_code&client_id=App1&code=<###WHERE DOES THIS VALUE COME FROM###>&oracle_device_profile=<DEVICE_PROFILE>&client_assertion=<FROM 3>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&redirect_uri=http://test.com'

In step 2, a login page is expected to be displayed and the 'code' generated only after successful authentication. In the customer's environment, this 'code' is generated before authentication has been completed.
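The following is an added example, not part of the Oracle note, for checking whether an environment shows the symptom above: it classifies the server's first answer to the step-2 (or step-5) authorize request, where a correct server must return a login page rather than a redirect to redirect_uri that already carries a code. The redirect_uri value is the one used in the curl commands above; the sample responses are constructed, and fetch_authorize is a helper assumed here for running the check against a real authorize URL from a fresh, unauthenticated session.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse, parse_qs

REDIRECT_URI = "http://test.com"   # redirect_uri used in the note's curl commands

def classify_authorize_response(status, headers, body=""):
    """Classify the server's first answer to GET /authorize.
    'login_page'  : expected - a login form, or a redirect to a login/SSO page
    'code_issued' : a 3xx back to redirect_uri that already carries ?code=...
    'other'       : anything else (errors, unexpected content)"""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if 300 <= status < 400:
        target = urlparse(location)
        base = f"{target.scheme}://{target.netloc}{target.path}".rstrip("/")
        if base == REDIRECT_URI.rstrip("/") and "code" in parse_qs(target.query):
            return "code_issued"
        return "login_page"
    if status == 200 and "<form" in body.lower():
        return "login_page"
    return "other"

def code_issued_before_login(status, headers, body="", authenticated=False):
    """True when the note's symptom is present: /authorize hands out a code
    on a request made before any user authentication took place."""
    return (not authenticated
            and classify_authorize_response(status, headers, body) == "code_issued")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header itself is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_authorize(url):
    """GET the authorize URL with no cookies or credentials (assumed helper).
    Returns (status, headers, body) so it can be fed to the functions above."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except HTTPError as err:             # urllib raises on 3xx/4xx/5xx when not redirecting
        return err.code, dict(err.headers), err.read().decode(errors="replace")

# Constructed sample responses (not captured from a real deployment)
EXPECTED = (200, {"Content-Type": "text/html"}, "<html><form action='/login'></form></html>")
SYMPTOM = (302, {"Location": "http://test.com/?code=CONSTRUCTED_CODE"}, "")

if __name__ == "__main__":
    for name, sample in (("expected", EXPECTED), ("symptom", SYMPTOM)):
        leak = code_issued_before_login(*sample)
        print(name, classify_authorize_response(*sample), "SYMPTOM PRESENT" if leak else "ok")
```

To check a live environment, pass the step-2 authorize URL (with a fresh pre-authz code from step 1) to fetch_authorize and hand the result to code_issued_before_login.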


Cause
