Invalid access_token while using IDP

anjingjing · July 5, 2018, 7:34am

Hi,
My system using IDP, I have IDP userCenter, and a business server which using the IDP login of userCenter.

I am testing using Postman, I can get a token from ucenter using /oauth/token; and I want to use this token to run POST api of business server, but the business server seems does not recoganize the token.

Could you help check any steps wrong there?

My token:

{
    "access_token": "f75eb338-dadd-c91e-39bf-5d3186346e1c",
    "token_type": "bearer",
    "expires_in": 604799,
    "scope": "rest-api"
}

My Postman snapshot
token

I got below reply:

{
    "error": "invalid_token",
    "error_description": "Invalid access token: 04429cb4-3978-3607-9be1-74992fff52cf"
}

While I try http://59.110.47.40:8082/huayou001?idp_ticket=04429cb4397836079be174992fff52cf in chrome, it works fine.

I change authorization to bearer token, still fails(entered a new token this time)
token2

My updates 6th time:
I use IDP url to get token, and use it on service provider url, not successful.
I tried to get token directly from service provider url, it is sucessful.

But service provider should acknowlege the token get from IDP url, no? Or how to?

artamonov · July 9, 2018, 6:53am

Hi,

IDP does not work this way for REST-API. It requires a special token obtaining procedure from client.

The authentication process is the following:

Client should be redirected to IDP authentication form using http://service-provider/rest/v2/idp/login URL
IDP will redirect user back to service provider after successful authentication with special URL parameter: #idp_ticket=<ticket>
HTML page should POST this <ticket> to http://service-provider/rest/v2/idp/token in order to get REST-API token.

After that it can use REST-API as logged in user.

See the complete demo project with custom HTML page: GitHub - cuba-labs/idp-rest-demo: CUBA Platform application with REST-API and IDP login

JS Application URL: http://localhost:8080/app/VAADIN/demo/idp-login-demo.html

See also: https://youtrack.cuba-platform.com/issue/PL-9551

anjingjing · July 9, 2018, 8:58am

Thanks Yuriy.
Are you talking about Cuba latest version like 6.8 or 6.9? I am using 6.6.4. I heard that there are big difference reagarding idp in Cuba new version, so I did not upgrade my project to cuba latest version, my project rely much on old idp solution.

rest/v2/idp/login does not work in my project with http 404 error.
rest/v2/oauth/token works in my side, and I can invoke rest api with the token returned by rest/v2/oauth/token.

artamonov · July 9, 2018, 9:22am

IDP support for REST has been introduced in 6.7 release

artamonov · July 9, 2018, 1:32pm

By the way, there were no big differences in IDP but in Login subsystem. If you have not extended LoginService there must be no breaking changes for you. So, I’d recommend that you try to update your project with Studio and see how it goes.

anjingjing · July 9, 2018, 2:11pm

that’s good news. I will try. Thanks for telling this.

dserikov07 · December 19, 2022, 5:49am

Hey, I got this token but with this token I can’t access rest services of another app, can you please help, in the topic more detailed.