1. Log in to the TDV (TIBCO Data Virtualization) Web Manager as an administrator.
2. Go to Security >> Domain Management, and click the Add Domain button at the bottom of the panel.
3. In the Add Domain dialog, select OAuth2 as the Type of the domain. Give the domain a name (e.g. oauth_domain).
4. Identify the OAuth2 Issuer (and optionally, the JWKS Uri).
If the OAuth2 provider supports the OpenID protocol, the easiest way to obtain this information is:
- Open the OpenID well-known metadata page. The page may be accessed with a browser by constructing a URL with the syntax https://<oauth server domain>/.well-known/openid-configuration.
- Search for the words "issuer" and "jwks_uri" on the page.
Example
5. Configure the following fields, as shown in the example below:
   1. Name: Any name.
   2. Type: OAuth2.
   3. Issuer Value: Obtain this from the well-known metadata page as mentioned above.
   4. Validation: Auto or JWKS URI. For the latter, enter the JWKS URI that is displayed on the well-known metadata page.
   5. Client ID: Obtain this from the OAuth2 provider's console.
   6. Client Secret: Obtain this from the OAuth2 provider's console.
6. Turn on OAuth2 authentication in the published web service as follows:
- If the resource has not yet been published as a TDV Web service, publish it.
- Set Enable HTTP Bearer to true in the published web service.
7. Obtain a Bearer Token.
For a TDV client application to be able to request the published web service URL (e.g. http://TIBCO-PF0UUJAC:9400/json/examples/ViewOrder), the client application must send a Bearer Token along with its request.
A Bearer Token may be obtained from the OAuth2 provider's console. A third-party utility like curl may also be used to obtain a Bearer Token, as shown in the example below (a client_credentials grant sent to the provider's token endpoint; the access_token value in the JSON response is the Bearer Token).
Example:
curl --request POST \
  --url https://dev-8wezm1ocl2rs7xog.us.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xFY4zUDT89MTdx3LQLiQNMRNBrdkkPiP","client_secret":"H-xMF4GjBGTxgMG1frUo9B9tCOr6uEGhxlldRhouka_hsfMqGjwdrybGIy681Aba","audience":"https://dev-8wezm1ocl2rs7xog.us.auth0.com/api/v2/","grant_type":"client_credentials"}'
8. The TDV client application can now request the published URL, sending the Bearer Token in an HTTP header of the form Authorization: Bearer <token>.
Using curl as an example of a TDV client application, the request would use the following syntax:
SYNTAX: curl -H "Authorization: Bearer <put the token here>" <published web service endpoint URL>
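The metadata lookup in step 4, the token request in step 7 and the Bearer call in step 8 as one script, added here as an example and not TIBCO's or TDV's own code. The provider host, client credentials and endpoint URL are placeholders you substitute; the helper make_unsigned_jwt only builds a constructed, unsigned sample token so the issuer check can be tried offline.

```python
"""Added example (not TDV code). Assumes the provider publishes OpenID metadata and
its token endpoint accepts the client_credentials grant, as in the curl example."""
import base64
import json
import urllib.request

def well_known_url(oauth_server_domain):
    """Step 4: build the OpenID metadata URL from the provider's host name."""
    return f"https://{oauth_server_domain}/.well-known/openid-configuration"

def issuer_and_jwks(metadata):
    """Step 4: the two values the Add Domain dialog needs, taken from the metadata JSON."""
    return metadata["issuer"], metadata.get("jwks_uri")

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Diagnostics only;
    TDV performs the real validation against the JWKS URI."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_unsigned_jwt(claims):
    """Constructed sample token (alg none, no signature) so the checks run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def token_matches_domain(token, configured_issuer):
    """Step 5 check: the token's iss claim must equal the domain's Issuer Value exactly,
    trailing slash included; compare them before suspecting the TDV configuration."""
    return jwt_claims(token).get("iss") == configured_issuer

def fetch_token(token_url, client_id, client_secret, audience):
    """Step 7: the client_credentials request that the curl example performs."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret,
                       "audience": audience, "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(token_url, data=body,
                                 headers={"content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def call_tdv(endpoint, token):
    """Step 8: call the published web service with the token in the Bearer header."""
    req = urllib.request.Request(endpoint, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()

if __name__ == "__main__":  # offline self-check with a constructed token
    sample = make_unsigned_jwt({"iss": "https://idp.example.test/"})
    print(token_matches_domain(sample, "https://idp.example.test/"))  # True
```

When TDV rejects a token the provider handed back, run jwt_claims on it and compare iss with the domain's Issuer Value; a mismatch there is a common cause that is invisible in the TDV error message.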
NOTE:
1. If you run into the error "PKIX path building failed ...unable to find valid certification to the requested target is invalid" as shown below, add the IDP (in this case Auth0) certificate or chain of certificates to the TDV Server truststore file (the default is [TDV_Server_dir]\conf\server\security\cis_server_truststore.jks) and restart the TDV Server services for the change to take effect.
2. If TDV returns an insufficient privileges error as shown below, assign the user privileges on the published web service as shown below. After this, results will be returned.