I have been trying to use the VersionOne SDK.Net ObjectModel library with OAuth 2.0 authentication and have run into an issue. I am using ObjectModel 14.1.1.923 and APIClient 14.1.1.290 (latest from NuGet). I wrote and tested the code and it appeared to be able to use the rest-1.oauth.v1 endpoint successfully when executed from my Windows login. I tried running it from a TeamCity build agent service account (running as LocalSystem) however and got 403 errors from IIS. While I do not have administrative access to IIS, I have confirmed that the V1 web application extends read/write access to the Users group on my domain and that that group does include my computer account. I looked at the IIS logs, and although I am using the OAuth V1Instance constructor it appears that my computer account is listed as the requesting credentialed user with the rest-1.oauth.v1 GET request. This surprised me as I would have expected the OAuth request to be anonymous (like the requests to the meta.v1 endpoint are in the same log).
When tracing the request with Fiddler, I noticed that the Authorization scheme in the headers of the request generated by ObjectModel/APIClient is "Authorization: Negotiate <token>" rather than "Authorization: Bearer <token>" which is what I expected to say based on this documentation:
http://community.versionone.com/Developers/Developer-Library/Documentation/API/Security/Oauth_2.0_Authentication/Using_OAuth_2.0_for_Installed_Applications. Is it possible that this header is incorrect and the cause of my problem (enabling Windows Integrated Authentication to take precedence over the token-based authentication)?
Am I missing something obvious here? I thought the point of the OAuth mechanism was to allow my app to use the API without needing to execute with Windows credentials that have been granted explicit access to VersionOne.