OAuth 2.0 with VersionOne SDK.Net ObjectModel library
78 views
Skip to first unread message
Nathan Banek
Oct 14, 2014, 6:43:16 PM10/14/14
to version...@googlegroups.com
I have been trying to use the VersionOne SDK.Net ObjectModel library with OAuth 2.0 authentication and have run into an issue. I am using ObjectModel 14.1.1.923 and APIClient 14.1.1.290 (latest from NuGet). I wrote and tested the code and it appeared to be able to use the rest-1.oauth.v1 endpoint successfully when executed from my Windows login. I tried running it from a TeamCity build agent service account (running as LocalSystem) however and got 403 errors from IIS. While I do not have administrative access to IIS, I have confirmed that the V1 web application extends read/write access to the Users group on my domain and that that group does include my computer account. I looked at the IIS logs, and although I am using the OAuth V1Instance constructor it appears that my computer account is listed as the requesting credentialed user with the rest-1.oauth.v1 GET request. This surprised me as I would have expected the OAuth request to be anonymous (like the requests to the meta.v1 endpoint are in the same log).
When tracing the request with Fiddler, I noticed that the Authorization scheme in the headers of the request generated by ObjectModel/APIClient is "Authorization: Negotiate <token>" rather than "Authorization: Bearer <token>" which is what I expected to say based on this documentation: http://community.versionone.com/Developers/Developer-Library/Documentation/API/Security/Oauth_2.0_Authentication/Using_OAuth_2.0_for_Installed_Applications. Is it possible that this header is incorrect and the cause of my problem (enabling Windows Integrated Authentication to take precedence over the token-based authentication)?
Am I missing something obvious here? I thought the point of the OAuth mechanism was to allow my app to use the API without needing to execute with Windows credentials that have been granted explicit access to VersionOne.
When tracing the request with Fiddler, I noticed that the Authorization scheme in the headers of the request generated by ObjectModel/APIClient is "Authorization: Negotiate <token>" rather than "Authorization: Bearer <token>" which is what I expected to say based on this documentation: http://community.versionone.com/Developers/Developer-Library/Documentation/API/Security/Oauth_2.0_Authentication/Using_OAuth_2.0_for_Installed_Applications. Is it possible that this header is incorrect and the cause of my problem (enabling Windows Integrated Authentication to take precedence over the token-based authentication)?
Am I missing something obvious here? I thought the point of the OAuth mechanism was to allow my app to use the API without needing to execute with Windows credentials that have been granted explicit access to VersionOne.
Acey Bunch
Oct 15, 2014, 7:09:47 AM10/15/14
to version...@googlegroups.com
Unfortunately neither the .NET Object Model nor the NET.SDK (API Client) support the use of OAuth. In addition, the Object Model has been sunset, and while still supported, will never be updated.
Your best option for using OAuth in your application at this point is through direct HTTP requests. The topic that you provide the link for describes how to construct the HTTP requests to do this.
Nathan Banek
Oct 15, 2014, 11:03:56 AM10/15/14
to version...@googlegroups.com
That's surprising since both have constructors that take OAuth credentials (which appear to work at least partially). Was this a shift in direction from earlier plans for those APIs?
Also disappointing to learn ObjectModel has been sunset - I did not see this on the Github site or the Nuget site, but maybe overlooked it. It is unfortunate, as I have written 5+ tools and integrations for my team over the past several years spanning a variety of needs that all depend upon those APIs, so I'm not too excited about a rewrite of all of those. Can you provide any ideas as to the timeframe (expected V1 release) when ObjectModel will no longer function - I am currently able to use them with the Summer '14 update to V1 Ultimate.
Before I read your reply I ran a test at the beginning of my application's execution in an attempt to see if ObjectModel was my only issue. I used the VersionOneApiConnector class (with OAuth) from APIClient to perform one of the queries that the tool executes later in the code. Not only did this query succeed, but its execution somehow seemed to fix all of the subsequent queries (using a separately constructed ObjectModel V1Instance with OAuth) effectively working around the problem I experienced. I have not looked at the APIClient code or ObjectModel code yet so I don't know how to explain this, but this at least gives me some time. Something, it appears I will now need a lot of if I am going to have to rewrite all my tools to stop using ObjectModel (and maybe APIClient too).
I hope you all will reconsider support for OAuth in APIClient and ideally support for ObjectModel as well.
Also disappointing to learn ObjectModel has been sunset - I did not see this on the Github site or the Nuget site, but maybe overlooked it. It is unfortunate, as I have written 5+ tools and integrations for my team over the past several years spanning a variety of needs that all depend upon those APIs, so I'm not too excited about a rewrite of all of those. Can you provide any ideas as to the timeframe (expected V1 release) when ObjectModel will no longer function - I am currently able to use them with the Summer '14 update to V1 Ultimate.
Before I read your reply I ran a test at the beginning of my application's execution in an attempt to see if ObjectModel was my only issue. I used the VersionOneApiConnector class (with OAuth) from APIClient to perform one of the queries that the tool executes later in the code. Not only did this query succeed, but its execution somehow seemed to fix all of the subsequent queries (using a separately constructed ObjectModel V1Instance with OAuth) effectively working around the problem I experienced. I have not looked at the APIClient code or ObjectModel code yet so I don't know how to explain this, but this at least gives me some time. Something, it appears I will now need a lot of if I am going to have to rewrite all my tools to stop using ObjectModel (and maybe APIClient too).
I hope you all will reconsider support for OAuth in APIClient and ideally support for ObjectModel as well.
Acey Bunch
Oct 15, 2014, 12:36:09 PM10/15/14
to version...@googlegroups.com
You are right, I stand corrected. OAuth was added to the .NET API Client in the Winter 2014 Release 14.0, but it was not added to the Object Model.
OM sunset was announced in the Spring 2014 Release 14.1, and the sunset policy is that it will be supported for one year after announcement.
--
You received this message because you are subscribed to the Google Groups "VersionOne-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
versionone-de...@googlegroups.com.
To post to this group, send email to
version...@googlegroups.com.
Visit this group at http://groups.google.com/group/versionone-dev.
For more options, visit https://groups.google.com/d/optout.
Nathan Banek
Oct 15, 2014, 1:27:33 PM10/15/14
to version...@googlegroups.com
I'm glad to hear the API Client support for OAuth is there at least. I overlooked the announcement in the Sprint 2014 release notes, but have since found it.
To post to this group, send email to versio...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages