-
Re: 401 Unauthorized on .NET calls to v3 API
I'd be surprised if Jive allowed you to authenticate using basic auth. Our company does federated auth with Jive hosted using SAML and ADFS so making programmatic connections is more complicated than simply setting the username and password on the web request. I think OAuth is an option too but I might be wrong. When you say your company does SSO, what technologies are involved? What's the user sign-in experience like when using the browser?
-
Re: 401 Unauthorized on .NET calls to v3 API
1 person found this helpfulIt is not possible to authenticate against the REST API as a federated user. The password stored in the Jive DB is some randomized value that has no relation to the password stored in the IDP.
The API is not SSO enabled.
Your best bet is to create a non-federated 'service acount' with full access admin rights, authenticate against the API with that service account, then use the run-as headers to execute your API calls as a specific user.
-
Re: 401 Unauthorized on .NET calls to v3 API
The "service account" strategy has been successful, and I can make API calls with its credentials. Thanks for the suggestion.
We're having a little trouble setting up Run-As, though. When I go to Admin Console->System->Management I see nothing but the audit log viewer. I assume I'm missing privileges or something; I should be able to see/modify System Properties, right?
-
-
Re: 401 Unauthorized on .NET calls to v3 API
As long as you can simulate the initial authentication process (again, curious how your company has SSO set up), you can hit the REST API as a federated user. As I mentioned before, our company uses ADFS which works internally with Windows integrated authentication. Setting the HttpWebRequest.UseDefaultCredentials property to true tells the HttpWebRequest to use my Windows credentials. Since our SSO process is a series of redirects between Jive and ADFS, we also set the HttpWebRequest.AllowAutoRedirect property to true as well so the request object will follow HTTP 302 redirects. The key is sharing a CookieContainer object between multiple HttpWebRequest objects by creating a CookieContainer and assigning it to the HttpWebRequest.CookieContainer property. That way, each subsequent request will include the Jive session cookies. Once you've completed the authentication process once, you can issue as many requests against the API as you want for the life of the Jive session without having to reauthenticate.
-
Re: 401 Unauthorized on .NET calls to v3 API
To be clear, John Larson is correct in stating that you can't perform the necessary authentication steps while hitting the REST API URLs. You have to perform authentication against a non REST API URL (we use the root of the site) and then once you have the Jive session cookies, you can hit the REST API.
-
Re: 401 Unauthorized on .NET calls to v3 API
In previous versions I solved this by adding an additional authentication filter via a plugin. That filter would examine the rest request for the SSO cookie. If found it would attempt to verify against the SSO endpoint and then cache the result. Since there was no session this accomplished having repeated calls without sessions and without every call going back to the SSO source.
This solution depends on a few things. Of course the plugin but also that the calls from the application include the necessary corporate SSO tokens, cookies, or whatever. But I found that it was low overhead and more appropriate in a corporate setting where the integration is expected and there is no end user approval process required.
I'm still looking at Jive 7 and the new API where some of this can be solved with addons if I can get them fully functional while air gapped (no cloud).
-
-
Re: 401 Unauthorized on .NET calls to v3 API
Is there a reason why you cannot use OAuth to authenticate with the REST API. I've successfully used this approach to work around the SSO/federated user restriction.
Happy to share my code if that is an option for you. It does require user interaction for the initial setup, so it might not be 100% perfect for server to server integrations, but it works like a charm once set up.
-
Re: 401 Unauthorized on .NET calls to v3 API
I can't think of a particular reason why OAuth shouldn't work; I wasn't sure if Jive supported that for the REST API.
-
Re: 401 Unauthorized on .NET calls to v3 API
They do. You'll have to use an authorization code grant (resource owner password will not work for SSO users in my experience) as described here: OAuth 2.0
You will have to create and install an add-on to use OAuth. Let me know if you run into issues with this, happy to schedule a call to share my approach.
-
Re: 401 Unauthorized on .NET calls to v3 API
The instructions for creating the add-on seem fairly straightforward, but I'm having trouble uploading the files for it.
I took the sample found attached to OAuth 2.0 and modified the service/redirect URLs to point at the web client I'm working on, but when I zip up the files again and try to upload I get the message "Jive package missing meta.json and definition.json". I tried changing the extension to .jive, and with both a blank id and the one found in the sample, but always get the same error. The files it's claiming are missing are clearly in the package with the right names.
I'm also a little unclear about the id field. It says a random ID will be generated for the add-on, but what should I input for the initial upload?
-
-
Re: 401 Unauthorized on .NET calls to v3 API
It's an exact copy of the one provided, with meta.json modified to the following:
{
"package_version": "1.0",
"minimum_version": "0070300000",
"id": "c12d0751-00da-986d-a46a-909996360a6f",
"type": "client-app",
"name": "OAuth 2.0 Client",
"description": "This add-on is to register an OAuth 2.0 Client",
"service_url": "http://mySite/JiveBrightideaTests/Test.html",
"redirect_url": "http://mySite/JiveBrightideaTests/Test.html",
"icon_16": "icon_16.png",
"icon_48": "icon_48.png"
}
-
Re: 401 Unauthorized on .NET calls to v3 API
You'll need to generate a new ID, with something like : Online GUID Generator
also, if you do not want to have other services with your add-on, then you'll need to make the "service_url" value just http: such that Jive doesn't try to kick back to your add-on to register.
Your redirect_url needs to be the URL in the OAuth dance, so make sure that the URL your redirect in your app logic matches the URL defined in this package.
Hope that helps.
-
Re: 401 Unauthorized on .NET calls to v3 API
So you just provide it with a random GUID? Shouldn't Jive be providing one for us so that it can guarantee uniqueness?
I'm not sure I understand what the service_url value is used for (I know how the redirect_url works, though). What's a "register call"? I see mentions in the documentation about using the "registerURL" to get information about the Jive instance, but it's optional. Should I just set the service_url to https://myCompany.jiveon.com or is it supposed to be related to the add_on I'm creating.
-
Re: 401 Unauthorized on .NET calls to v3 API
Given the way GUIDs work, it's unlikely that there would be a duplicate unless you intentionally set it. I think the requirements might change, once Jive allows 3rd party add-ons into the add-on registry.
My understanding of the service URL is that this is mainly for informational purposes (so that firewalls can be opened, etc if needed) as you can hardcode everything without having to use the service_url.
Our approach is that for our add-ons that use a backend service, all UI elements (pages, js, images) and all webservice endpoints live under that service_url.
-
Re: Re: 401 Unauthorized on .NET calls to v3 API
I'm still getting "Jive package missing meta.json and definition.json"
The message kind of suggests that the problem isn't the contents of either file, since it's complaining it can't even find them. I've attached what I'm trying to upload to this post.
-
Re: 401 Unauthorized on .NET calls to v3 API
1 person found this helpful*sigh*
I don't know who came up with this .jive extension crap.
The add-on needs to be a standard zip file.
Also the content needs to be in the root of the zip. In your example there is a oauth2extn folder in the zip that holds the content. This is wrong.
If you are using Windows do NOT zip the folder (it will create a subfolder in the zip), but create the zip from within your folder that holds the meta.json, etc.
That's the reason why your add-on does not work.
-
Re: 401 Unauthorized on .NET calls to v3 API
That did it. Thanks for the help.
I also had to delete the icon and .properties files, though, so the .zip ended up just containing meta.json and definition.json . (it was complaining that it couldn't create the other files, so I assumed they were to be generated and not provided)
-
-
Re: 401 Unauthorized on .NET calls to v3 API
Daniel,
Sorry to hear about your troubles, but could you clarify a few points here so that I can take them back to engineering/docs teams.
- Where did you get the oauth2extn.jive file and/or where did you read the file needed to be a .jive extension? All references I've seen say that a simple ZIP is needed, so want to know where you were led astray to get that corrected.
- Nils Heuer - could you shed some light on the .jive extension !*@!# you are referring to?
Hoping to help clarify to reduce future headache =\
RR
-
Re: 401 Unauthorized on .NET calls to v3 API
OAuth 2.0 The example I grabbed was from here
The ".jive" thing was from Getting Started > Building a Jive Add-On under Contents of the Jive Add-on Package where it says "Note: Although the Jive Add-on package is encoded as a standard ZIP file, we use the custom file extension ".jive" when naming the file."
-
Re: 401 Unauthorized on .NET calls to v3 API
Thanks Daniel, I've removed that reference in the file. Not sure if that was a pre-launch detail that changed, or someone playing a cruel joke ... but since I've been here...I have never seen a .jive extension file, and I am confident that we will not enforce this for add-ons moving forward.
K...I'll double check and review that ZIP to make sure it is up to date and relevant.
Thanks for the extra detail, and again, apologies for the disconnects here. =\
-
-
Re: 401 Unauthorized on .NET calls to v3 API
Would need to find it, but there are/were a few examples of documentation/posts where the extension for the add-on upload was suggested to be .jive. This is confusing as it's a standard zip file.
-
Re: 401 Unauthorized on .NET calls to v3 API
K I will try to find more references to .jive, but if you find them just share with me and I'll correct. Sorry for the confusion!
-
- Where did you get the oauth2extn.jive file and/or where did you read the file needed to be a .jive extension? All references I've seen say that a simple ZIP is needed, so want to know where you were led astray to get that corrected.
-
-
-
Re: 401 Unauthorized on .NET calls to v3 API
Daniel,
I updated the ZIP file to clean out some of the confusion (at least an attempt).
Currently, there isn't a service that generates these GUIDs, if there is a collision we will block the new add-on from being uploaded to the registry.
A service URL tells Jive where a Middleware service is running, that it can ping to complete the workflow of registering an Add-On, in the simple OAuth2 example, this should be set to http: to prevent Jive from trying to resolve and initiate an add-on registration workflow.
Normally a Redirect URL is on the same service; however, it doesn't have to be. In the example I updated on the OAuth 2.0 document, I decoupled these two fields (previously redirect_url started with %service_url%), as if you are simply creating an OAuth2 client for the clientID/Secret... chances are you do not have a middleware app that you need registered.
Let me know if this helps. I have submitted feedback on improving this process and clarity already, and that ticket is in a queue of work to be done.
RR
-
Re: 401 Unauthorized on .NET calls to v3 API
It does make things abit more clear.
One thing, though. When you say set it to http:, do you mean the entire value should be "http:" and nothing else, or do you mean the URL should be "http://someURL"?
-
Re: 401 Unauthorized on .NET calls to v3 API
Exact text. http: This allows it to pass URL required validation and not initiate the registration flow.
-
Re: 401 Unauthorized on .NET calls to v3 API
I don't suppose there's a way to change that (or the Redirect URL) without deleting the addon and uploading a new version?
Also, what is the point of letting us pass a redirect_uri in the beginning of the OAuth dance if it can be omitted and must match the one specified in our uploads meta.json anyway? I thought the one you registered the add-on with was just the default, but attempts to provide a different redirect_uri result in error.
-
Re: 401 Unauthorized on .NET calls to v3 API
The reason for the redirect Uri in the URL is that it is just the base call,you can add additional query parameters. For example we pass things like unique session ids to the redirect URL to like the oauth user to a jive app user.
Sent from my mobile phone
-
-
-
-
-
-
-
-
-
-
-
-