Layer7 API Management


MAS - Registering a device with the client credentials flow

  • 1.  MAS - Registering a device with the client credentials flow

    Posted Aug 13, 2018 06:11 PM

    We are trying to register a device using the client credentials flow as specified in: Configure Device Registration - CA Mobile API Gateway - 4.1 - CA Technologies Documentation.

    Android Guides | CA Mobile App Services 

    There isn't much information on how to do that in the code itself; the only information I found is about the scope required and to call 'MAS.setGrantFlow(MASConstants.MAS_GRANT_FLOW_CLIENT_CREDENTIALS);'.

     

    This is what I tried:

    1. Created a client application with the scopes: oob msso_client_register mas_messaging mas_storage mas_identity_retrieve_users phone profile address email user_role
    2. Used the following commands:
      • MAS.setGrantFlow(MASConstants.MAS_GRANT_FLOW_CLIENT_CREDENTIALS);
      • MASUser.login(email, password.toCharArray(), new MASCallback<MASUser>() {...

    After that I get this error:
    com.ca.mas.foundation.MASException: register_device response did not include exactly one ID token and ID Token type header.

     

    Any ideas?



  • 2.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 13, 2018 09:08 PM

    Hi Eduardo,

     

    At first glance, I can say that you're attempting to log in a user via username/password (via MASUser.login). This is not necessary for the Client Credentials flow. As stated in our Mobile SDK for Android guidelines, MAS_GRANT_FLOW_CLIENT_CREDENTIALS authentication will be done against the registered client. The Mobile SDK will take care of the authentication flow when you send a request to a protected endpoint.

     

    Have you checked our Android sample app for reference? It demonstrates how to build a simple app using our SDK and log in a user using the Password Flow, which seems to be your intent. Download it via GitHub - CAAPIM/Sample-App-MAS-Android-Login-User-Authentication-And-Authorization. Also, this video explains the major difference between the two flows.

     

    I hope this helps.

     

    Carina Ramello

    Sr Product Owner



  • 3.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 14, 2018 12:38 PM

    Hi Carina, thank you for your answer. Actually, what we are trying to do is a kind of 'hybrid' approach. We want to have some protected APIs that should be available just through client authentication, and some others that will require user login.
    We think that should be possible because of this section of documentation:

     

    "For MAS_GRANT_FLOW_CLIENT_CREDENTIALS, the Mobile SDK always guarantees that the library is authenticated against the client. In this scenario, entering the username and password is not required; however, if you would like to manage user access for a certain feature, you can overwrite the client authenticated session with user authentication."

    How can we "overwrite the client authenticated session with user authentication."?

     

    Thanks,
    Eduardo Oliveira



  • 4.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 24, 2018 07:43 PM

    Hi Eduardo,

     

    It looks like you are missing some scopes; perhaps try adding the "msso" and "openid" scopes to your client, and try again to see if that error goes away.

     

    Also, it looks like you are using the Android SDK, so I will coordinate with an Android SDK engineer to confirm what will throw that exception and when.

     

    To answer your question in regards to authentication with the client credentials flow, for both the iOS and Android SDK, yes, your understanding is correct for this 'hybrid' approach. The basic rule is that, if you set the grant flow to Client Credentials, you can invoke any API without performing any authentication; if the client device registration/authentication is not done, the Mobile SDK will perform the device registration and client authentication by itself. For certain APIs, you may want to restrict access to a user-authenticated session.

     

    For those APIs, you can accomplish this in a few ways, but I will only explain from the Mobile Client SDK perspective.

     

    1. You can check whether MASUser currentUser exists to determine whether the user is authenticated prior to making the API request.

    2. In the Android SDK only, I believe that you should be able to specify whether a request is to be made as Client Credentials or Password. You can use MASRequestBuilder and look for password() or clientCredential(): Android-MAS-SDK/MASRequest.java at Stable · CAAPIM/Android-MAS-SDK · GitHub. If you are setting the flow to password, you should also be aware that the Mobile SDK will invoke the authentication listener to obtain user credentials in order to proceed with the request using the password flow.

     

    Please let me know if you have any further question or concern.

     

    Thanks,
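
    The hybrid approach worked out in posts 3 and 4, as an added Java example for the Android MAS SDK. This is not code from the thread or from the CA/Broadcom SDK; it only uses the calls named in the thread (MAS.setGrantFlow, MASUser.login, MASUser currentUser, MASRequestBuilder with clientCredential() and password()) plus MAS.invoke and MASUser.isAuthenticated() from the public SDK. The endpoint paths, the class name HybridAccess and the way the request Uri is built are assumptions for illustration, not gateway defaults.

    ```java
    import android.net.Uri;

    import com.ca.mas.foundation.MAS;
    import com.ca.mas.foundation.MASCallback;
    import com.ca.mas.foundation.MASConstants;
    import com.ca.mas.foundation.MASRequest;
    import com.ca.mas.foundation.MASResponse;
    import com.ca.mas.foundation.MASUser;

    import org.json.JSONObject;

    /**
     * Hybrid access pattern: the app runs in the client credentials grant flow,
     * so "client-only" APIs work with no user interaction, while user-restricted
     * APIs are gated in the app and sent with the password flow.
     * (Added example; class name and endpoint paths are hypothetical.)
     */
    public class HybridAccess {

        // Hypothetical MAG endpoint paths; real paths come from your gateway configuration.
        private static final String CLIENT_ONLY_API = "/protected/resource/products";
        private static final String USER_ONLY_API   = "/protected/resource/orders";

        /** Call once after MAS.start(...) so registration and authentication happen against the client. */
        public static void configureClientCredentialsFlow() {
            MAS.setGrantFlow(MASConstants.MAS_GRANT_FLOW_CLIENT_CREDENTIALS);
        }

        /** Client-only API: on first use the SDK registers the device and obtains a client token by itself. */
        public static void fetchProducts(MASCallback<MASResponse<JSONObject>> callback) {
            MASRequest request = new MASRequest.MASRequestBuilder(
                    new Uri.Builder().path(CLIENT_ONLY_API).build())
                    .clientCredential()   // send explicitly with the client credentials grant
                    .build();
            MAS.invoke(request, callback);
        }

        /** Item 1 of post 4: decide from the current user whether a user session exists. */
        public static boolean hasUserSession() {
            MASUser user = MASUser.getCurrentUser();
            return user != null && user.isAuthenticated();
        }

        /**
         * Item 2 of post 4: force the password flow for a user-restricted API so the SDK never
         * satisfies the request with the client token alone. Gating in the app avoids a surprise
         * authentication-listener prompt in the middle of a background request.
         */
        public static void fetchOrders(MASCallback<MASResponse<JSONObject>> callback) {
            if (!hasUserSession()) {
                callback.onError(new IllegalStateException("user login required for " + USER_ONLY_API));
                return;
            }
            MASRequest request = new MASRequest.MASRequestBuilder(
                    new Uri.Builder().path(USER_ONLY_API).build())
                    .password()           // SDK invokes the authentication listener if no user session exists
                    .build();
            MAS.invoke(request, callback);
        }

        /** Overwrites the client-authenticated session with a user session, as the quoted documentation describes. */
        public static void loginUser(String username, char[] password, MASCallback<MASUser> callback) {
            MASUser.login(username, password, callback);
        }
    }
    ```

    The point of the split is that the gateway enforces the scopes, but only the app knows which of its screens must not run on a client-only token; checking the current user before sending, and pinning the grant per request, keeps that decision explicit rather than dependent on whatever session the SDK happens to hold.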



  • 5.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 27, 2018 08:33 PM

    Worked! Thanks!



  • 6.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 27, 2018 09:03 PM

    One more question; actually, I don't know if I should open another item for this.
    After the device was registered through the client credentials flow, I use MASUser.login to overwrite the session and then I tried to use MASProximityLoginQRCode.authorize, but I am getting an error:
    Response code: 401
    Response message: Unauthorized
    Response content: {
    "error": "login_required",
    "error_description": "The resource owner could not be authenticated due to missing or invalid credentials"
    }

    Debugging the API 'auth/device/authorize' on MAG, I was able to identify that this is because of the following steps:

     

    Is there a particular reason for that? What do you guys recommend? I don't feel very comfortable editing the API, since it is a part of the product.

     

    Thanks,

    Eduardo Oliveira



  • 7.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 27, 2018 11:57 PM

    Hi Eduardo,

     

    When we talk about proximity login, keep in mind that we will always have two parties involved.

     

    1. The device that was already registered and authenticated, and the one that will authorize other devices.

    2. The device that was not registered and authenticated, and is waiting for another device to authorize it.

     

    For simplicity, I will call #1 the authorizing device, and #2 the authenticating device.

     

    I am not exactly sure how you are trying to do the proximity login, but the expected flow is as follows:

     

    1. The authorizing device should be authenticated with user credentials.

    2. The authenticating device should not be authenticated or registered at the moment, and the OAuth client of the authenticating device should register the "msso_register" scope if the device was not registered.

    3. The authenticating device will display the QR code from the MASAuthenticationProvider object which has the identifier "qrcode".

    4. The authorizing device will scan the QR code and will invoke the content of the QR code (which should be in URL format), if the payload is passed to MASProximityLoginQRCode.authorize.

    5. If the result of MASProximityLoginQRCode.authorize is 200, the authenticating device should be able to retrieve the authorization code, which can be consumed to register the device or authenticate the user.

     

    Of course, for the authenticating device there are a lot of things that you need to prepare, such as setting the polling interval, displaying the QR code with limits, etc.; however, if you use the MASUI framework for your solution, all of this from the authenticating device's perspective should simply be handled through the default login screen.

     

    This is a high-level overview of QR code proximity login. I am not entirely sure if you were scanning the QR code and invoking MASProximityLoginQRCode.authorize with the device which was authenticated and registered with client credentials, but if that's the case, then that's probably the wrong approach for QR code proximity login.

     

    Please elaborate a little bit more on how you were trying to establish this QR code proximity login, so that I can pinpoint where the problem is.

     

    Thanks, 



  • 8.  Re: MAS - Registering a device with the client credentials flow

    Posted Aug 28, 2018 11:21 AM

    Hi, I think I understood the concept and I was able to implement it using the password flow. I am having trouble specifically when using MAS_GRANT_FLOW_CLIENT_CREDENTIALS.

     

    My problem is on step number 5: when I invoke MASProximityLoginQRCode.authorize I get a 401.

    On the first call to MAG, after the installation of the app, it creates a registration of the device. That is available to inspect at https://{magurl}:8443/mag/manager.

     

    When I use the password flow this registration is associated with a user; when I use the client credentials flow this registration is associated with the client application.
    This registration only occurs once.

     

    My 'Authorizing device' was registered with the client credentials flow.

    I logged in on the 'Authorizing device' using user credentials and tried to authorize the URL generated on the 'Authenticating device'.
    The URL is like: https://{magurl}:8443/auth/device/authorize?sessionID={sessionID}. I always get the 401.

     

    Inspecting the API 'auth/device/authorize' in the Policy Manager, I found these steps:

     

    It seems that it checks if the user logged in on the 'Authorizing device' is the same as the cn registered for that device. That will never happen, since the device was registered associated with a client application and not a specific user. That could be a problem when using the password flow too; it could occur in scenarios with multiple-user support.

     

    Thanks for your help,

    Eduardo Oliveira



  • 9.  Re: MAS - Registering a device with the client credentials flow

    Broadcom Employee
    Posted Dec 10, 2018 07:24 PM

    Good afternoon,

     

    Were you able to resolve the issue? What was the final result?

     

    Sincerely,


    Stephen Hughes
    Broadcom Support



  • 10.  Re: MAS - Registering a device with the client credentials flow

    Posted Dec 17, 2018 07:50 AM

    Hi Stephen, at this moment the solution was to update the policy. But we are not comfortable with that solution.



  • 11.  Re: MAS - Registering a device with the client credentials flow

    Posted Dec 19, 2018 06:32 PM

    Hi Eduardo,

     

    Our MAG/OTK solution is designed to perform Proximity Login (QR Code) only for those sessions that were registered with user credentials or other authentication providers (such as Google or Facebook).

     

    Since the Client Credentials Grant Flow is not associated with any user-related profile, it is by design that the CC Grant Flow can't perform Proximity Login out of the box.

     

    Please let me know if you have any further question or concern.

     

    Thanks,