Some tips to debug SSO solution without using GAM

Official Content

This document explains some details of the solution described in HowTo: Implement SSO for applications that do not use GAM. Read that document first, then download the xpz from here.

The flow differs depending on whether the request parameters are encrypted or not.
It is advisable to try the example code without encryption first, in order to understand the full cycle.

When the communication is not encrypted, the second parameter in the callback URL is code. Otherwise (when encrypted) it is key.

  • When it is encrypted, the callback is the following:

http://<server>/<base_url>/oauth/gam/callback?gam=GRESTD4660bfb1-767e-4d6e-b509-a50787b11623&key=kv0q0LUJU2AU7tVrv59QT40tcyM6JF27d%2blQKVQbi0DP%2ffbY%2f18Q3sqiJD3gp921%2f0kyd9E8SIOhuhqXw5nMBChcZLeqroxEqhpNjTX7HSrIuWc9aBhoYHK48%2bnAp5o2y4xSSuh3IBJRZAYomr7IfFHdbnq3FpIWP%2fnNqwLhZAs%3d

The key parameter carries an encrypted string that, when decrypted, contains the code. Obtaining the code by decrypting corresponds to the following part of the example code:

if &IdentityProvider.IdentityProviderEncryptParameter
    &aParameterscharacter = &aParameters.Item(2)   // second parameter of the callback: key=<encrypted string>
    &aVar = &aParameterscharacter.SplitRegEx(!"=")
    &aParameterscharacter = decrypt64(&aVar.Item(2), &IdentityProvider.IdentityProviderEncryptionKey.Trim())
    &aParameters = &aParameterscharacter.SplitRegEx(!"&")   // the decrypted text is again a parameter list
    &par2 = &aParameters.Item(1)
    &aVar = &par2.SplitRegEx(!"=")

    msg(!"++++ " + &aVar.Item(1), status) // This is the code.
else ....


  • With no encryption, the callback can be seen in the trace and looks as follows:

http://<server>/<base_url>/oauth/gam/callback?gam=GRESTD7f4a2097-deeb-4eb8-8006-dd9fe7c65762&code=aae054fbac484385bcf31d32d311e012a0203c9931964ebfbc9a0d1e68c2e682

Note that signing in with the scope "gam_user_additional_data" requires setting "Can get user additional data? = TRUE" in the Identity Provider server.

Tip

When using .NET, the ASP.NET trace file is very useful for seeing the HTTP requests.
Without encryption, the log shows where the access token is requested, and the example code prints the access code:

Start HTTPClient buildRequest: requestUrl:http://localhost:80/ServerSTSGAM.NetEnvironment method:POST name:oauth/gam/access_token
2019-08-07 16:39:52,312 [32] DEBUG GeneXus.Http.Client.GxHttpClient - Start SendStream.Read: BytesRead 0
2019-08-07 16:39:52,365 [32] DEBUG GeneXus.Http.Client.GxHttpClient - Reading response...
2019-08-07 16:39:52,366 [32] DEBUG GeneXus.Http.Client.GxHttpClient - BytesRead 190
2019-08-07 16:39:52,367 [32] DEBUG GeneXus.Http.Client.GxHttpClient - BytesRead 0
2019-08-07 16:39:52,368 [32] DEBUG GeneXus.Http.Client.GxHttpClient - _responseString {"access_token":"2819262c-cdfd-4389-a1b3-b6548ec96add!ccc196897bf056509c4b9b8fe5b47b51aa47c482f378b44e4f9b8ec50b66a032c8675c48b430d3     ","token_type":"","expires_in":"","refresh_token":""}
2019-08-07 16:39:52,369 [32] INFO  GeneXus.Programs.aloginresponse - &AccessCode: aae054fbac484385bcf31d32d311e012a0203c9931964ebfbc9a0d1e68c2e682, &ResultHttpC={"access_token":"2819262c-cdfd-4389-a1b3-b6548ec96add!ccc196897bf056509c4b9b8fe5b47b51aa47c482f378b44e4f9b8ec50b66a032c8675c48b430d3     ","token_type":"","expires_in":"","refresh_token":""}, &ResultHttpError=      0.00-
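The two callback shapes above and the access_token response in this trace are the points where debugging usually starts. The following Python helper, added here as an example and not part of the GAM xpz, extracts the code from either callback form (mirroring the GeneXus snippet: second parameter, decrypt, split on "&" then "=") and checks the token response for empty fields. GAM's decrypt64 is not reproduced; the `decrypt` argument is an assumed stand-in that must return the decrypted "name=value&..." text, and the key value in the constructed URL is a placeholder, not real ciphertext.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample callbacks modelled on the two shapes shown on this page.
# The 'key' value is a placeholder, not GAM ciphertext.
PLAIN_CALLBACK = ("http://server/base/oauth/gam/callback"
                  "?gam=GRESTD7f4a2097-deeb-4eb8-8006-dd9fe7c65762"
                  "&code=aae054fbac484385bcf31d32d311e012a0203c9931964ebfbc9a0d1e68c2e682")
ENC_CALLBACK = ("http://server/base/oauth/gam/callback"
                "?gam=GRESTD4660bfb1-767e-4d6e-b509-a50787b11623"
                "&key=OPAQUE%2bBLOB%3d")


def parse_callback(url, decrypt=None):
    """Return (mode, gam, code) for a GAM callback URL.

    mode is 'plain' when the second parameter is 'code' and 'encrypted'
    when it is 'key'. `decrypt` stands in for GAM's decrypt64 (assumed,
    not reproduced) and must return the 'name=value&...' plaintext.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    gam = query.get("gam", [""])[0]
    if "code" in query:
        return "plain", gam, query["code"][0]
    if "key" in query:
        if decrypt is None:
            raise ValueError("encrypted callback but no decrypt function given")
        # parse_qs already percent-decodes, so %2b / %2f / %3d are restored
        plaintext = decrypt(query["key"][0])
        # Mirror the GeneXus snippet: first '&'-separated item, then split on '='
        first = plaintext.split("&")[0]
        name, sep, value = first.partition("=")
        return "encrypted", gam, value if sep else name
    raise ValueError("callback carries neither 'code' nor 'key'")


def check_token_response(body):
    """Parse the _responseString JSON of the access_token call and return
    (access_token, missing), where missing lists the fields that are empty."""
    data = json.loads(body)
    token = str(data.get("access_token", "")).strip()  # trace shows trailing blanks
    fields = ("access_token", "token_type", "expires_in", "refresh_token")
    missing = [k for k in fields if not str(data.get(k, "")).strip()]
    return token, missing
```

In the trace above, check_token_response would report token_type, expires_in and refresh_token as empty, which is what the log shows.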

Then you can see the POST to the userinfo endpoint:

Start Execute: method 'POST', name 'oauth/gam/userinfo'
2019-08-07 16:39:52,379 [32] DEBUG GeneXus.Http.GxWebSession - GetObject SessionId : ab4twcdyrejitzh4crx35ugk
2019-08-07 16:39:52,380 [32] DEBUG GeneXus.Http.Client.GxHttpClient - Start HTTPClient buildRequest: requestUrl:http://localhost:80/ServerSTSGAM.NetEnvironment method:POST name:oauth/gam/userinfo
2019-08-07 16:39:52,380 [32] DEBUG GeneXus.Http.Client.GxHttpClient - Start SendStream.Read: BytesRead 0
2019-08-07 16:39:52,451 [32] DEBUG GeneXus.Http.Client.GxHttpClient - Reading response...
2019-08-07 16:39:52,452 [32] DEBUG GeneXus.Http.Client.GxHttpClient - BytesRead 510
2019-08-07 16:39:52,452 [32] DEBUG GeneXus.Http.Client.GxHttpClient - BytesRead 0
2019-08-07 16:39:52,452 [32] DEBUG GeneXus.Http.Client.GxHttpClient - _responseString

See also

HowTo: Generate GAM trace