Obtaining auth ticket from OTDS using OTDS logon page (for IWA/SSO)

Nick O'Connor

Hi all,

My scenarios is as follows:
We have OTDS 10.5 and Content Server 10.5, and we have developed some RESTful webservices that sit independent of Content Server/OTDS. We also have a Javascript-only (no JSP/etc) client. We want to get IWA authentication (falling back to forms-based sign-on) using the OTDS login page (/otdsws/login?RFA=...) and then use the OTDSTicket in our calls to Content Server.

We have:

• setup a new Resource in OTDS called 'Webapp' and activated it
• assigned access to our domain users
• Content Server is already setup and working fine with OTDS
• we are using the ResourceID of the Webapp in teh RFA param (/login?RFA={webapp-resource-id}:/webapp/page/path) to authenticate, and hope to use it to obtain a ticket for Content Server using OTDS APIs.

I am able to redirect to the login page, authenticate using IWA (seemelessly) and bounce back to the Webapp page fine, however because the OTDSTicket is returned in an HttpOnly cookie, i cannot access it using javascript to authenticate for subsequent API calls, and XHR can't send the cookie (even using "withCredentials") due to security restrictions.

My question is: how do we access and use the OTDSTicket authentication ticket from a purely-javascript application?

Thanks,
Nick

Nick O'Connor

any thoughts or feedback? even if its not a solution as such?

the only path forward that i can see is to put a JSP page or MVC app between the static pages and the webservice calls, and dynamically pull the ticket from the cookie and apply to a variable in the page - but this is not an ideal approach for us.

Alex_Dowgailenko

Hello Nick,

I am not on the OTDS team and I'm certainly not an OTDS expert, but I have just done a small proof of concept for Infofusion in a similar scenario to yours. Here is how I got it working:

1. Visit local installation of webapp at "discoverer.lab.opentext.com"
2. web app pings a backend service via AJAX, gets a 401
3. user is directed to OTDS and logs in
4. user is directed back to the web app, which again pings the backend service via AJAX. The OTDSTicket will be sent along with this request
5. backend service verifies the OTDSTicket and sends back a 200 along with a separate session ID

There are a few things to note:

HttpOnly prevents manipulation/removal of the cookie via Javascript, but does not prevent the cookie from being sent along with AJAX requests. However, the domain flag will. In my scenario OTDS is installed on a server whose name is vcotds.lab.opentext.com and sets an OTDSTicket cookie with the domain flag equal to ".lab.opentext.com". This means this cookie is valid for *.lab.opentext.com domains.

So, as I mentioned, my own installation of the webapp is at discoverer.lab.opentext.com, which is mapped to 127.0.0.1 in my host file. The OTDSTicket is sent along with the AJAX request as expected.

I suspect that your problem is related to the domain flag. Ideally, you shouldn't really need to access the OTDSTicket in your JS code at all if all the business logic is on the server. Just make sure the server side knows how to make sure that an incoming request is from a valid user and if not, throw a 401 and have the web app redirect to OTDS whenever it encounters a 401.

Hope that helps!

Nick O'Connor

Hi Alex,

Thanks for the reply! That confirms my understanding of cookies and the HttpOnly option.

What i'm seeing (with jquery 1.9.1 and Chrome current) is that cookies with the same domain as my requesting site are still not accessible via javascript, and jquery is not sending it with the ajax requests.

For the meantime i'm resorting to using nginx to grab the cookie and put it in a response header so that i can access within the webapp (JS-only) - which is obviously contrary to the HttpOnly cookie security intent.

Thanks for the feedback - i'll keep looking into it.

Nick