
I have a web project that needs to pull some data from a hosted VersionOne instance. The VersionOne instance uses SAML authentication for single sign-on. The single sign-on itself uses a username and pin+one-time password for authentication, so it is nearly impossible to hard-code those values into the application.

Is there a way to handle this situation? Can I set something in the header of the request to bypass the single sign-on process?


1 Answer


As of release 13.1, VersionOne supports OAuth2 for authentication against the API endpoints. Both the Webserver flow (where the hosted instance POSTs auth tokens to your waiting HTTP server) and the Out-of-band flow (where the hosted instance gives the user a code to copy/paste to the client) are supported.

That may be a better match for your requirements, as the SAML process is difficult to complete without a web browser and user present.

Once the OAuth2 credentials are obtained by the app, it can operate without user intervention. At any time, the user may revoke the app's permissions inside of VersionOne.

With OAuth2, the process is:

  1. Register your app with VersionOne, thus creating a client secret.

  2. Configure the app with the client secret data from the registration.

  3. Have the app request a permission grant, which sends you to the VersionOne server.

  4. Log in to the server as the user you wish the app to act as, and accept the grant.

  5. Copy the grant code back to the app if using the out-of-band flow.

  6. The app contacts the VersionOne instance and exchanges the code for a persistent token.

  7. The app can apply the token as an "Authorization: Bearer " HTTP header to achieve access to the VersionOne endpoint.

  8. If the token has expired and the request returns Unauthorized, the client may attempt to refresh the token and try again, without user intervention.

There is some documentation available on the VersionOne community site.

And a few (in-progress) examples in the VersionOne OAuth2 Examples repository.

We also have a (beta) HTTP proxy that can run on your app's server, forwarding requests to the VersionOne instance after wrapping them with OAuth2 and SSL.

 
Does this work on hosted instances of VersionOne too? –  Vaishak Suresh Jun 12 at 18:44
 
If the instance has been upgraded, then yes it should. We'd like to know if it doesn't. –  Joe Koberg Jun 12 at 18:45
 
The instance is running VersionOne Ultimate Scrum Winter '13 (13.0.8.76). So OAuth2 would not work? –  Vaishak Suresh Jun 12 at 18:59
 
No, it wouldn't. But you may also upgrade your instance whenever it's convenient for your organization. –  Joe Koberg Jun 12 at 19:24
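
The bearer-header and refresh-and-retry behaviour from steps 7 and 8 of the answer above, as an added example that is not part of the original answer or VersionOne's own code. The token URL, client values and the in-memory `make_fake_server` are constructed placeholders, and the refresh request assumes the instance accepts the standard OAuth2 `refresh_token` grant (RFC 6749, section 6).

```python
import json
import urllib.parse

class BearerClient:
    """Steps 7-8: send the bearer token; on 401 refresh once and retry."""
    def __init__(self, transport, token_url, client_id, client_secret, tokens):
        self.transport = transport   # callable(method, url, headers, body) -> (status, body)
        self.token_url = token_url   # placeholder; use the value from your app registration
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens = dict(tokens)   # {"access_token": ..., "refresh_token": ...}

    def _refresh(self):
        # Standard OAuth2 refresh request (RFC 6749 section 6), form-encoded POST.
        form = urllib.parse.urlencode({
            "grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"],
            "client_id": self.client_id, "client_secret": self.client_secret})
        status, body = self.transport("POST", self.token_url,
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            # e.g. the user revoked the grant: stop and ask for a new grant (steps 3-6).
            raise PermissionError("refresh rejected; a new permission grant is required")
        new = json.loads(body)
        self.tokens["access_token"] = new["access_token"]
        # The server may or may not rotate the refresh token; keep the old one if absent.
        self.tokens["refresh_token"] = new.get("refresh_token", self.tokens["refresh_token"])

    def get(self, url):
        if not url.lower().startswith("https://"):
            raise ValueError("refusing to send a bearer token over a non-TLS URL")
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.tokens["access_token"]}
            status, body = self.transport("GET", url, headers, None)
            if status != 401 or attempt == 1:
                return status, body   # success, other error, or still 401 after one refresh
            self._refresh()

def make_fake_server():
    """Constructed in-memory stand-in for the instance: only 'tok-new' is accepted."""
    log = []
    def transport(method, url, headers, body):
        log.append(method)
        if method == "POST":
            ok = urllib.parse.parse_qs(body).get("refresh_token") == ["ref-1"]
            return (200, json.dumps({"access_token": "tok-new"})) if ok else (400, "{}")
        return (200, "ok") if headers.get("Authorization") == "Bearer tok-new" else (401, "")
    return transport, log
```

In a real deployment the `transport` callable would wrap an HTTPS client, and the stored tokens and client secret should be kept out of logs and source control.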
