Code and Implementations
OAuth 2.0 implementations using Apache Oltu are available at the following repo:
https://github.com/UCLALibrary/jasperserver-oauth-saml
The links below refer to JRS 6.4; if you need an older version, go to the root of the repo and find the version you need.
Please note, the 7.5 folder in that same repo only updates the SAML customization.
The current implementation uses the Authorization Grant Code Flow.
OAuth 2.0 Primer
A primer on the OAuth 2.0 specification and Authorization Grant Code Flow is recommended.
Please see the following links for more information:
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
http://tutorials.jenkov.com/oauth2/index.html
https://en.wikipedia.org/wiki/OAuth#OAuth_2.0
OAuth External Authentication Setup
Download the pre-compiled binaries located here
https://github.com/UCLALibrary/jasperserver-oauth-saml/tree/master/6.4/oauth/binaries
https://github.com/UCLALibrary/jasperserver-oauth-saml/tree/master/6.4/oauth/binaries/apacheoltu
Copy them to webapps/jasperserver-pro/WEB-INF/lib
Download the applicationContext file for the SSO setup at the following location:
https://github.com/UCLALibrary/jasperserver-oauth-saml/tree/master/6.4/oauth/WEB-INF
Copy the applicationContext file to webapps/jasperserver-pro/WEB-INF
Configure the applicationContext file as follows:
Once you have an OAuth 2.0 authorization server set up, register Jasperserver as a client. You will then have the following information:
- authorization location (ex: http://myoauthserver:8080/oauth2/authorize)
- client_id (name with which you register jasperserver as a client, ex: jasperserver61)
- client_secret (secret you specify, or that gets generated, when you register jasperserver as a client with your authorization server)
- token location (endpoint exposed by the authorization server for exchanging grant codes for access or refresh tokens, ex: http://myoauthserver:8080/oauth2/token)
- redirect url (location that the authorization server will redirect back to with a grant code; this will be your jasperserver url plus /oauth on the end, ex: http://localhost:8080/jasperserver-pro/oauth)
- scope (optional scope if you defined a scope for client access)
You will need to take these values and configure the following bean in the applicationContext file with them:
<bean id="proxyPreAuthenticatedProcessingFilter" class="com.jaspersoft.jasperserver.ps.OAuth.OAuthPreAuthenticationFilter">
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
    <property name="authenticationManager" ref="oAuthAuthenticationManager"/>
    <property name="authenticationFailureUrl"><value>/oauth</value></property>
    <property name="defaultTargetUrl"><value>/loginsuccess.html</value></property>
    <property name="filterProcessesUrl"><value>/oauth</value></property>
    <property name="authorization_location"><value>http://localhost:8080/oauth2/authorize</value></property>
    <property name="client_id"><value>js61</value></property>
    <property name="redirecturl"><value>http://localhost:8061/jasperserver-pro/oauth</value></property>
    <property name="token_location"><value>http://localhost:8080/oauth2/token</value></property>
    <property name="clientsecret"><value>9700fc55-85fc-4682-807d-a881054fa665</value></property>
    <property name="scopes"><value>uri:JaspersoftReportingServer</value></property>
</bean>
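How the bean's properties appear on the wire in the authorization code flow, as an added example (not code from the repository): it builds the authorization redirect, checks the callback to /oauth, and assembles the token request. The `state` check and sending the client credentials in the form body are standard RFC 6749 options assumed here; the page does not say which of them the compiled filter uses.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values copied from the proxyPreAuthenticatedProcessingFilter bean above.
CONFIG = {
    "authorization_location": "http://localhost:8080/oauth2/authorize",
    "token_location": "http://localhost:8080/oauth2/token",
    "client_id": "js61",
    "clientsecret": "9700fc55-85fc-4682-807d-a881054fa665",
    "redirecturl": "http://localhost:8061/jasperserver-pro/oauth",
    "scopes": "uri:JaspersoftReportingServer",
}

def authorization_request(cfg, state):
    """Step 1: URL the browser is sent to on the authorization server."""
    query = {"response_type": "code", "client_id": cfg["client_id"],
             "redirect_uri": cfg["redirecturl"], "state": state}
    if cfg.get("scopes"):  # scope is optional
        query["scope"] = cfg["scopes"]
    return cfg["authorization_location"] + "?" + urlencode(query)

def read_callback(callback_url, cfg, expected_state):
    """Step 2: redirect back to the redirect url; returns the grant code."""
    got, want = urlsplit(callback_url), urlsplit(cfg["redirecturl"])
    if got[:3] != want[:3]:  # scheme, host:port and path must match exactly
        raise ValueError("callback does not match the registered redirect url")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization server error: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")  # assumed CSRF check (RFC 6749)
    if "code" not in params:
        raise ValueError("callback carries no grant code")
    return params["code"][0]

def token_request(cfg, code):
    """Step 3: endpoint and form body for exchanging the code for tokens."""
    return cfg["token_location"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirecturl"],  # same value as in step 1
        "client_id": cfg["client_id"],
        "client_secret": cfg["clientsecret"],
    }
```

The redirect url sent in step 1 and step 3 has to be the same string that was registered with the authorization server, which is why all three functions read it from the one configuration entry.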
Once you have set up a resource server that returns user detail information (see the section below on the response type for this endpoint) and registered it with the authorization server, you will have the following:
- user detail location (url to your resource server endpoint for user detail information ex: http://myresourceserver:8080/v1/tokeninfo)
- user detail key (entered or generated when registering the user detail service as a resource server with the authorization server)
- user detail secret (entered or generated when registering the user detail service as a resource server with the authorization server)
You will need to take these values and configure the following bean in the applicationContext file with them:
<bean id="OAuthAccessTokenValidator" class="com.jaspersoft.jasperserver.ps.OAuth.OAuthAccessTokenValidator">
    <property name="userdetails_location"><value>http://localhost:8080/v1/tokeninfo</value></property>
    <property name="userdetails_key"><value>27c88aca-11dc-4022-9753-53f96a1fefc6</value></property>
    <property name="userdetails_secret"><value>0ebdb578-d571-43f0-91f7-ce0e656a35f0</value></property>
</bean>
User Detail Resource Server Service
The current and compiled code expects a JSON response from your user detail information service endpoint on your Resource Server with the following fields:
Mandatory:
- name (username)
Optional:
- organization (id and name of the user's organization--if not present defaults to jasperserver default organization)
- roles (comma separated string of role names)
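A contract check for the user detail response described above, as an added example (not code from the repository) that you can run against your own endpoint's output before pointing Jasperserver at it. It assumes the organization is sent as a single string; the sample responses and role names are constructed.

```python
import json

def parse_user_details(body):
    """Validate the user detail JSON and return username, organization, roles."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("user detail response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("user detail response must be a JSON object")

    # Mandatory: without a username there is nobody to log in, even if the
    # response carries roles.
    name = data.get("name")
    if not isinstance(name, str) or not name.strip():
        raise ValueError("mandatory field 'name' is missing or empty")

    # Optional: None means "use the jasperserver default organization".
    # Assumption: the organization arrives as one string.
    org = data.get("organization")
    if org is not None and (not isinstance(org, str) or not org.strip()):
        raise ValueError("'organization' must be a non-empty string if present")

    # Optional: comma separated role names; drop blanks and duplicates.
    raw_roles = data.get("roles")
    if raw_roles is None:
        raw_roles = ""
    if not isinstance(raw_roles, str):
        raise ValueError("'roles' must be a comma separated string")
    roles = []
    for role in (r.strip() for r in raw_roles.split(",")):
        if role and role not in roles:
            roles.append(role)

    return {
        "username": name.strip(),
        "organization": org.strip() if org else None,
        "roles": roles,
    }

# Constructed sample responses.
SAMPLE_FULL = ('{"name": "jdoe", "organization": "organization_1", '
               '"roles": "ROLE_USER, ROLE_REPORTS,,ROLE_USER"}')
SAMPLE_MINIMAL = '{"name": "jdoe"}'
SAMPLE_NO_NAME = '{"roles": "ROLE_ADMINISTRATOR"}'
```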
Possible Customization
If you require a different response type, or different parsing of the user detail information returned by your user detail information service, you may need to modify or customize the following classes:
You will then need to add your compiled libraries to WEB-INF/lib and inject your new classes into the bean definitions in the applicationContext file.
Comments
Compatibility with v 7.9.1 (and above)
Hi there,
the code available at the GitHub repo is for versions 5.6 and 6.0. Is the 6.0 code compatible with the latest versions of Jaspersoft?
Best regards
Johannes
Keycloak integration
Can you help me with Keycloak integration with Jasper? I am able to secure Jasper with Keycloak but am not able to go beyond that point.
Hi Shreekrishna, this webinar could help with some ideas, have you reviewed it? https://www.youtube.com/watch?v=qb_2_iiwhmw&list=PL5NudtWaQ9l4hfowZRgxQt...
Integration with keycloak
Were you able to crack it? Can I know the steps for the same?
Can you please share the steps you followed till now.
Kaushik
Hi Johannes, the code will definitely need to be updated to work with 7.x and 8.x. Best
Are there any steps planned on the part of TIBCO Jaspersoft?
Hi Kamal,
are there any steps planned on the part of TIBCO Jaspersoft?
SSO using OAuth 2 and OpenID is already almost a standard.
It would be really nice if this could be done out-of-the-box.
Kind regards
Johannes
Hi Johannes,
not that I'm aware of, but this is for our Product Management to confirm (or not).
Happy to get you on a call with them, just send me an email.
Best