How to reset the smartedit OAuth client?

SAP Commerce 2011

When trying to log in with a newly created user, I get an error message saying Bad Credentials.

Works fine with existing users.

Can anyone help with how that smartedit OAuth client should be configured?

Also, if the client secret is updated in the backoffice, is this automatically provided to the front end (login form)?

Accepted Solutions (0)

Answers (1)

mansurarisoy
Contributor

The smartedit extension has the following impex file (essentialdata_smartedit.impex), which is imported during the updatesystem task:

INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope[mode=append];authorizedGrantTypes;accessTokenValiditySeconds;authorities;clientSecret;
;smartedit;hybris;basic,permissionswebservices,previewwebservices;password,client_credentials;3600;;;
;smartedit-admin;hybris;extended,permissionswebservices,previewwebservices;password,client_credentials;3600;ROLE_ADMINGROUP;secret;
;smartedit-cmsmanager;hybris;extended,permissionswebservices,previewwebservices;password,client_credentials;3600;ROLE_BASECMSMANAGERGROUP;secret;

So the clientSecret of the smartedit client is cleared every time you execute update system.

Similarly, the following documentation also has the same impex (with a missing EOL character): https://help.sap.com/viewer/9d346683b0084da2938be8a285c0c27a/latest/en-US/3f675dfd41e642c0b107d0d41e...

When you try to change the secret of the smartedit client from Backoffice, login requests will get a 401 from smartedit. So smartedit expects the OAuth client to have no secret defined.

I think there should be a way to define a secret for the smartedit client, since it can be used to brute-force a customer's credentials via /authorizationserver/oauth/token or to disable a user's account by entering wrong credentials.

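As an added illustration of the point above (not code from the post or from SAP), the following script parses the quoted OAuthClientDetails impex rows and reports every client that the import would leave with an empty clientSecret, which is the configuration audit a practitioner would run before and after update system. The function names and the embedded sample are my own; the sample rows are copied from the answer above.

```python
import re

# Constructed sample: the essentialdata_smartedit.impex rows quoted in the answer above.
SMARTEDIT_IMPEX = """\
INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope[mode=append];authorizedGrantTypes;accessTokenValiditySeconds;authorities;clientSecret;
;smartedit;hybris;basic,permissionswebservices,previewwebservices;password,client_credentials;3600;;;
;smartedit-admin;hybris;extended,permissionswebservices,previewwebservices;password,client_credentials;3600;ROLE_ADMINGROUP;secret;
;smartedit-cmsmanager;hybris;extended,permissionswebservices,previewwebservices;password,client_credentials;3600;ROLE_BASECMSMANAGERGROUP;secret;
"""

HEADER_RE = re.compile(r"^(INSERT_UPDATE|INSERT|UPDATE|REMOVE)\s+(\w+);(.*)$")


def parse_impex_block(text, item_type="OAuthClientDetails"):
    """Return one {column: value} dict per data row under the header that targets
    item_type. Column modifiers such as [unique=true] or [mode=append] are dropped."""
    rows, columns = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = HEADER_RE.match(line)
        if header:
            # A header for another item type ends the block we are interested in.
            if header.group(2) != item_type:
                columns = None
                continue
            columns = [re.sub(r"\[.*?\]", "", c).strip() for c in header.group(3).split(";")]
            columns = [c for c in columns if c]
        elif line.startswith(";") and columns:
            # Data rows start with ';'; zip() drops the trailing empty field.
            rows.append(dict(zip(columns, line[1:].split(";"))))
    return rows


def audit_oauth_clients(text):
    """Flag clients the impex leaves without a clientSecret and note whether they
    also accept the password grant, the combination discussed in the answer."""
    findings = []
    for row in parse_impex_block(text):
        grants = {g.strip() for g in row.get("authorizedGrantTypes", "").split(",")}
        if not row.get("clientSecret", "").strip():
            findings.append({"clientId": row["clientId"],
                             "password_grant": "password" in grants,
                             "authorities": row.get("authorities", "")})
    return findings


if __name__ == "__main__":
    for finding in audit_oauth_clients(SMARTEDIT_IMPEX):
        print(finding)
```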

Thanks for your input.

What you say makes sense.

I re-ran that impex to reset the smartedit client to be as it is OOTB.

However, when I attempt to log in as a newly created user, I am still getting the following error in the console:

{error: "invalid_grant", error_description: "Bad credentials"}

mansurarisoy
Contributor

Can you investigate the payload to see if everything is correct? Is the user able to log in to Backoffice or HAC? And if the issue happens in your local environment as well, you can try to understand what's going on by debugging the following method of CoreAuthenticationProvider:

public Authentication authenticate(Authentication authentication) throws AuthenticationException

Hope this helps,


Meant to follow up with you Mansur since you were kind enough to help.

Incredibly, it was not really an OAuth problem. The user that was created in the Backoffice had been created with mixed-case characters in the email (e.g. John.Doe@acme.com).

Something in the OAuth permissioning did not like this. Eventually, when we changed it to john.doe@acme.com, it worked immediately.

I reported this to SAP, so hopefully they will either prevent this at source (in the Backoffice via validation) or address the OAuth handling.

Thanks again for your help!

mansurarisoy
Contributor

Hi Alan, if case sensitivity is the issue here, please check the collation of your database (or even the collation of the users table). If the collation is case sensitive (generally indicated by CS in the collation code), the flexible queries will be case sensitive too, so the following queries will have different results:

SELECT {pk} FROM {User} WHERE {uid} = 'john.doe@acme.com'
SELECT {pk} FROM {User} WHERE {uid} = 'John.Doe@acme.com'

See the documentation for the suggested collations for SQL Server. They are both case-insensitive: Latin1_General_CI_AS and SQL_Latin1_General_CP1_CI_AS.