SapMachine socket support of OAuth authentication
Hi,
We are developing applications on the SCP Cloud Foundry environment, and consuming the connectivity service.
According to the Help Portal, the authentication to the SOCKS5 proxy uses an OAuth access token, which is not supported by OpenJDK. See the following quote from the documentation (Help Portal link):
You can access the host under onpremise_proxy_host, and the port through onpremise_socks5_proxy_port, obtained from the Connectivity service instance.
Authentication to the SOCKS5 proxy is mandatory. It involves the usage of a JWT (JSON Web token) access token (for more information, see IETF RFC 7519). The JWT can be retrieved through the client_id and client_secret, obtained from the Connectivity service instance. For more information, see Set up the HTTP Proxy for On-Premise Connectivity, section Authorization.
The value of the SOCKS5 protocol authentication method is defined as 0x80 (defined as X'80' in IETF, refer to the official specification SOCKS Protocol Version 5). This value should be sent as part of the authentication method's negotiation request (known as Initial Request in SOCKS5). The server then confirms with a response containing its decimal representation (either 128 or -128, depending on the client implementation).
I am wondering if this authentication can be supported in SapMachine socket implementation?
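The method negotiation described in the quoted documentation, as an added example that is not part of the original post and is not SAP or SapMachine code: it builds the initial request offering method 0x80 and shows why the reply reads as -128 or 128 in Java. The class and method names are hypothetical, the reply bytes are constructed, and the step that carries the JWT is left out because the page does not describe its format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class Socks5MethodNegotiation {               // hypothetical name
    static final int SOCKS_VERSION = 0x05;           // RFC 1928 VER field
    static final int METHOD_JWT = 0x80;              // method value quoted from the documentation
    static final int NO_ACCEPTABLE_METHOD = 0xFF;    // RFC 1928: server rejected all offered methods

    /** Writes the initial request: VER, NMETHODS, METHODS (one method offered). */
    static void sendGreeting(OutputStream out) throws IOException {
        out.write(new byte[] { (byte) SOCKS_VERSION, 1, (byte) METHOD_JWT });
        out.flush();
    }

    /** Reads the two-byte method selection reply and returns the method as 0..255. */
    static int readSelectedMethod(InputStream in) throws IOException {
        byte[] reply = new byte[2];
        new DataInputStream(in).readFully(reply);    // one read() may not return both bytes
        if ((reply[0] & 0xFF) != SOCKS_VERSION) {
            throw new IOException("Unexpected SOCKS version: " + (reply[0] & 0xFF));
        }
        // reply[1] is a signed Java byte: 0x80 compares as -128 unless masked.
        int method = reply[1] & 0xFF;
        if (method == NO_ACCEPTABLE_METHOD) {
            throw new IOException("Proxy accepted none of the offered methods");
        }
        if (method != METHOD_JWT) {
            // Fail closed: never continue with a method the client did not offer.
            throw new IOException("Proxy selected unoffered method " + method);
        }
        return method;
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        sendGreeting(wire);
        byte[] sent = wire.toByteArray();
        System.out.printf("greeting: %02x %02x %02x%n", sent[0], sent[1], sent[2]);

        byte[] constructedReply = { 0x05, (byte) 0x80 };   // constructed sample server reply
        System.out.println("raw signed byte: " + constructedReply[1]);
        int method = readSelectedMethod(new ByteArrayInputStream(constructedReply));
        System.out.println("masked method:   " + method);
    }
}
```

The same two functions work unchanged on the input and output streams of a `java.net.Socket` connected to the proxy host and port.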
Hi @peterjtan,
I guess, you're correct. SOCKS is not supported by plain OpenJDK. As per the documentation you've cited, I guess the common solution is to use the Apache HTTP client. Is there a specific reason for you why you can't/don't want to use this?
As for supporting SOCKS in OpenJDK, I believe that's not a small fix but rather a significant project where a certain amount of development resources would have to be spent. And, eventually, it will need to be supported. So in case you're really requesting this, we'd need to have a thorough business case to consider it.
Hence, could you give us some more (background) information about your need?
Thanks & Best regards, Christoph
Hi @RealCLanger,
Thanks for getting back to me. I would like to use the HTTP protocol and HTTP clients as much as I can. However, some libraries use a proprietary protocol for communication with their servers, for example, Perforce.
From my understanding, the Perforce Java library uses their proprietary RFC protocol to communicate with the Perforce server, and they don't support connectivity over HTTP at the moment. We have an application that connects to the Perforce server, listens for new changes submitted, and does some post-processing for reporting purposes.
If the OAuth authentication is not implemented in the JVM, I can imagine that this piece of logic would be duplicated in many applications which actually need TCP communication if HTTP is not suitable in the process. Also, for migrating from the Neo environment to the Cloud Foundry/k8s environment, it would be almost infeasible since existing functionalities will be harder to port over.
Thanks and best regards, Peter
I'm closing this ticket as it didn't have activity in 2 years. Not sure how relevant this is still.