How to set exposed REST API authentication in ODC

Hi,

I'm struggling with the setup of authentication for my exposed REST API in ODC.
I'm not an expert in this area, but from what I understand from discussions here, the Basic type of authentication (with user login and password) doesn't work in ODC. So I tried to follow the way with the OpenID Connect (OIDC) protocol for authorization and authentication, which is based on the OAuth 2.0 framework described in the documentation here - https://success.outsystems.com/documentation/outsystems_developer_cloud/outsystems_language_and_elements/outsystems_apis/odc_rest_apis/api_authentication_and_authorization/

I've set up an API client

with access to the DEV env


Through the command I received the token_endpoint parameter


But if I try to get an access token

the response is


Do you have any idea what I'm doing wrong?
Or do you have any example that you have tested and that I could use as a template?

(Or any other way how to ensure exposed REST API access security?)


Thanks


Libor

2022-12-12 12-54-26
Emmanuel Dominguez

I have the same problem and I have not been able to solve it yet

2021-11-12 04-59-31
Manikandan Sambasivam

Hi,

Have you checked the solution proposed in the link below?

https://www.outsystems.com/forums/discussion/92103/basic-authorisation-on-exposed-rest-api-for-odc/

2019-01-07 16-04-16
Siya
 
MVP

@Libor Sitko : There is indeed Basic Authentication available for REST endpoints in ODC. My ODC Studio is Version 1.5.7 / Build 7761 and this is how it looks at my end. Do check if you have different properties for exposed APIs in Studio.

My understanding is that API Clients are for consuming ODC REST APIs (https://success.outsystems.com/documentation/outsystems_developer_cloud/outsystems_language_and_elements/outsystems_apis/odc_rest_apis/), which are different from APIs that you build in your application. As per this article: "The OutSystems Developer Cloud (ODC) REST APIs allow you to create scripts, automation, and applications that leverage the resources of your ODC tenant, such as Users, Groups, App Roles, etc. You can use these APIs to automate and extend the built-in functionality provided with ODC." Please correct me if I am mistaken.

2022-12-12 12-54-26
Emmanuel Dominguez

When we try to interact with the User API of the ODC platform, we must use the OAuth 2.0 authentication method. To do this, we first need to make a request to the token endpoint to obtain an access token, which will then be used in API requests.

The issue arises precisely at this stage of obtaining the token, where we are encountering an error. We are following the official documentation exactly, but we are still facing this issue.

We would appreciate any guidance or assistance on this problem.

Reference: 
Official documentation on ODC authentication 

2019-01-07 16-04-16
Siya
 
MVP

Yes. For ODC REST APIs (e.g., User API), OAuth 2.0 is required. However, @Libor Sitko mentioned 'my exposed REST API in ODC,' which I assumed was an API he developed in his application. Hence, I shared my previous comment.

For ODC REST APIs I followed the exact steps and it works; here is what I have done.

Setup the Client

Accessed the Discovery Document at https://headfitted.outsystems.dev/identity/.well-known/openid-configuration and extracted the token_endpoint

Obtain the Access Token

Finally invoke the List users API

If these steps are followed correctly and the issue persists, I suggest raising a ticket with OutSystems in parallel while someone familiar with the issue can provide assistance.
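The three steps listed above (discovery document, token endpoint, bearer call to the API), written out as an added Python example; this is not OutSystems' code and not the commands from the post. The HTTP transport is injected so the same functions can be run against a live tenant with `urllib_transport` or exercised offline against the constructed `FakeTenant`. The tenant host, client id and secret, the `/identity/connect/token` and `/api/users` paths and every response body are constructed placeholders, and the `client_auth` switch (secret in the form body versus an `Authorization: Basic` header) is included because an authorization server may accept only one of the two client authentication methods.

```python
"""OAuth 2.0 client-credentials exchange from the post above: discovery document ->
token_endpoint -> access token -> bearer call to the API. The HTTP transport is
injected, so the same functions run against a live tenant (urllib_transport) or
against the in-memory FakeTenant below for an offline dry run. Every host,
credential, URL path and response body here is a constructed placeholder."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes (method, url, headers, body) and returns (status, body_bytes).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Live transport (assumes plain urllib, no proxy); error bodies are returned, not raised,
    so the caller can read the server's error code and description."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def discover_token_endpoint(tenant_base: str, transport: Transport) -> str:
    """Step 1: GET /identity/.well-known/openid-configuration and read token_endpoint."""
    url = tenant_base.rstrip("/") + "/identity/.well-known/openid-configuration"
    status, body = transport("GET", url, {"Accept": "application/json"}, b"")
    if status != 200:
        raise RuntimeError(f"discovery failed: HTTP {status}")
    return json.loads(body)["token_endpoint"]


def get_access_token(token_endpoint: str, client_id: str, client_secret: str,
                     transport: Transport, client_auth: str = "post") -> str:
    """Step 2: client_credentials grant (RFC 6749 section 4.4). The body is form-encoded,
    not JSON. client_auth picks how the client proves itself: 'post' puts the secret in
    the form, 'basic' in an Authorization: Basic header; a server may accept only one."""
    fields = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if client_auth == "basic":
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    else:
        fields.update({"client_id": client_id, "client_secret": client_secret})
    status, body = transport("POST", token_endpoint, headers, urllib.parse.urlencode(fields).encode())
    payload = json.loads(body or b"{}")
    if status != 200 or "access_token" not in payload:
        # The error/error_description fields say *why* the request was rejected; surface them.
        raise RuntimeError(f"token request failed: HTTP {status} "
                           f"{payload.get('error')}: {payload.get('error_description')}")
    return payload["access_token"]


def call_api(url: str, access_token: str, transport: Transport) -> dict:
    """Step 3: present the token as a Bearer credential (RFC 6750) on the API call."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    status, body = transport("GET", url, headers, b"")
    if status != 200:
        raise RuntimeError(f"API call failed: HTTP {status} {body[:200]!r}")
    return json.loads(body)


def run_flow(tenant_base: str, api_url: str, client_id: str, client_secret: str,
             transport: Transport, client_auth: str = "post") -> dict:
    """All three steps in order; returns the endpoint, the token and the API response."""
    token_endpoint = discover_token_endpoint(tenant_base, transport)
    token = get_access_token(token_endpoint, client_id, client_secret, transport, client_auth)
    return {"token_endpoint": token_endpoint, "access_token": token,
            "api": call_api(api_url, token, transport)}


class FakeTenant:
    """Constructed stand-in for a tenant, offline use only: accepts one client id/secret
    pair sent in the form body (client_secret_post) and issues a fixed token."""
    def __init__(self, base: str, client_id: str, client_secret: str):
        self.base, self.client_id, self.client_secret = base.rstrip("/"), client_id, client_secret
        self.token, self.calls = "constructed-access-token", []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url == self.base + "/identity/.well-known/openid-configuration":
            return 200, json.dumps({"issuer": self.base + "/identity",
                                    "token_endpoint": self.base + "/identity/connect/token"}).encode()
        if url == self.base + "/identity/connect/token":
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if (form.get("grant_type"), form.get("client_id"), form.get("client_secret")) != \
                    ("client_credentials", self.client_id, self.client_secret):
                return 400, json.dumps({"error": "invalid_client",
                                        "error_description": "client authentication failed"}).encode()
            return 200, json.dumps({"access_token": self.token, "token_type": "Bearer",
                                    "expires_in": 3600}).encode()
        if url == self.base + "/api/users" and headers.get("Authorization") == f"Bearer {self.token}":
            return 200, json.dumps({"users": [{"username": "alice@example.invalid"}]}).encode()
        return 401, b'{"error":"unauthorized"}'
```

For a live run, call `run_flow("https://<tenant>.outsystems.dev", "<users API URL>", client_id, client_secret, urllib_transport)`; if the token step fails, the raised message carries the server's own `error` and `error_description`, which is what to compare against the documentation (wrong grant type, wrong client authentication method, or a client without access to the environment all show up differently there).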

2023-02-07 12-35-03
Libor Sitko

Hi guys,
first of all - thanks for your replies. 
Maybe it would be useful to mention my use case - I have prepared an exposed REST API in an ODC app, which works without problem if Authentication is set to None. The main purpose of the API is to get data from a third-party system (DWH), which means I have exposed POST and PUT methods. And of course I need to somehow secure this API (somehow in ODC directly), for security reasons.
Options I found:
- Basic authentication - through user login and password. Doesn't work currently because there is no way to check whether the credentials sent in the request are valid (the User_login action isn't available as a server action in the current version of ODC - I checked it in ODC Studio and it's also mentioned here https://www.outsystems.com/forums/discussion/92103/basic-authorisation-on-exposed-rest-api-for-odc/ )
- Custom authentication - I expected that for a REST API the correct method is to use an API client for it. I'm not able to test it, because I'm not able to get an access token. But some of you mentioned that this way is not correct. It's not clear whether the API client is for exposed APIs or only for consuming ODC REST APIs, but from what I understand from the picture taken here, it is prepared for exposed APIs in ODC: https://success.outsystems.com/documentation/outsystems_developer_cloud/outsystems_language_and_elements/outsystems_apis/odc_rest_apis/api_authentication_and_authorization/using_oauth_2_0_to_access_the_apis/

(I'm failing on step 6 - @Siya thanks for the example, I checked it against my commands and it looks like they are correct, so I will raise a ticket directly with OS for help.) The truth is I'm not sure how to implement the OnAuthentication action with a token (as a next step - but I haven't focused on it so far).
- Use a secret - I'm thinking about it as a workaround solution (https://success.outsystems.com/documentation/outsystems_developer_cloud/security_of_outsystems_developer_cloud/set_as_secret/). Do you have experience with it?

2019-01-07 16-04-16
Siya
 
MVP

I could not find an article / discussion which explicitly talks about using the ODC Portal generated Client ID + Secret for consuming the APIs developed in the application. There is an article by @Stefan Weber @ https://without.systems/odc-with-bots-for-teams-messaging-endpoint-authorization on how authentication is done using Custom Authentication. btw you may implement JWT by using components from Forge like https://www.outsystems.com/forge/component-documentation/17841/jwtgenerator-odc/0 or using a secret. The issue with a secret is that if you lose the secret you are at risk. Or you may use JWT_CreateToken and JWT_ReadToken from Security Lib to build a custom solution.

2021-10-09 07-57-44
Stefan Weber
 
MVP

For a tutorial on how to protect an exposed REST API you may find my tutorial useful: https://itnext.io/protect-outsystems-rest-apis-using-openid-connect-87a2ac7575c1. Although it is written for O11 the principles are the same, but in ODC you cannot log in a user as described in the article, though in most cases this is not necessary.
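The check that the exposed API's OnAuthentication step has to perform on an incoming bearer token, as an added example in Python. It is not the platform's code, not the Forge JWT component, not Security Lib and not the tutorial's code; it spells out the JWT-with-a-secret approach from Siya's reply and the bearer-token principles from the tutorial above so each decision is visible. Assumptions: tokens are HS256 JWTs signed with a shared secret that the API keeps in a setting marked as secret (the "Use a secret" option), the caller is the DWH job, and the secret, issuer, audience and subject values are constructed. In ODC the same decisions would be made inside the OnAuthentication action, with JWT_ReadToken doing the signature and claim work.

```python
"""Bearer-token check an exposed REST API would run in its OnAuthentication step, written
out so each decision is visible. Tokens are HS256 JWTs signed with a shared secret held in a
setting marked as secret (the 'Use a secret' option), so the secret itself never travels in
a request. The secret, issuer, audience and subject values below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(secret: bytes, issuer: str, audience: str, subject: str,
                 ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT: what the caller (here, the DWH job) presents."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None, leeway: int = 30) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError with the reason.
    The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        raise ValueError("malformed header")
    # Pin the algorithm on the verifying side; the token must not get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, so response timing does not depend on how much matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise ValueError("not yet valid")
    return claims


def on_authentication(authorization_header: Optional[str], secret: bytes, issuer: str,
                      audience: str, now: Optional[int] = None) -> dict:
    """What the API's authentication hook does with the raw Authorization header. Returns
    {'ok': True, 'subject': ...} or {'ok': False, 'reason': ...}; the reason is for the
    server log, the caller should only see a generic 401."""
    if not authorization_header:
        return {"ok": False, "reason": "missing Authorization header"}
    scheme, _, credential = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        return {"ok": False, "reason": "expected Bearer credential"}
    try:
        claims = verify_token(credential.strip(), secret, issuer, audience, now)
    except ValueError as err:
        return {"ok": False, "reason": str(err)}
    return {"ok": True, "subject": claims.get("sub")}


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # in ODC: a setting marked as secret
    tok = create_token(SECRET, "dwh-loader", "odc-ingest-api", "dwh-job")
    print(on_authentication("Bearer " + tok, SECRET, "dwh-loader", "odc-ingest-api"))
    print(on_authentication("Bearer " + tok, b"wrong-secret", "dwh-loader", "odc-ingest-api"))
```

Two design points carry over regardless of how the check is built in ODC: the verifier fixes the algorithm itself rather than reading it from the token header, and it checks the signature before looking at any claim, so an expired-but-unsigned token is rejected for the right reason. Short `exp` lifetimes limit the damage if a token is captured, which is the concern raised above about losing a shared secret: a leaked secret still has to be rotated, but a leaked token ages out on its own.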
