Hi Community,
I have set up my ODC APIs in DEV, and all is working fine. High-level steps as per documentations as follows,
As the URL are different, i had parameterized the URL as follows. To get the {URL}, in my logic, i had added a regex-search to extract it.
The thing is that, this works well in DEV. However, when we move the application to PROD, the PostToken returns "OS-BERT-00000 - Error executing PostToken 401 Unauthorized"
My settings and API base URL in ODC portal has all been updated to reflect that of PROD. If this part is wrong, i wouldn't even be able to retrieve the Discovery portion as per this screen-shot. This is from PROD
I am wondering, if there are errors or something wrong with how i called or pass in the parameters, it should surface in DEV. However, everything works fine there.
I am also thinking, if there are some settings which i didn't changed in ODC portal for PROD environment, it should already have an error when calling the discovery document.
Do you think there is something else missing, or the error is coming from somewhere else?
Any suggestions, inputs will be very much appreciated, thank you!
"Which for me, it means that, for User & access management API, there is no different in the end-point" - Absolutely. For ODC REST API the endpoint remains the same irrespective of stages ( Dev / UAT / Production ).
However for application specific REST API's you can set effective URL for each stage.
@Jun Mun Chan : Looks like there is a confusion. Unlike OS 11 , in ODC there is no separate portal to manage users but from ODC Portal.
You can see that in all the documentation wrt to ODC REST APIs, URLs are like https://ODC_PORTAL_DOMAIN/api/identity.. and is not specific to dev or production stages. i.e there is only one token_endpoint.
btw may I know how did you get this one " In PROD - https://example.domain.app/auth/realms/21z11111-d32z-xxxxxxxx-XXXXXXXXXXXX/protocol/openid-connect/token" ?
Also its worthwhile to look at the architecture of ODC @ https://success.outsystems.com/documentation/outsystems_developer_cloud/managing_outsystems_platform_and_apps/cloud_native_architecture_of_outsystems_developer_cloud/
Ho @Siya,
Thank you for your reply.
In O11, we are able to configure our effective URL for APIs in service centre. I believe this is something most people will have to change manually when Applications are being deployed to the next ENV. Reasons is that, the URL for different URL will be different, as per this documentation.
So coming back to ODC (Or even in O11 as it's the same concept), the 'ODC_PORTAL_DOMAIN' will be something like this in different ENV,
As such, the end-point is different for each ENV, as the number of users, applications etc are different. If we didn't change it, so even if the application is in PROD, as the URL is still calling https://mycompany-dev.com/xxxxx, so you can see that this will be wrong.
In ODC portal, we can choose to give user access to only applications in DEV, and not in PROD. In their specs, i couldn't find any reference to indicate that users only have access to specific ENV, unless ODC intention is for us to literally filter via the 'embedded' response, where this is the only place which i can find, at least we are able to link the user to the different ENV. And i think it will be extremely weird and strange if this is really the way to do it.
I got the PROD url, by simply changing the URL and performing a GET request based on the steps in this documentation.
Thou at the back of my mind (just like my other questions here in the forum), am i the only one facing this issue? If so, it will probably mean I am the one who is doing something wrong here. As nobody had encounter this issue before, as such, no one had asked in the forum.
And i do really hope i am the one who is doing something wrong, as this will really be so much more easier to solve.
Thank you.
@Jun Mun Chan :
Thank you for your response. Let me explain the concepts using the ODC environment I have.
ODC_PORTAL_DOMAIN: headfitted.outsystems.dev
Application Name: TestApplication
App in Development: https://headfitted-dev.outsystems.app/TestApplication
App in Production: https://headfitted.outsystems.app/TestApplication
Application Specific Exposed API : DemoAPI/GetEmployees / ( DEV : https://headfitted-dev.outsystems.app/TestApplication/rest/DemoAPI/GetEmployees , PROD : https://headfitted.outsystems.app/TestApplication/rest/DemoAPI/GetEmployees )
(Please note that the domain names are different for the ODC Portal and the deployed applications — i.e., outsystems.dev vs outsystems.app.)
There are two types of APIs:
ODC REST APIs – These include user & access management APIs and portfolio management APIs.
Application-specific REST APIs
To use the ODC REST APIs, you must create an API Client in the ODC Portal and follow the steps outlined in the documentation. These APIs are accessed using the ODC_PORTAL_DOMAIN : eg:
https://headfitted.outsystems.dev/auth/realms/356f454c-xxxx-xxxf-afba-9000337yyyyda/protocol/openid-connect/token/
For Application-specific REST APIs, the authentication types are:
Exposed APIs: None, Basic, and Custom Authentication
Consumed APIs: No Authentication and Basic Authentication
You can set the effective URL in:
ODC Portal -> App -> TestApplication -> Select Development / Production -> Consumed REST API -> Select the REST API -> Set Effective URL
Hope this helps.
Hi @Siya ,
Appreciate your response, thank you!
Due to my current company situation, I happen to have the luxury of literally deploying my application to PROD for testing. Details-wise, on why i can do this, i prefer not to share.
Want to clarify on this,
Quote
'https://headfitted.outsystems.dev/auth/realms/356f454c-xxxx-xxxf-afba-9000337yyyyda/protocol/openid-connect/token/'
So does this means, irregardless of which ENV, the base URL is still be 'https://headfitted.outsystems.dev/auth/xxxxxx'
Which for me, it means that, for User & access management API, there is no different in the end-point. And i had already set the effective URL in ODC portal for both DEV and PROD to reflect whether it is .dev or .app etc
Because i really have no confidence that i am getting the correct data, as in PROD, i can't get the access token, so i couldn't trouble-shoot my data at all.
And thank you for you reply once again.
I don't understand why this is the answer to the original question. I am running into the same error, I am trying to get a token to use for the ODC REST api, but I am getting a 401.
When I call the same url with the same client_id / client_secret in Postman I do get a token, but when I want to to this in ODC it doesn't work.
OS-BERT-00000 - Error executing PostToken 401 Unauthorized
The Request Format is "Form URL encoded", I have 3 input parameters in the body: grant_type, client_id, client_secret. The method is POST. What am I doing wrong?
When you input the client_secret in ODC, did you literally encodeUrl the secret key? You can convert them using links like the one below,
https://www.urlencoder.org/
I finally got it to work. Things I learned while trying to implement this were:
- I need to call EncodeURL around the "client_secret" value
- The environmentKey you need for the API calls was hard to find, but if you open an app in ODC Portal and check the settings, the stageid for development is in the URL in the browser. For the other values I opened the "Deployments" page and searched for a data action called GetEnvironmentsList (in the developer console in Chrome). This is the source for the dropdown at the top right of the screen and it lists all your stages.
- Try to make the calls in Postman first, if that succeeds move on to ODC. Postman is giving you much more information about what's wrong with your calls.
- Use LogMessage to dump out the complete request in the OnBeforeRequest, because the ODC logs are not helping at all.
Open questions:
I have not deployed to Test yet, but the token for test needs to be retrieved from a different URL, while the call to the actual API is the same across stages, correct?
The ODC_PORTAL_DOMAIN could be a so-called "server variable" according to the documentation, but I have no idea what that is, so I am using a Setting. Who can tell me where to find Server Variables?
No, the access token requesting URL is same for all stages. I created an App and deployed it to Test Environment and it works. Don't need to change your API endpoint.
Yes, the token, end point are the same
If you were to check the input parameters for most of the API methods, you can see there is an environment key
What I am currently doing,
in DEV, i called the PortfolioAPI to retrieve all the environment keys. Thereafter, i will pass them in programmatically, according to which stages the user is in (DEV, PROD etc). So this will mean, the portfolio API, doesn't have to be deployed to PROD...saving you 1 AO
If you had changed your domain, ie. implemented a custom domain name in your ODC portal, the endpoint, should still be the same as your default domain
Example,
Default domain: www.example.com
Custom domain: www.beautiful.com
You should still be using www.example.com as your end point
Hope this helps