REST Basic Authentication

Hi,

The REST web service I am testing uses "Basic Authentication" for users.
So, I need to change it not via Service Center but via the code, depending on the user who is logged in...

I did not find any examples of how to do that.
Is it possible?
Hi Statler,

Yes, it is possible, but you will have to remove the basic authentication settings from the service and build the "Authorization" header on your own.

Just send the following HTTP header in every request:
  • Name: "Authorization"
  • Value: "Basic " + Base64Encode(username + ":" + password)
You can find more information about HTTP Basic Authentication here.

Storing end-user credentials for external systems in your application is generally not a good practice. Sending end-user credentials over Basic Authentication is also bad, because the protocol is completely in the clear (unless it is used over an HTTPS connection).

For the use case you are describing, REST services offer token-based authentication mechanisms, such as OAuth, which solve both of the above issues.

In this type of authentication, users are redirected to the external service's site, where they put in their credentials and authorize the application to access their data. Once they do that, the site redirects the user back to your application with an access token. This access token is what your application needs to make the calls on behalf of the user. This token is safe to store, it will expire after a certain period of time, and even if it gets compromised "hackers" can't recover the user's credentials from it, and end users can revoke it in the external system at any time.

You can see this type of authentication mechanism in all major SaaS and cloud services: Google, Twitter, Facebook, Salesforce.com, etc.

What REST service are you integrating with?

Thanks!
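The header construction described in the reply above, as an added example that is not part of the original post and not OutSystems code. It is plain Python with a constructed username and password; alongside the client-side builder it includes the server-side parse and constant-time check that the reply does not show, and decoding the header back illustrates the point about the credentials travelling in the clear: Base64 is an encoding, not encryption.

```python
"""Added example (not from the OutSystems thread): build and parse an HTTP
Basic "Authorization" header as specified in RFC 7617, and show why the
credentials must only travel over TLS (Base64 is reversible by anyone)."""
import base64
import binascii
import hmac
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Client side: return "Basic " + base64(username + ":" + password).

    RFC 7617 forbids a colon in the user-id, because the first colon is the
    field separator; the password may contain colons. Encoded as UTF-8.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from a header value.

    Returns None for anything that is not a well-formed Basic credential so
    the caller can answer 401 without raising on attacker-controlled input.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only, so a password containing ':' survives.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(value: str, expected_user: str, expected_password: str) -> bool:
    """Validate a presented header against the expected credentials in
    constant time. A real service compares against a password hash, never a
    stored plaintext password; the plaintext here is only for the demo."""
    parsed = parse_basic_header(value)
    if parsed is None:
        return False
    user, password = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample credentials; the password deliberately contains a colon.
    header = build_basic_header("statler", "s3cr:et")
    print(header)                        # Basic c3RhdGxlcjpzM2NyOmV0
    # Anyone who sees this header on a non-TLS hop recovers the password as-is:
    print(parse_basic_header(header))    # ('statler', 's3cr:et')
    print(check_credentials(header, "statler", "s3cr:et"))  # True
    print(parse_basic_header("Bearer abc"))  # None: a bearer token is not Basic
```

Note that `parse_basic_header` never raises on malformed input and splits on the first colon only, which are the two places ad-hoc server-side parsers usually go wrong; the constant-time comparison is there because the presented values are attacker-controlled.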
Hi,

Sorry for the late reply.
I am integrating with Rally, which means I need to get a security token based on the "first" credentials.
That could be anyone. So, one time I need to do a basic auth with the username/password of the person behind the application, then I can continue to work with the key.

Hi Statler,
In OAuth, the "first" credentials are the "user and password" that identify your application, *not a person*. They are usually named the API key and the API secret. You can get these when registering your application in the external user system, as I described in the technical training session video.

This means that these credentials are fixed for everyone that uses your application, so you don't have to change them for each person in runtime.

Can you look it up in the Rally documentation? They should explain that process clearly.

Thanks!
"Clearly" is not the word I associate with Rally.

Sadly, AFAIK all the GET actions are just using basic auth.
For create/update actions there is normal OAuth, but it is still very basic.

Can you put here some links to the documentation of APIs you want to use, so that we can help you?

Would it not be a better option to implement federated identity management?

Does OutSystems support federated authentication (SSO) with cross-domain applications? How can we do it? (Kerberos & SPNEGO)
Hi Leo,

The concept of federated identity management is nice, but since there are way too many implementations of it there is no way to do something like that out of the box.
Also, almost all REST services are moving to a more SaaS approach, implementing either Basic or OAuth authentication instead of complex authentication schemes that end up being customized by everyone.

So the answer to your question is that there is no support for it out of the box.

But, if you are able to do it in a .NET/Java custom application, then you can do it here as well using the OnBeforeRequestAdvanced callback. It allows you, in an extension, to access the request object that will be used in the REST call and add to it the necessary authentication mechanisms that you would in another technology.

I have seen at least 2 successful integrations with Kerberos + Windows authentication on a .NET stack that were done just by copying an example found on the web.

Regards,
João Rosado
Thanks for the reply!

I agree with you that this may not be generic for all implementations. However, I see that OutSystems does not use the capabilities of the app server (maybe to be application-server independent), so this has to be coded from scratch (though we pay for the application server). In a low-code platform, coding the authentication module sounds like a little more work, but it should be achievable.

Another thing that bothers me is that the integrated login is supported only on the .NET stack and not on Java. Is there a specific reason why OutSystems hasn't provided this feature out of the box?

Can you also outline the solution that was based on Kerberos + Windows (was it on the Java stack?)
Hi Leo,

Like I said, they were on a .NET stack, but it should be similar.

In Java, the HTTP library used is the Apache HTTP Client (currently version 4.5.1).
A quick Google search on the subject led me to this page, which talks explicitly about "4.8. SPNEGO/Kerberos Authentication" and points to a sample.

See our help here on how to get the "HttpClient" object that will be used in the REST call, allowing you to just write a little extension to set up the credentials part and let the platform do the rest.

Regards,
João Rosado