How to get the UserId when using REST

When we use REST in OutSystems 10+, we cannot get the session, so how do we get the logged-in UserId?

Hi Tong,

Please elaborate on what you need, with some images, so that we can understand what you need.

ManiKandan K  

Solution

Hi Tong,

You can only use getusers when there is a user logged in, which is not the case in a REST call. That will only work if you get the credentials as input and log in the user inside the REST method. If you decide to go down that path, remember you should use encryption.

Regards,

Marcelo

Solution

Hi Tong,

The REST service doesn't know you're logged in - the REST service could run on any server anywhere in the world, so your "local" login might not mean anything. Like Marcelo wrote, the best course of action is to pass either the user credentials or some token (like OAuth uses) that uniquely identifies the user.

The GetUserId() function also won't work on timers and BPT. They also don't know you are logged in.

They don't, but that's functionally a different situation, since they are triggered by the system itself. In the case of REST however, a logged-in user could initiate the call, just like a Server Action call, but the REST method doesn't know who called it. From a user/developer point of view, this might seem odd (though when you know how REST works, it shouldn't).

Marcelo Ferreira wrote:

Hi Tong,

You can only use getusers when there is a user logged in, which is not the case in a REST call. That will only work if you get the credentials as input and log in the user inside the REST method. If you decide to go down that path, remember you should use encryption.

Regards,

Marcelo

Or could we try to deal with request cookie params like 'user_id'? Or something else...


Hi Tong,

Passing a user ID is a very bad idea security-wise, since they're typically sequential within a certain range, so it would be trivial to spoof another user. Like I said, you either pass a username/password with every call, or retrieve a token after a login call, and pass that token with every API call.

Hi Tong,

If you want to have session info and need to use getuserid(), there must have been a login.

See https://success.outsystems.com/Documentation/10/Extensibility_and_Integration/REST/Expose_REST_APIs 

There are 2 simple ways to implement this: basic authentication or custom authentication.

In custom authentication a custom way of login can be implemented. 

Both solutions use an HTTP header of type 'Authorization'.
In case of Basic authentication the header is: 'Authorization: Basic <encrypted user/password>'.
In case of token authentication where a bearer token is used the header is: 'Authorization: Bearer <authentication_token>'.

Only one (1) Authorization header is allowed in an API call. A combination of basic authentication and bearer authentication is not possible.

If basic authentication is used, OutSystems extracts the username/password from the header, and a system login is done in the generated action. This can be changed if needed.

Depending on the way the token is encrypted, the user information can be decrypted/extracted out of the token; examples can be found in the Forge (JWT, OAuth, etc.) and on the internet.
If a login of the user is needed, the action 'LOGIN' in the USER-espace can be used to log in without the usage of a password.

After logging into the system, a session is active and the user exists.

Kind regards,
Eric
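
An added example, not part of the thread and not OutSystems-generated logic: a plain-Python sketch of the server-side check the replies describe, accepting exactly one Authorization header and resolving the caller from either Basic credentials or a signed bearer token instead of a client-supplied user id. The HMAC token layout, `SECRET`, and the `check_password` callback are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id, ttl=300, now=None):
    """Returned by a login call: user id and expiry bound together by an HMAC."""
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{int(user_id)}.{exp}"
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the user id if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_id, exp, sig = parts
    # Constant-time comparison; a guessed or edited user id fails here.
    if not hmac.compare_digest(sig.encode(), _sign(f"{user_id}.{exp}").encode()):
        return None
    if int(exp) < (time.time() if now is None else now):
        return None
    return int(user_id)

def identify_caller(headers, check_password):
    """headers: list of (name, value) pairs. check_password(user, pwd) is a
    hypothetical callback returning a user id or None."""
    auth = [v for k, v in headers if k.lower() == "authorization"]
    if len(auth) != 1:  # missing, or Basic and Bearer sent together
        return None
    scheme, _, value = auth[0].partition(" ")
    if scheme.lower() == "bearer":
        return verify_token(value.strip())
    if scheme.lower() == "basic":
        try:  # Basic credentials are only Base64-encoded, so TLS is required
            raw = base64.b64decode(value.strip(), validate=True).decode()
        except ValueError:
            return None
        user, _, pwd = raw.partition(":")
        return check_password(user, pwd)
    return None
```

A request that carries only a `user_id` cookie or parameter resolves to no user at all, which is the behaviour the spoofing concern above calls for.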