SOAP versus REST Integrated Authentication

Hello,

When exposing a SOAP webservice you can simply set Integrated Authentication to yes. If someone consumes the SOAP webservice without authenticating themselves, IIS gives an exception:

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/10.0

And you can get the username with the system action IntegratedSecurityGetDetails. (When you set Integrated Authentication to no, this action does not return the username.)

So far so good, this fits with my use case.

However, I was wondering if a similar approach is possible for REST.

In the Integrated Authentication documentation page I found this:

Tip: If you need to support Integration Windows Authentication in an exposed REST API you can do it by implementing your own custom logic.


Below are a couple of things I investigated.


  • When you look at the callback diagram it seems that the custom logic can only be built using the headers. I think that the SOAP integrated Authentication does not work like this because when the exposing service does not request Integrated Authentication (it is set to no), the UserName is not sent in the request.
  • When looking at the REST Extensibility API I do not see any classes that I could use.

Hi Erik,

There is a component on Forge that can help doing integrated authentication with REST: https://www.outsystems.com/forge/component-overview/642/rest-integrated-authentication

And here some info about how to use it: https://www.outsystems.com/forums/discussion/32407/how-do-you-use-this/

Cheers.

Hello Eduardo,

Thanks for your answer. I know this Forge component; unfortunately that component is for consuming a REST service. My case is exposing a REST service.

Erik

Oh, sorry.

The way to implement integrated authentication (according to the documentation) is through the CUSTOM authentication:

https://success.outsystems.com/Documentation/11/Extensibility_and_Integration/REST/Expose_REST_APIs/Add_Custom_Authentication_to_an_Exposed_REST_API

I never did that, so I am not able to guide you on how to execute the authentication in that action, besides the fact that you have the three actions mentioned in the documentation (from the HTTPRequestHandler) that you can use to fetch information from the URL, Body or Header of the request.

Cheers.

Ok, I found this article from João: https://medium.com/productleague/security-in-rest-apis-f504c9b41e1d

Maybe you can find some guidance there...

Hello Eduardo,

Thanks for your posts, the article on Medium is very interesting. However, I have reached the conclusion that the specific case I was aiming for is not possible. All REST expose authentication examples work with tokens or username/password. Integrated authentication as implemented for SOAP seems not to be possible. The logged-in Windows username is simply not passed to the REST API. I do not see how implementing custom logic in callbacks will not change that. So I think I will just implement my logic in SOAP.

Erik Brzozowski wrote:

Hello Eduardo,

Thanks for your posts, the article on Medium is very interesting. However, I have reached the conclusion that the specific case I was aiming for is not possible. All REST expose authentication examples work with tokens or username/password. Integrated authentication as implemented for SOAP seems not to be possible. The logged-in Windows username is simply not passed to the REST API. I do not see how implementing custom logic in callbacks will not change that. So I think I will just implement my logic in SOAP.

Hi Erik, 

I'll ask around to see if anyone has already implemented something similar in OutSystems and knows how to do it.

If there is a component on Forge to help consume a REST API that requires Windows authentication, then it should be possible. In the end, by 'integrated' we are just saying the credentials are passed to the exposing service, right?

Cheers 


What I recommend is to study how the Forge component sends the Windows authentication information to the exposing REST service, so as to understand where you need to look for it...

Yes, by integrated I mean that the credentials are sent to the exposing service. For SOAP you have the option in Service Studio:

When you set this to yes, and you do not provide your credentials in the request, IIS will throw an exception before your debugger will start. I was hoping to create something like this for REST. Talking to some .NET developers, we think this cannot be done in the callbacks.

Because we think this should be handled in step 1. I also think that the Forge component is a good place to start. I tried that, and the Forge component uses the OutSystems.RuntimePublic.REST API. However, this is changing some things in the response or request message. I was not able to figure out how this should be changed to fit my case. But again, thanks for your input.

Can I ask what the use case is?

That is, why are you wanting to use Integrated Authentication in an exposed REST API? 

I ask because one of the main reasons for using REST over other means of exposing functionality is to obtain broader cross-platform capability, and using Windows integrated auth limits the platform and architecture pretty dramatically.

How are these REST APIs going to be called? And from what client?

@Andrew. Good question. It is not a public API, obviously. It is part of a large application landscape and authentication and authorization are mandatory. I already implemented the solution in SOAP. I was just wondering if the same is also possible with REST. I was triggered by the OutSystems documentation:


Tip: If you need to support Integration Windows Authentication in an exposed REST API you can do it by implementing your own custom logic.


So I assumed it should be possible and was curious how this should be implemented. And I also wanted to increase my understanding of Integrated Windows Authentication.

Checking internally...will let you know what I find out.

Hi Erik,

The REST Integrated Authentication includes a demo module which exposes a REST service with integrated auth (IA_REST_Server). It seems it just uses IntegratedSecurityGetDetails() System Action during the authentication flow. Hope it helps you.


Cheers,

Pedro Guimarães

Hello Pedro, 

Thanks for your answer. I looked at the demo and tried it, but IntegratedSecurityGetDetails() does not give any information when I use it in REST.

I think this is because the first call is always anonymous (see NTLM example below). In OutSystems SOAP using integrated authentication, in the debugger you only see message 5, that is a message that includes the NTLM token.

For REST, in the debugger you see message 1 (Anonymous). I checked this by using the GetRequestContent action. So (for SOAP using Integrated authentication) messages 1, 2, 3 and 4 are dealt with outside the debugger. IIS does this for you.


You can 'fake' message 2 by sending a response with the correct status code and adding the header.



In this case you will hit the debugger twice, and the second time the NTLM header is present in the message. However, an NTLM challenge message (message 5) needs to be created. I do not think this will be the solution; I just created this to validate that my exposed webservice does receive the NTLM header when I'm testing it.


My own assumption is that when checking the integrated authentication option in SOAP, OutSystems updates the IIS settings and that this is not implemented for REST. Unfortunately, although it is an on-premise installation, I (personally) do not have access to the server or IIS, so I can't check this.
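To make the handshake steps discussed in this post concrete, here is an added example (not code from the thread, from OutSystems or from the Forge component) written as stand-alone Python instead of OutSystems callbacks. It classifies an incoming request by NTLM handshake step (numbered as in the post above), sends the 'fake' message 2 for an anonymous call, and shows that the username inside the final NTLM message can be read but not verified by application code; the header names and the helper names are assumptions, and the message layout follows MS-NLMP.

```python
import base64
import binascii
import struct

# MS-NLMP message types carried in "Authorization: NTLM <base64>"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NEGOTIATE_UNICODE = 0x00000001  # NegotiateFlags bit: string fields are UTF-16LE


def ntlm_message(authorization_header):
    """Decode the NTLM token of an Authorization header; return (message type, raw bytes) or (None, b'')."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None, b""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None, b""
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None, b""
    return struct.unpack_from("<I", raw, 8)[0], raw


def claimed_user(raw):
    """DOMAIN\\user from an AUTHENTICATE_MESSAGE. Client-supplied and unverified: only the NT
    response field, checked against the domain, proves the sender holds that account's credentials."""
    if len(raw) < 64:
        return None
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"  # OEM charset approximated as ASCII

    def field(off):  # each field descriptor is Len(2), MaxLen(2), BufferOffset(4)
        length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
        return raw[start:start + length].decode(enc, errors="replace")
    return field(28) + "\\" + field(36)  # DomainNameFields @28, UserNameFields @36


def encode_header(raw):
    """Build the Authorization header value for a raw NTLM message (used for constructed test input)."""
    return "NTLM " + base64.b64encode(raw).decode("ascii")


def handle_request(headers):
    """Classify one exposed-REST call by handshake step (numbered as in the post) and choose the response."""
    msg_type, raw = ntlm_message(headers.get("Authorization"))
    if msg_type is None:            # message 1, anonymous: send the 'fake' message 2
        return {"step": "anonymous", "status": 401, "WWW-Authenticate": "NTLM"}
    if msg_type == NEGOTIATE:       # message 3: the server now has to mint a CHALLENGE_MESSAGE (nonce)
        return {"step": "negotiate", "status": 401, "WWW-Authenticate": "NTLM <challenge-needed>"}
    if msg_type == AUTHENTICATE:    # message 5: the proof; app code cannot validate it without the domain
        return {"step": "authenticate", "status": 401, "claimed_user": claimed_user(raw)}
    return {"step": "unexpected", "status": 400}
```

The "authenticate" branch still answers 401 on purpose: without the domain checking the NT response, the claimed user is just a string the client chose, which is why this step has to stay with IIS.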