How to use the OutSystems Users module to authenticate users in my mobile app

Hi All,

How can I use the OutSystems Users module to authenticate users in my React Native mobile app? The mobile application is not built on the OutSystems platform and it has to use the OS Users module for authentication. The Users module exposes an API and it has only two operations (Resetpassword & EditmyInfo): https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/Users_API

Thanks,

KJ

Hi Karthik,


I think you need to create some sort of REST webservice wrapper around the OutSystems API for Users. I think/hope your non-OutSystems mobile app can use REST. Whatever you try to build, do it in a secure manner. When creating these REST webservices use HTTPS, hash passwords, don't send sensitive data in the URL, etc.


Greetings,


Robert


Thanks Robert,

Yes, my mobile app is capable of consuming REST APIs. Should I use the User_Login action in my REST API to check if the username & password is an authenticated user in the OS Users module? What is the best way to implement it and is there any documentation available?

Thanks,

KJ



Dear Karthik,


I couldn't find any public method that can do this; however, you can clone the user module and expose the userlogininternal to fulfill your need. Please be careful about the logic and the security concerns raised by Robert.


I hope this will help, and let me know if you get this implemented successfully.




Thanks

Mohamed Hakkim.



Hello Karthik

I think you misunderstood the Users API. It is not a REST API. In fact, afaik, there is no REST API to use the OutSystems Login System.

So, you would have to create, in OutSystems, an interface (maybe exposing a REST web service), that would be able to authenticate your users, using the Users API. Again, this would be an OutSystems layer.

You then would consume this service on your mobile application.

Now, you need to decide if you want to LOG IN the user in the OutSystems environment, or if you just want to validate its credentials.

If all you want to do is to validate credentials, you can pass the user and pass to the web service and it can hash the password and compare with the hash that is in the database, I think. 

If you want to log in, you can use User_Login. But this will not be useful per se, as you will not be able to leverage any advantage from the OutSystems platform. Unless you need to perform other operations, but again, without the session cookie, any request would be a new request. 

So you would have to use a different approach, being able to store the session cookie and send it on any interaction.

Hope this helps.

Cheers.

Thanks Eduardo, I want to capture the session cookie and use it for the subsequent interaction after login. Is there any sample or documentation available for the implementation?


Thanks,

KJ


Hum... 

I would say that this will not work... 

Let me ask something. How are you pretending to interact with the OutSystems platform?
I mean, do you have a REST/SOAP API to use already? Will you create one?

It seems to me that you should work as if the OutSystems platform is an external entity, but being a REST service, the platform is not prepared to keep you logged in between calls, I would say...

You would have to send user/password on every request or implement something with tokens, for example, and on the OutSystems side execute a System Login (no need for a password), controlling the session timeout yourself, etc.

Cheers.

Thanks Eduardo,


I am planning to create a new REST API to have an operation to authenticate my mobile app users. I don't want to pass username and password during every interaction after successful authentication. In that case, I should generate a token in OutSystems and send it back to the mobile client during the login, and the mobile app can interact with OS using the token without sending username & password during each interaction. I should also have control over handling the validity of the token. Until the token is valid, I can allow the users to access any of the services.


Hope this is the right approach to handle this scenario. Let me know.

Thanks,

KJ


Hi Karthik,

For me, it seems OK. It is how I would implement it if I were in your situation, probably. Be extra careful with the security to avoid tampering of header and body during the communication.

Cheers
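
The token scheme the thread settles on, sketched as an added example (not code from any poster or from OutSystems). It models in JavaScript what the server-side REST layer would do: issue an opaque token after login, store only its hash, and enforce validity on every call. All names, the 15-minute window, and the in-memory `Map` (standing in for an OutSystems entity) are assumptions, and the password is assumed to have been verified by the platform's own login logic before `issueToken` is called.

```javascript
const crypto = require('crypto');

// Hypothetical model of the token logic behind the custom REST API.
const TOKEN_TTL_MS = 15 * 60 * 1000;  // assumed validity window
const sessions = new Map();           // sha256(token) -> { userId, expiresAt }

const digest = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

// Login operation: call only after the password check has succeeded.
function issueToken(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 random bits
  // Store the hash, not the token, so a leaked table cannot be replayed.
  sessions.set(digest(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token; // sent to the app once, in the HTTPS response body
}

// Every other operation: resolve the Authorization header to a user id.
function authenticate(authorizationHeader, now = Date.now()) {
  // Token travels in a header, never in the URL, and must be well formed.
  const match = /^Bearer ([0-9a-f]{64})$/.exec(authorizationHeader || '');
  if (!match) return null;
  const key = digest(match[1]);
  const session = sessions.get(key);
  if (!session) return null;
  if (now >= session.expiresAt) {      // server decides validity
    sessions.delete(key);
    return null;
  }
  session.expiresAt = now + TOKEN_TTL_MS; // sliding timeout (assumption)
  return session.userId;
}

// Logout or forced invalidation.
function revokeToken(token) {
  return sessions.delete(digest(token));
}
```

On the React Native side the token belongs in the platform's secure storage and goes out as `Authorization: Bearer <token>` on each request.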