Dear folks,
I have an ASP.NET Core API and I'd like to integrate with Outsystems. Thus, I created a simple reactive UI in the Service Studio and I'd like to perform requests from the interface to my API. I know how to configure such an integration. However, I'd like to enhance my API with authorization and authentication. Is it possible to use the Outsystems' built-in authentication mechanism as an authorization server so that when the API receives the request with the access token the API validates such token in Outsystems?
Hi Bruno,
That is the fun part of signed tokens :-) you don't have to call back to your Outsystems application.
Here are the steps involved.
You first create a private key. You can do this e.g. with openssl:
openssl genrsa -out privatekey.pem 4096
The PEM file is just text you need to sign the Token.
Using the mentioned Outsystems JWT component you use the Server Action
CreateSignedAsymmetricTokenWithPemKey
You use the content from the PEM File here (PrivateKey and PrivateKeyPassword parameters).
If the action is successful you receive a SignedAndEncodedToken parameter from the action. That is the Bearer Token you send via the Authorization header to your ASP.NET Core API.
For your ASP.NET Core API you need the public key corresponding to the private key you created. Again with openssl this is done by:
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
The CER file is also just a text file. That text can be used as a parameter to one of the C# jwt.io libraries.
--
This approach makes it possible that you do not need to call back to Outsystems in order to validate if the token is really a valid token.
The token was signed with the private part of a key pair. That private key is only known to your Outsystems application. You basically KNOW that whenever you can validate the signature of the token using the public part of the key pair it must be coming from your Outsystems application. (There are some additional steps in validation like issuer, expiration and audience; please check the documentation of the jwt.io libraries for that.)
Whenever validation succeeds you can decode the token and retrieve the so-called claims. Claims are key/value pairs which can hold any data you want. When creating the token in your Outsystems application you add those claims to the token.
Claims are used to determine access to resources.
Best
Stefan
Hello Bruno,
You can customize your own method of Authentication and Authorization for REST APIs.
Please refer to this page for an example.
Hope it helps!
Thank you for the reply!
My API is not exposed in Outsystems; instead I'm only consuming the API in an Outsystems app. So, I'm wondering how to protect my API with token-based HTTP authentication and integrate it with the Outsystems app.
Hi Bruno.
If I understood that right, you want your users to sign in with their OutSystems account. Then your OutSystems backend application consumes your ASP.NET Core API?
What you could do is that before your application consumes your API you create a signed JSON Web Token using this awesome component: JWT - Overview | OutSystems.
You pass the token then via a header "Authorization: BEARER <your token>" to your API. In your API you can use one of the JWT .NET packages to validate and decode the token. The token can also include user information in case you need that.
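The validation side that Stefan's two replies describe (signature check with the public key, then issuer, audience and expiration, then claims for authorization), written out for an ASP.NET Core minimal API. This is an added example, not code from the thread, from the OutSystems JWT component or from any jwt.io library. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, the publickey.cer file from the openssl step above placed next to the application, and issuer, audience and claim values ("my-outsystems-app", "my-aspnet-api", a "role" claim) that you would have to match on the OutSystems side when creating the token.

```csharp
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Load the self-signed certificate produced by "openssl req -new -x509 ...".
// Only the public half of the key pair is needed here; the private key
// never leaves the OutSystems application.
var cert = new X509Certificate2("publickey.cer");
var signingKey = new RsaSecurityKey(cert.GetRSAPublicKey());

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Keep the original claim names ("sub", "role") instead of the
        // legacy ClaimTypes mapping, so the checks below match the token as issued.
        options.MapInboundClaims = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // 1. Signature: the token must verify against our public key,
            //    and only with the asymmetric algorithm we expect.
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },

            // 2. Issuer / audience: assumed values, must equal the "iss" and
            //    "aud" claims set in CreateSignedAsymmetricTokenWithPemKey.
            ValidateIssuer = true,
            ValidIssuer = "my-outsystems-app",
            ValidateAudience = true,
            ValidAudience = "my-aspnet-api",

            // 3. Expiration: reject tokens outside their nbf/exp window,
            //    allowing a small clock difference between the two systems.
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

// 4. Authorization from claims: an assumed "role" claim added to the token
//    in OutSystems decides which resources the caller may reach.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("OrdersReader", policy => policy.RequireClaim("role", "orders.read"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint: reached only with a valid signed token carrying
// role=orders.read; the "sub" claim identifies the OutSystems user.
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { caller = user.FindFirst("sub")?.Value, orders = Array.Empty<string>() }))
   .RequireAuthorization("OrdersReader");

app.Run();
```

Because the algorithm is pinned to RS256 and the key is the certificate's public key, a token signed with any other key, or with a symmetric algorithm, fails at step 1 without any call back to OutSystems; the issuer, audience and lifetime checks are the "additional steps" Stefan mentions, and a request that passes all of them but lacks the expected role claim gets a 403 rather than a 401.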
Hi Stefan,
This is exactly what I want! Thank you! I just have one remaining doubt: how can I validate the token in my API? Isn't it necessary to request some endpoint of Outsystems, which will confirm or not that the token is valid?
Excellent!!! I was confusing JWT standard itself and the OAuth flows... but, now I understood. THANK YOU VERY MUCH!!!
As far as I know that's not possible. You'll need to program this yourself. Integration with token-based authentication is certainly possible; many Forge assets that connect with external services do exactly that. But there's not a standard OS mechanism for doing so.
Hi sir, can you help here: https://www.outsystems.com/forums/discussion/75614/how-to-see-selected-profile-name-when-i-click-profile/