Provider Authorization

Discussions related to HTTPAPI (An HTTP Client Package for RPG programming.) http://www.scottklement.com/httpapi/
emhill
Posts: 43
Joined: Thu Jul 29, 2021 1:15 pm

Provider Authorization

Post by emhill »

We have been using consume only web services at our site up until now. Now we have a company that wants us to be their provider for data. We are just in the planning stages right now. No code has been written but I'm just trying to get my ducks in a row before we hit this hot and heavy.

They are going to send us a request for inventory data (QOH, location, etc.) and we send the data back to them. It could be multiple items needed per request. I'm pretty sure I have somewhat of a handle on the setup using the standard input (for the request) and standard output (for the response back to them). I have been using Scott's "Rest APIs and RPG" presentation as a guide and will set up my HTTP server based on this example:

DefaultFsCCSID 37
DefaultNetCCSID 1208
CgiConvMode %%MIXED/MIXED%%
ScriptAlias /api/customers /qsys.lib/skwebsrv.lib/cust001r.pgm
<Directory /qsys.lib/skwebsrv.lib>
SetEnv QIBM_CGI_LIBRARY_LIST "QTEMP;QGPL;SKLEMENT;SKWEBSRV;YAJL"
require valid-user
AuthType basic
AuthName "SK REST APIs"
PasswdFile %%SYSTEM%%
UserId %%CLIENT%%
</Directory>

I am going to provide the requesting company a user id and password that I set up on our IBMi and use basic authority. My question is how do I retrieve the requesting user id/password using HTTPAPI when the request is made? I've looked at the sample code from Scott's handouts and in the source files in HTTPAPI but don't really see what I think I'm going to need. Just could be missing it. When the remote user sends a request, if the user id and password are included in the headers how do I retrieve that using HTTPAPI? Is it a no-no to get the user id and password as part of the standard input data?

I've looked at the getAuth and setAuth prototypes and examples but I'm not really seeing how to do this to check the authority when I am the provider. I know it's something silly I'm missing but if someone could point me in the right direction I would appreciate it.

Thanks!
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: Provider Authorization

Post by Scott Klement »

emhill wrote: Fri May 13, 2022 4:59 pm I am going to provide the requesting company a user id and password that I set up on our IBMi and use basic authority. My question is how do I retrieve the requesting user id/password using HTTPAPI when the request is made? I've looked at the sample code from Scott's handouts and in the source files in HTTPAPI but don't really see what I think I'm going to need. Just could be missing it. When the remote user sends a request, if the user id and password are included in the headers how do I retrieve that using HTTPAPI? Is it a no-no to get the user id and password as part of the standard input data?

Can you explain this better? (1) How does this relate to HTTPAPI? (2) What do you need the userid/password for?
emhill
Posts: 43
Joined: Thu Jul 29, 2021 1:15 pm

Re: Provider Authorization

Post by emhill »

If the user is coming into our system (after setting up the Apache options for the HTTP server as I included in my previous post) would it not require some sort of user/password? The options include AuthType basic, PasswdFile and UserID. Is this just for outgoing (consuming) APIs? This person will send standard input to a URL like:

http://<domainname>/api/iteminquiry

In the standard input they will send a JSON request for one or more items. I will return the result in the standard output. I'm pretty sure I can handle this part, it is the authentication coming from the outside user to our system that has me confused.

Am I overthinking it? Am I completely off base on this one? As I stated before all the web services from our IBMi have up until now been us consuming data. We would send the request (including id/password in the headers) and then the provider would send a JSON string back. This is the other direction.
jonboy49
Posts: 200
Joined: Wed Jul 28, 2021 8:18 pm

Re: Provider Authorization

Post by jonboy49 »

HTTPAPI is intended as a tool set for _Consumption_ of web services - not for providing them.

I thought that Scott's examples in his handout showed this.

Authentication would normally be taken care of by the Apache server that you would configure to supply the service.

Depending on the volume of transactions you are expecting you might want to consider using IWS which will let you deploy a conventional RPG program as a JSON based web service. Scott includes details in one of his presentations and I can link you to a lecture/demo video that I did if you want.
emhill
Posts: 43
Joined: Thu Jul 29, 2021 1:15 pm

Re: Provider Authorization

Post by emhill »

Hey Jon,

Yeah I went back over the presentation again after making the previous post and the IWS is the way I'm going to go on this one. Was once again trying to overthink things.

Thanks for all you guys do!!!!
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: Provider Authorization

Post by Scott Klement »

emhill wrote: Fri May 13, 2022 8:37 pm If the user is coming into our system (after setting up the Apache options for the HTTP server as I included in my previous post) would it not require some sort of user/password? The options include AuthType basic, PasswdFile and UserID. Is this just for outgoing (consuming) APIs? This person will send standard input to a URL like:

http://<domainname>/api/iteminquiry

The code you show is for providing (I guess you consider that "incoming") it has nothing to do with consuming. That's why HTTPAPI doesn't make any sense, here... HTTPAPI is for consuming.

Yes, whoever is calling this API will have to provide a valid userid/password, and Apache will not let them in if they don't provide it. That's what "require valid-user" does. But that's not what you asked in your original post... you asked how to get the userid/password in your RPG program. I wonder why you'd need it since the OS has already validated it? Also, because you have "UserId %%CLIENT%%" it's going to run your RPG program as the userid that was specified -- So you can use the PSDS or INZ(*USER) to get the userid. Why would you want the password, though? What are you going to do with it?

It is possible to get the password, too... I'm just not sure why you want it. I don't want to invest several hours of my time teaching you how to get the password, only to have to determine that you don't need it. Since the OS has already validated it, why do you want it?
emhill wrote: Fri May 13, 2022 8:37 pm In the standard input they will send a JSON request for one or more items. I will return the result in the standard output. I'm pretty sure I can handle this part, it is the authentication coming from the outside user to our system that has me confused.

The way you have it coded, Apache will expect a userid/password, and will validate it against the user profiles on your system, and will run your RPG program as the user profile they provided. You don't have to do anything more than the code you already showed. If that's not what you want, then please explain what you want.
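
Added example, not part of any post in this thread and not Apache, HTTPAPI or RPG code: a small Python model of the exchange described above, in which the server checks the Basic credentials before the program runs and hands the program only the user name. The profile `PARTNER1`, its password and the function names are constructed for illustration; the realm string is the AuthName from the configuration in the first post.

```python
import base64
import hmac

REALM = "SK REST APIs"  # AuthName from the configuration in the first post
# Constructed stand-in for the user-profile check done by PasswdFile %%SYSTEM%%.
PROFILES = {"PARTNER1": "constructed-secret"}

def client_headers(user, password):
    """What the consuming side sends (RFC 7617). Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return {"Authorization": "Basic " + token}

def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None if unusable."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def gate(headers):
    """Model of 'require valid-user': returns (status, response headers, CGI environment)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None  # the program is never started
    user, password = creds
    expected = PROFILES.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge, None
    # Only after validation does the program run; this model passes the user name only.
    return 200, {}, {"AUTH_TYPE": "Basic", "REMOTE_USER": user}

if __name__ == "__main__":
    print(gate({}))                                                   # challenge
    print(gate(client_headers("PARTNER1", "constructed-secret")))     # accepted
```
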
emhill
Posts: 43
Joined: Thu Jul 29, 2021 1:15 pm

Re: Provider Authorization

Post by emhill »

As you guys said this is really in the wrong forum. I'm going to close this out and continue to research. Thanks for your help!