Using Oauth2 with HTTPAPI
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Using Oauth2 with HTTPAPI
Hello Scott
We are using 'Basic Authentication' method to Post transactions with our customer. Now they are requiring us to use OAuth 2.0.
We are using HTTPAPI for this. Please let us know if you have sample code to do OAuth 2.0 with HTTPAPI.
Thanks again for all your help!
Re: Using Oauth2 with HTTPAPI
I have just finished working on this as Zoom has changed their APIs to use OAUTH2 instead of JWTs.
For use by tools such as HTTPAPI Zoom has implemented a Server-Server application interface which is much easier to use than the call-back mechanism that some OAUTH2 users require.
I would check with your customer if they offer a server-server interface. If they do the process is pretty simple.
1) Call the "gimme a token" API supplying your user credentials
2) Use the resulting token as the Authentication value in subsequent requests.
Depending on the validity time for the OAUTH token you may (as I have to) do two calls for each interaction.
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Re: Using Oauth2 with HTTPAPI
Thank you for the reply. Here are their requirements (Sorry for the Long details)
I wonder if we can do this using HTTPAPI?
Login
Each authentication is unique per supplier (depending on supplier’s business model)
Below information will be provided as part of onboarding:
• Client_secret (Oauth2)
• Client_id (Oauth2)
OAuth2 Token URL:
• Content-Type: application/x-www-form-urlencoded
• Body should have below variables:
  o client_secret
  o client_id
  o grant_type
Token URL
Method Env URL
Get QA https://login.microsoftonline.com/tmnat ... uth2/token
Get PROD https://login.microsoftonline.com/toyot ... uth2/token
Production API URL
Method Env URL
Get QA https://api.dev.scs.toyota.com/spbapi/rest/
Get PROD https://api.scs.toyota.com/spbapi/rest/
Header
Params Values
Content-Type application/x-www-form-urlencoded
Request
Sample request
client_secret: Provided_by_tscs_team
client_id: Provided_by_tscs_team
grant_type: client_credentials
Response
Status Response
200 {
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1624641712",
"not_before": "1624637812",
"access_token": ""
}
Header for all request
For every request below are the required:
• Use HTTPS only
• Header:
  o Content-Type: application/json
  o Authorization: Pass access_token from token response with “Bearer “ (Bearer eyJ0e……..)
Re: Using Oauth2 with HTTPAPI
It looks like a server-server setup and somewhat similar to mine but I don't have to mess with form-encoding. Luckily HTTPAPI has that feature available although I've never needed to use it. There is at least one example that uses it in the LIBHTTP RPG sources.
Scott is WAY more knowledgeable than me on this stuff. Hopefully he'll correct me if I've misread it.
If I understand it correctly they are giving you two different endpoints to call to obtain the OAUTH token for prod and QA.
This is my code for obtaining the token. I've marked where I think yours will be different.
Code: Select all
// Modify this to match your token layout
Dcl-Ds OAUTH_DATA;
  access_token varchar(2000);
  token_type varchar(40);
  expires_in int(10);
  scope varchar(1000);
End-Ds;

response = http_string( 'POST' :
                        url :
                        *Omit :                // I believe you would replace this with the variable containing your encoded form data
                        'application/json' );  // and this with 'application/x-www-form-urlencoded'

data-into OAUTH_DATA %Data( response : 'case=convert' )
                     %Parser('YAJL/YAJLINTO');
That gives you your token which you will use like this for all subsequent service calls. You may be able to make multiple calls with a single token - in the example yours appears to time out in an hour - assuming it is in seconds.
Code: Select all
// Set authority type to BEARER (passes in OAUTH token)
// Where I defined null as a one char variable
http_setauth(HTTP_AUTH_BEARER : null : token );
You might ask them for Swagger (Open AI) docs for the services. That way you can use Postman or whatever to test the service.
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Re: Using Oauth2 with HTTPAPI
Thank you!, this is very helpful. Couple of quick questions..
1. Do I do a 'GET' to get the token instead of the 'POST' in http_string() ?
2. I do not see HTTP_AUTH_BEARER as a parameter for http_setauth() in my version of HTTPAPI.
Is there a later version I need to download? (maybe it is a Scott question - Thanks Scott)
Thanks.
Re: Using Oauth2 with HTTPAPI
Glad it was useful to you.
1) For the token it has to be a POST. In fact if you try the URL you were given in a browser it will tell you that POST is required.
2) I didn't notice it either but I checked in the source code of the latest version and it was there.
Not sure when it was added but I had just upgraded to the latest which is 1.48 I think.
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Re: Using Oauth2 with HTTPAPI
Thanks again! I will do POST then! I use Postman to test first.
When I replace current version of HTTPAPI with new version by replacing library LIBHTTP, will it affect existing programs that are using it currently? Will all those programs need to be recompiled?
Thanks
-
- Site Admin
- Posts: 776
- Joined: Sun Jul 04, 2021 5:12 am
Re: Using Oauth2 with HTTPAPI
It is backward compatible, if you replace the library everything will keep working.
If you want, you can test this by installing it into a different library, and just using the library list to control which copy you're using.
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Re: Using Oauth2 with HTTPAPI
Thanks Scott!
-
- Posts: 7
- Joined: Mon Feb 19, 2024 6:41 pm
Re: Using Oauth2 with HTTPAPI
Hello Scott and John
Thanks again for your help in advance.
We have another instance where we have to use Oauth2.
This is their requirement to retrieve a token
curl --location --request POST https://np.b2e.sso.53.com/as/token.oauth2 --header "Authorization: Basic Zml0Yl9uYWNo0aW9uX2NjX3N0Z19jaGk6UDVBuUExtMG5jYzR5ZWhKWGxTY0FEVU9scXZNNWpSTVdvYkNLajNhZUpEdA==" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "grant_type=client_credentials" --data-urlencode "scope=openid read"
We have to pass two data-urlencode
"grant_type=client_credentials"
"scope=openid read"
We are trying using http_req as below - please see below
We are not able to pass the second parameter ‘scope : openid read’
We are using ‘&’ between those two parameters (we tried Blanks ‘ ‘, comma ‘,’ between them as well). Getting error as ‘ Invalid grant type’.
Customer is telling us to use two separate lines for parameters, but http_req has only one parameter for sending string.
Any help would be much appreciated.
URL = 'https://np.b2e.sso.53.com/as/token.oauth2';
http_debug(*on: '/ACH/ACH-diagnostic-log.txt');
http_setAuth(HTTP_AUTH_BASIC : %Trim(ClientID) : %Trim(ClientSec));
Monitor;
rc = http_req('POST'
: %Trim(URL)
: *Omit
: Response
: *Omit
: 'grant_type=client_credentials' & ‘scope : openid read’
: 'application/x-www-form-urlencoded');
Thanks
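Added example (not written by any poster in this thread, and not HTTPAPI's own sample code): one way to send both form fields from the curl command above in a single request body and then switch to the bearer token. It assumes HTTPAPI_H provides the WEBFORM_* URL-encoder routines and that YAJLINTO is installed; tokenUrl, clientId, clientSec, unused and the tokenInfo layout are placeholders.

```rpgle
**free
ctl-opt dftactgrp(*no) bnddir('HTTPAPI');
/copy qrpglesrc,httpapi_h

// Standard OAuth2 token reply fields; other fields in the reply are ignored.
dcl-ds tokenInfo qualified;
  access_token varchar(4000);
  token_type   varchar(40);
  expires_in   varchar(20);  // kept as text: the reply may quote it ("3599")
end-ds;

dcl-s tokenUrl  varchar(500);    // placeholder: token URL from onboarding
dcl-s clientId  varchar(200);    // placeholder: load at run time, not a literal
dcl-s clientSec varchar(200);    // placeholder: load at run time, not a literal
dcl-s form      like(WEBFORM);   // assumed: encoder handle type from HTTPAPI_H
dcl-s body      varchar(2000);
dcl-s response  varchar(100000);
dcl-s errMsg    varchar(80);
dcl-s unused    char(1);

// curl's two --data-urlencode options become ONE body string:
//   grant_type=client_credentials&scope=openid%20read
// (pairs joined by '&', the space encoded as %20 or '+').
form = WEBFORM_open();
WEBFORM_setVar(form: 'grant_type': 'client_credentials');
WEBFORM_setVar(form: 'scope'     : 'openid read');
body = WEBFORM_getData(form);
WEBFORM_close(form);

// Client id and secret travel in the Authorization: Basic header.
http_setAuth(HTTP_AUTH_BASIC: %trim(clientId): %trim(clientSec));

if http_req('POST': tokenUrl: *omit: response: *omit
           : body: 'application/x-www-form-urlencoded') <> 1;
  errMsg = http_error();     // reason text for your error handling
  *inlr = *on;
  return;
endif;

data-into tokenInfo
          %data(response: 'case=convert allowextra=yes allowmissing=yes')
          %parser('YAJL/YAJLINTO');

// Later API calls send "Authorization: Bearer <access_token>".
http_setAuth(HTTP_AUTH_BEARER: unused: tokenInfo.access_token);

*inlr = *on;
return;
```

For the earlier token endpoint in this thread, which expects client_id and client_secret in the body, add them with two more WEBFORM_setVar calls and drop the HTTP_AUTH_BASIC line.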