
Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 6:51 pm
by rbharathan
Hello Scott
We are using 'Basic Authentication' method to Post transactions with our customer. Now they are requiring us to use OAuth 2.0.
We are using HTTPAPI for this. Please let us know if you have sample code to do OAuth 2.0 with HTTPAPI.

Thanks again for all your help!

Re: Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 7:19 pm
by jonboy49
I have just finished working on this as Zoom has changed their APIs to use OAUTH2 instead of JWTs.

For use by tools such as HTTPAPI Zoom has implemented a Server-Server application interface which is much easier to use than the call-back mechanism that some OAUTH2 users require.

I would check with your customer if they offer a server-server interface. If they do the process is pretty simple.

1) Call the "gimme a token" API supplying your user credentials

2) Use the resulting token as the Authentication value in subsequent requests.

Depending on the validity time for the OAUTH token you may (as I have to) do two calls for each interaction.

Re: Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 8:04 pm
by rbharathan
Thank you for the reply. Here are their requirements (Sorry for the Long details)
I wonder if we can do this using HTTPAPI?

Login
Each authentication is unique per supplier (depending on supplier’s business model)
Below information will be provided as part of onboarding:
• Client_secret (Oauth2)
• Client_id (Oauth2)

OAuth2 Token URL:
• Content-Type: application/x-www-form-urlencoded
• Body should have below variables:
   o client_secret
   o client_id
   o grant_type


Token URL
Method Env URL
Get QA https://login.microsoftonline.com/tmnat ... uth2/token
Get PROD https://login.microsoftonline.com/toyot ... uth2/token

Production API URL
Method Env URL
Get QA https://api.dev.scs.toyota.com/spbapi/rest/
Get PROD https://api.scs.toyota.com/spbapi/rest/


Header
Params Values
Content-Type application/x-www-form-urlencoded

Request

Sample request
client_secret: Provided_by_tscs_team
client_id: Provided_by_tscs_team
grant_type: client_credentials

Response
Status Response
200 {
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1624641712",
"not_before": "1624637812",
"access_token": ""
}

Header for all request
For every request below are the required:
• Use HTTPS only
• Header:
   o Content-Type: application/json
   o Authorization: Pass access_token from token response with “Bearer “ (Bearer eyJ0e……..)

Re: Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 8:59 pm
by jonboy49
It looks like a server-server setup and somewhat similar to mine but I don't have to mess with form-encoding. Luckily HTTPAPI has that feature available although I've never needed to use it. There is at least one example that uses it in the LIBHTTP RPG sources.

Scott is WAY more knowledgeable than me on this stuff. Hopefully he'll correct me if I've misread it.

If I understand it correctly they are giving you two different endpoints to call to obtain the OAUTH token for prod and QA.

This is my code for obtaining the token. I've marked where I think yours will be different.

Code:

Dcl-Ds OAUTH_DATA;  // << Modify this to match your token layout
   access_token  varchar(2000);
   token_type    varchar(40);
   expires_in    int(10);
   scope         varchar(1000);
End-Ds;

response = http_string( 'POST' :
                       url:
                       *Omit:  // << I believe you would replace this with the variable containing your encoded form data
                       'application/json'); // << and this with 'application/x-www-form-urlencoded'

data-into OAUTH_DATA %Data( response : 'case=convert')
                 %Parser('YAJL/YAJLINTO');

That gives you your token which you will use like this for all subsequent service calls. You may be able to make multiple calls with a single token - in the example yours appears to time out in an hour - assuming it is in seconds.

Code:

      // Set authority type to BEARER (passes in OAUTH token)
      http_setauth(HTTP_AUTH_BEARER : null : token );  // << Where I defined null as a one char variable

You might ask them for Swagger (Open AI) docs for the services. That way you can use Postman or whatever to test the service.
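
The token exchange discussed in this thread, as an added example that is not part of any post and is not HTTPAPI code: a Python illustration of the form-encoded client-credentials body, parsing a token response whose numeric fields arrive as strings, and reusing the token until shortly before it expires. The names `build_token_request` and `TokenCache`, the 60-second margin and the placeholder token are assumptions; the sample response is constructed from the field layout quoted above.

```python
import json
import time
from urllib.parse import urlencode

# Constructed sample: same field layout as the response quoted in the thread
# (numeric fields are JSON strings); the token value is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": "3599", "ext_expires_in": "3599",
    "expires_on": "1624641712", "access_token": "PLACEHOLDER_TOKEN"})


def build_token_request(client_id, client_secret):
    """Return (content_type, body) for the client-credentials token POST."""
    # urlencode percent-encodes characters such as + / = & that often appear
    # in secrets and would otherwise corrupt the form body.
    body = urlencode({"client_id": client_id,
                      "client_secret": client_secret,
                      "grant_type": "client_credentials"})
    return "application/x-www-form-urlencoded", body


class TokenCache:
    """Holds one access token and reports when a new one must be fetched."""

    def __init__(self, skew=60):
        self.skew = skew          # assumed margin: refresh this many seconds early
        self.token = None
        self.expires_at = 0.0

    def store(self, response_text, now=None):
        now = time.time() if now is None else now
        data = json.loads(response_text)
        if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
            raise ValueError("unexpected token response")
        self.token = data["access_token"]
        # int() accepts both "3599" (string, as in the sample) and 3599.
        self.expires_at = now + int(data["expires_in"])

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return self.token is None or now >= self.expires_at - self.skew

    def auth_headers(self):
        """Headers required on every API request once a token is held."""
        return {"Authorization": "Bearer " + self.token,
                "Content-Type": "application/json"}
```

Calling `needs_refresh()` before each API request keeps the token POST to roughly one per hour for a 3599-second token, rather than one per interaction.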

Re: Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 11:12 pm
by rbharathan
Thank you!, this is very helpful. Couple of quick questions..
1. Do I do a 'GET' to get the token instead of the 'POST' in http_string() ?

2. I do not see HTTP_AUTH_BEARER as a parameter for http_setauth() in my version of HTTPAPI.
Is there a later version I need to download? (maybe it is Scott's question - Thanks Scott)

Thanks.

Re: Using Oauth2 with HTTPAPI

Posted: Mon Feb 19, 2024 11:59 pm
by jonboy49
Glad it was useful to you.

1) For the token it has to be a POST. In fact if you try the URL you were given in a browser it will tell you that POST is required.

2) I didn't notice it either but I checked in the source code of the latest version and it was there.

Not sure when it was added but I had just upgraded to the latest which is 1.48 I think.

Re: Using Oauth2 with HTTPAPI

Posted: Tue Feb 20, 2024 6:37 pm
by rbharathan
Thanks again! I will do POST then! I use Postman to test first.
When I replace current version of HTTPAPI with new version by replacing library LIBHTTP, will it affect existing programs that are using it currently? Will all those programs need to be recompiled?

Thanks

Re: Using Oauth2 with HTTPAPI

Posted: Tue Feb 20, 2024 7:58 pm
by Scott Klement
It is backward compatible, if you replace the library everything will keep working.

If you want, you can test this by installing it into a different library, and just using the library list to control which copy you're using.

Re: Using Oauth2 with HTTPAPI

Posted: Tue Feb 20, 2024 9:57 pm
by rbharathan
Thanks Scott!