scottklement.com

Hi all,
i have application that uses HTTPAPI. Here are functions i use and every thing working fine.
http_setOption( 'Content-Type' : 'application/json' );
http_setOption('Accept':'application/json');
http_setauth(HTTP_AUTH_BASIC:%Trim(UserID):%Trim(Password));
rc = http_req( 'POST': url: *omit : result : *omit : postdata);


Want to use HTTPAPI for another application which uses OAuth 2.0 protocol for authentication and i do not know what functions to use to do this 2 step authentication, please help...

Here are documentation from API hosted site stamps.com: https://developer.stamps.com/rest-api/r ... qs_connect

SERA uses the industry-standard OAuth 2.0 protocol for authentication. Completing the authentication procedure for access to SERA requires a few steps.
1. Login: Application presents the server-hosted login page to the user in a browser.
2. Redirect with Authorization Code: Once the user logs in and authorizes the application, an authorization code is returned to the application.
3. Initial Token Generation: Application uses authorization code to generate the initial set of access and refresh tokens.
4. Refresh Token: Application uses the stored refresh token to generate a new access token as needed.


Authentication:
In order to access SERA, integrations must call the API with a valid access token. Access tokens can be generated with a valid authorization code from a user's login event or with an refresh token from an earlier login. The endpoints below detail how to login to receive an authorization code and how to turn that code into a valid set of access and refresh tokens.

Authorization URL: https://signin.testing.stampsendicia.com/authorize
Token URL: https://signin.testing.stampsendicia.com/oauth/token
Refresh URL: https://signin.testing.stampsendicia.com/oauth/token


Get Authorization Code:
Integrators call this endpoint to receive a 302 redirect to a hosted HTML login page. Once the user completes the login page, they will be redirected to the URL specified in redirect_uri with an authorization code contained in the code query parameter. For example, if the redirect_uri is "https://www.stamps.com", the user will be directed to "https://www.stamps.com/?code=<AuthorizationCode>" on successful login. Use this authorization code to generate an access_token.

QUERY PARAMETERS:
client_id
string
Client ID
Identifies the integrated application connecting to SERA

response_type
string
Value: "code"
Example: response_type=code
Response Type
Set to code for the authorization code flow

redirect_uri
string
Redirect URI
The login page will redirect to this URI on successful login

scope
string
Value: "offline_access"
Scope
Specify this scope value as offline_access in order to receive a refresh_token in the response

Responses:
302
Found

I use HTTPAPI for OAUTH2 authentication with the Zoom APIs and it works fine.
Have you checked this thread? https://www.scottklement.com/forums/viewtopic.php?t=439

There are others on the topic as well if you search for OAUTH.

The process is basically:

Make a call to the OAUTH token generation API
Use the resulting token as your authentication value in subsequent requests.

Hello John/Scott,
did go through other posts and tried different options but not able to make it work. I am able to figure out to get authorization code from the website, now got to get access/refresh token using https://signin.testing.stampsendicia.com/oauth/token API call using following parameter(based on providers documentation)
Request:
{
"grant_type": "authorization_code",
"client_id": "string",
"client_secret": "string",
"refresh_token": "authorization code returned from the browse"
}
which should return given below in the response
Response:
{
"access_token": "string",
"refresh_token": "string",
"id_token": "string",
"token_type": "string",
"expires_in": "string"
}

Here is how i am calling the api using HTTPAPI and getting error "HTTP/1.1 400 Bad Request " and looking into further in log, it says "invalid json" possibly the way i am sending request is not right.

Here is my code:
http_setOption( 'Content-Type' : 'application/json' );
http_setOption('Accept':'application/json');
postString = 'grant_type=authorization_code' +
'&client_id=' + http_urlEncode(%Trim(UEPCID)) +
'&client_secret=' + http_urlEncode(%Trim(UEPCSC)) +
'&refresh_token=' + http_urlEncode(%Trim(#Aut_Code));
rc = http_req( 'POST': urt: *omit : result : *omit : poststring);

Here is the debug log:
Protocol Used: TLS Version 1.2
http_persist_req(POST) entered.
http_long_ParseURL(): entered
http_long_ParseURL(): entered
do_oper(POST): entered
There are 0 cookies in the cache
POST /oauth/token HTTP/1.1
Host: signin.testing.stampsendicia.com
User-Agent: http-api/1.43
Content-Type: application/json
Accept: application/json
Content-Length: 211
senddoc(): entered
grant_type=authorization_code&client_id=aShxEuPdB9LKOtp23OjnzsPIn4vX&client_secret=vxDH1YlIwttLJSBDDzy4Mh9AvhA8qWEYzsawsJ6Gi1HSJiTsvuWggo4Vqye6&refresh_token=TjqgTsRKjeSjlWhmKONmcV8lrP7-SZhZUYdXEq2Eu
recvresp(): entered
HTTP/1.1 400 Bad Request
Date: Thu, 01 Aug 2024 00:24:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12
Connection: keep-alive
CF-Ray: 8ac1aede8a743b30-IAD
CF-Ray: 8ac1aede8a743b30-IAD
CF-Cache-Status: DYNAMIC
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-c
ETag: W/"c-Jvsz6bZlHV2qtnXjM/ExsFfoozA"
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Auth0-RequestId: 60482483deb15ad1bce6
X-Content-Type-Options: nosniff
Server: cloudflare
alt-svc: h3=":443"; ma=86400

SetError() #13: HTTP/1.1 400 Bad Request
recvresp(): end with 400
recvdoc parms: identity 12
header_load_cookies() entered
header_load_cookies() entered
recvdoc(): entered
SetError() #0:
recvdoc(): Receiving 12 bytes.
invalid json
SetError() #13: HTTP/1.1 400 Bad Request
http_close(): entered

You've told it that you're sending a JSON document, but you're not, you're sening URL-encoded name/value pairs.

You even tell us at the start of your message that the data should look like this: But then when you send it, you send this: Can you explain why you aren't sending the JSON?

There was no intention not to send json but just reading different articles I thought this is the way I can make call. Did change the code as given below. Looks like api server is able to understand my request but giving me error ("Invalid redirect_uri) possibly expecting some thing else in my request.

According to provider documentation to call https://signin.testing.stampsendicia.com/oauth/token , just these 4 parameters required as I explained in previous post. This API takes authorization code under refresh_token parameter and supposed to return access token and refresh token.

Additional info on authorization code and redirect_uri: Provider has given me client id and secret that is tied to Redirect uri. Firt step is to get authorization code using user_id, password provided by vendor which does return authorization code to the redirect URL(which is our URL we have provided vendor to associate with client ID/secret). I got authorization code using browser by signing in to
https://signin.testing.stampsendicia.co ... ine_access
which return value into redirect URL
https://www.essilor.com/us-en/?code=i5t ... HISnxapw8w
and this authorization code is used in oauth/token api


Code:
http_setOption( 'Content-Type' : 'application/json' );
http_setOption('Accept':'application/json');
postString = '{ "grant_type": "authorization_code", ' +
'"client_id":' + #Qd + %Trim(UEPCID) + #Qd + ','
'"client_secret":' + #Qd + %Trim(UEPCSC) + #Qd +
'"refresh_token":' + #Qd + %Trim(#Aut_Code) + #Qd + '}';
urt = ‘https://signin.testing.stampsendicia.com/oauth/token’
rc = http_req( 'POST': urt: *omit : result : *omit : poststring);


Sent:
{ "grant_type": "authorization_code", "client_id":"aShxEuPdB
9LKOMQxJnzsPIn4vX","client_secret":"vxDHSBDDo
6zxzy4Mh8qWEYzuWggo4Vqye6","refresh_tok
en":"hLP1LcX9IVsNzw-T3tTV7HRwg"}

Received:
{"error":"invalid_request","error_description":"Invalid redi
rect_uri. Expected type 'string' but found type undefined."}

Debug log:
Protocol Used: TLS Version 1.2
http_persist_req(POST) entered.
http_long_ParseURL(): entered
http_long_ParseURL(): entered
do_oper(POST): entered
There are 0 cookies in the cache
POST /oauth/token HTTP/1.1
Host: signin.testing.stampsendicia.com
User-Agent: http-api/1.43
User-Agent: http-api/1.43
Content-Type: application/json
Accept: application/json
Content-Length: 232
senddoc(): entered
{ "grant_type": "authorization_code", "client_id":"aShxEuPdB9LKOMQxJtp23OjnzsPIn4vX","client_secret":"vxDH1YlIsJ6Gi1HSgo4Vqye6","refresh_token":"hLP1LczNcylbxV7HRwg"}
recvresp(): entered
HTTP/1.1 400 Bad Request
Date: Thu, 01 Aug 2024 02:19:31 GMT
Content-Type: application/json
Content-Length: 120
Connection: keep-alive
CF-Ray: 8ac25800388f8006-IAD
SetError() #13: HTTP/1.1 400 Bad Request
recvresp(): end with 400
recvdoc parms: identity 120
header_load_cookies() entered
cookie_parse() entered
recvdoc(): entered
SetError() #0:
recvdoc(): Receiving 120 bytes.
{"error":"invalid_request","error_description":"Invalid redirect_uri. Expected type 'string' but found type undefined."}
SetError() #13: HTTP/1.1 400 Bad Request
http_close(): entered

I'm sure you've been to websites that have options that let you "sign in with Google" or "sign in with Facebook" something like that, right? Well, that's OAuth 2.0. One of the ways OAuth can be used is by having you call an authorize API, which in turn redirects the web browser to a site... I used Google and Facebook as examples, but in this case it's probably the stamps site. So a web page comes up, the user then has to agree that the site requesting auth is allowed to use whatever features in the service. Then that page redirects back to your application.

So that is what the redirect uri would be used for... to tell whatever site is authenticating where to redirect back to.

This is VERY complex to set up in RPG because RPG doesn't run in a web browser. So how is it going to display a web page for your user to authorize you in?

I've made it work in the past by opening the browser (using something like STRPCCMD if running in a green-screen) and then after the authorization is done, have it redirect back to a custom-written program running on your IBM i. Then that program can accept the authorization info and send it (via data queue, for example) back to the original RPG program that started the process.

But it's really complex. This sort of scenario is really NOT designed for server-side usage -- it's designed for an application that runs interactively in a browser. It's not a problem if you are writing a web application (using CGIDEV2, eRPGSDK, or any of the various commercial tools designed for writing web apps from RPG) but not so easy if you are working in a green-screen or non-interactive program.

You might see if this site has another way. For example, Microsoft 365 supports the "redirect" method that you're describing and they call it "working on behalf of a user", but you can also do it with an "authorized application", where it doesn't need to work in conjunction with a browser. Both are OAuth 2.0. But doing it without a browser involved will make this much less difficult.

Hello Scott,
thanks for giving insight. I forgot to give this detail in my previouspost.

I kind of thought it will be difficult to handle redirect option in RPG. So already have plan discussing with provider is not to get authorization code with in RPG but to use web browser one time, get authorization code which is valid for a minute.
So the steps are:
1. User web brower, get authorization code by providing user ID and password (i am going that)
2. Use that authorization code in RPG to call oauth/token to get access token and refresh token
{
"grant_type": "authorization_code",
"client_id": "string",
"client_secret": "string",
"refresh_token": "authorization code returned from the browse"
}
3. Store refresh token in as400 database (this is parmanent, never expiry).
4. Above mentioned 3 steps are one time and i have refresh token stored in my database
5. Every time(when ever i need to make abel API call), first i call oauth/token to get latest access token by passing refresh token(this is to ensure my label API call does not fail because of expired access_token)
5.1 First i call oauth/token with grant_type "refresh_token" to get latest access token as given below
{
"grant_type": "refresh_token",
"client_id": "string",
"client_secret": "string",
"refresh_token": "refresh token that was stored in local database from the first call with auth code"
}
5.2 label API call passing latest retrieved access_token passing Authorization: Bearer "latest access token"

My current failure is in step2. According to provider documentation 2 parameters (authorization code in 4th parameter is passed, i am expecting result access_token and refresh_token with
{
"access_token": "string",
"refresh_token": "string",
"id_token": "string",
"token_type": "string",
"expires_in": "string"
}

This design we(me and provider stamps.com) cameup couple of days back and they said it should work fine. But now this step2 call (to get access/refresh token, why talking about redirect_URI, not sure (need to talk to provider)?

Note: Redirect_URI should be only involved to get authorization code which i am doing in the browser (one time out side RPG code) and getting authorization code that i am using in RPG to call oauth/token to get access/refresh token.

Want to mention that after i get authorization code, i am running RPG program to call oauth/token API with in seconds (providing authorization code) to ensure authorization code does not expire.

You should ask stamps.com if they offer a server to server OAUTH option. I encountered similar problems to yours with Zoom but once I discovered the server option it was trivial.

The interface you are using is intended for browsers - not really for system to system. See if they offer that option. If not there are ways of doing it without manually using the browser but it is messy.

You should ask stamps.com if they offer a server to server OAUTH option. I encountered similar problems to yours with Zoom but once I discovered the server option it was trivial.

The interface you are using is intended for browsers - not really for system to system. See if they offer that option. If not there are ways of doing it without manually using the browser but it is messy.