ibmi-brunch-learn

Web Services API authentication question...

  • Web Services API authentication question...

    I've encountered this requirement before and posted a similar question on another forum, but never really resolved it (didn't have to pursue).

    A web services API is requiring the following in the header of the XML requests:

    PUT https://api.url.com/v2/api-object
    Authorization: OAuth2 <base64 encoded token>
    Content-Type: application/xml

    I would like to use the HTTPAPI tools to communicate with these APIs, but I'm not sure how to handle the authentication. Has anyone encountered this before, and if so how did you handle it?

    Thanks,
    Greg

  • #2
    Re: Web Services API authentication question...

    HTTPAPI is an HTTP transfer tool. It is not specific to web services, it can be used for any sort of HTTP communications. This has served us well because when REST web services became popular instead of SOAP, HTTPAPI was all ready to do them. (Whereas the IBM IWS tools, for example, needed a major rewrite.) Likewise, HTTPAPI can be used to upload/download files, read web pages, etc... there's nothing specialized to web services in HTTPAPI. To do the web service logic, you have to write your own code to calculate the document and its contents, and then you can use HTTPAPI to send/receive it.

    OAuth is no different in this respect. HTTPAPI does not know anything about OAuth, but if you can write/download/buy routines that do the OAuth calculations, you can use HTTPAPI to send/receive that data from the HTTP server. I can show you how to add an 'Authorization:' header, that's not difficult -- the difficulty is coming up with the data to put into the header.

    I have not personally run into the need for OAuth, so have not coded it. I do know that other people have done so, or at least done similar things. I also know of some web services that have invented their own authorization scheme that's only used by them, and I have assisted people with implementing that in HTTPAPI as well. It always goes the same way, they have to find/write the routines to calculate the values, and I show them how to stick those values into the request sent by HTTPAPI.

    I know that's not as helpful as you want -- I can't point you specifically towards how to do it. But, maybe helps you understand?

    I would suggest perhaps looking at the archives of the HTTPAPI/FTPAPI mailing list to see if someone has posted examples of OAuth. Or even maybe join the list and ask the people there -- as there are a lot more people using HTTPAPI on that list than there are in these forums.

    Archives: http://www.scottklement.com/archives/ftpapi/
    List signup: http://www.scottklement.com/mailman/listinfo/ftpapi


    • #3
      Re: Web Services API authentication question...

      Scott - thanks for the quick response and explanation. You have helped me quite a bit in the past with HTTPAPI and other tools.

      They are telling me it's as simple as adding "Authorization: OAuth2" (followed by a token they provide) to the header of the XML document I'm going to put/post.
      I will look through the archives link you provided.


      • #4
        Re: Web Services API authentication question...

        To do that, you would code a subprocedure like this:
        Code:
        P AddHeader       B                               
        D                 PI                              
        D   Headers                  32767a   varying     
        D CRLF            C                   x'0d25'
         /free                                            
            Headers = 'Authorization: OAuth2 ' + YourToken + CRLF;
         /end-free                                        
        P                 E
        Before calling a routine to run your post/get request, you need to register this subprocedure with HTTPAPI like this:
        Code:
           http_xproc( HTTP_POINT_ADDL_HEADER: %paddr(AddHeader) );
        When HTTPAPI does the post/get request it will call the subprocedure you specified (named 'AddHeader' in this example, but you can call it anything you like as long as the %paddr() above matches the name you used and the parameters match.) It will take whatever this subprocedure outputs and add it into the HTTP headers for your request.

        So you can see it's very easy to add the header in. The tricky part is coming up with the value for the token -- but I guess if they're just going to give you one that never changes and you just have to hard-code it into your program, it should be easy enough.


        • #5
          Re: Web Services API authentication question...

          Thank you (again) Scott!
          I almost got there reading the mailing list archives... I just wasn't sure how the http_xproc() worked.

          I typically store the token in a table somewhere - they do sometimes change.

          I will try that and update this thread accordingly... might be a few weeks from now.

          Thanks again,
          Greg


          • #6
            Re: Web Services API authentication question...

            Hi, Greg.

            This thread caught my eye so I thought I'd throw in my 2 cents.

            We have written a few applications now that use OAuth 2.0. Mainly ones that use Google and Microsoft APIs for working with things like Google Drive, One Drive, Google Calendar, GMail, etc. All of these APIs require OAuth 2.0.

            The good thing is yes, HTTPAPI (or our GETURI product) should work just fine with this as it's simply additional data in the HTTP headers and/or making the request proper to the spec of the service provider.

            What you do need to worry about is the token and you should also have a refresh token and a token expiration date. So, each time you need to make a call using OAuth2 you'll want to check the expiration date compared to the current date and refresh the token if needed.

            I actually found that checking it for at least 15 minutes left and refreshing it then works a little better.

            So, each one of my calls that requires OAuth 2.0 looks like this:

            1. Check token expiration date vs today's date
            2. If expired or will expire within 15 minutes, request a new token (you send the refresh token with this). You'll then retrieve a new token, refresh token and expiration date
            3. Make your call using the current token

            Here's a request for refreshing a token (this example is using Google Cloud Print)

            Code:
            POST /o/oauth2/token HTTP/1.0
            Accept: text/html
            Host: accounts.google.com
            Content-type: application/x-www-form-urlencoded
            Content-length: 172
            
            client_id=xxxxxxxxxx.apps.googleusercontent.com&client_secret=mysecret&refresh_token=1/jYrIubNXa4Twie09LyyzSBRqDjf62wE2paa0rLrrX6g&grant_type=refresh_token
            Some JSON data is returned which we parse out to get the new token, refresh token and expiration date of that token.

            The nice thing about Google is they put together a playground for OAuth 2.0 which you can also learn a lot from.

            I almost forgot... a request using an access token would look like this:

            Code:
            POST /cloudprint/search HTTP/1.0
            Accept: text/html
            Host: www.google.com
            Content-type: application/x-www-form-urlencoded
            Content-length: 0
            Authorization: Bearer ya29.kAF73p6cFqmKGuvMIpOR9a59JuVUS8lCG3xxxxxqBeFuHhI
            This is a request to list available Google cloud printers for a specific ID. The "Authorization" header is used to pass along the Access Token.
            Last edited by bvstonebvstools; June 12, 2015, 08:42 AM.
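
The check/refresh/call sequence from post #6, together with the header line built in post #4, as an added Python sketch (not code from this thread or from HTTPAPI). `post_form` is a hypothetical stand-in for whatever sends the form-encoded refresh request and returns the JSON reply text; the reply is assumed to carry the standard OAuth 2.0 `access_token` and `expires_in` fields.

```python
import json
import time
from urllib.parse import urlencode

REFRESH_MARGIN = 15 * 60  # seconds; the 15-minute margin suggested in post #6


class TokenStore:
    """Holds the access token, refresh token and expiry (epoch seconds)."""

    def __init__(self, access_token, refresh_token, expires_at,
                 client_id, client_secret, post_form, now=time.time):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at
        self.client_id = client_id
        self.client_secret = client_secret
        self.post_form = post_form  # assumed transport: form body -> JSON text
        self.now = now              # injectable clock, so the logic is testable

    def needs_refresh(self):
        # Steps 1-2: expired, or expiring within the margin.
        return self.expires_at - self.now() <= REFRESH_MARGIN

    def refresh(self):
        body = urlencode({
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
            "grant_type": "refresh_token",
        })
        reply = json.loads(self.post_form(body))
        if "access_token" not in reply:
            raise RuntimeError("refresh failed: " + str(reply.get("error")))
        self.access_token = reply["access_token"]
        # RFC 6749: a new refresh token is optional; keep the old one if absent.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.expires_at = self.now() + int(reply["expires_in"])

    def authorization_header(self, scheme="Bearer"):
        # Step 3: hand the caller a header line built from a current token.
        if self.needs_refresh():
            self.refresh()
        # A stored token containing CR/LF would inject extra header lines.
        if not self.access_token or any(c in self.access_token for c in "\r\n"):
            raise ValueError("token is empty or contains CR/LF")
        return "Authorization: %s %s" % (scheme, self.access_token)
```

The CR/LF check matters when the token is read from a table, as in post #5, because the header callback concatenates it straight into the request headers.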


            • #7
              Re: Web Services API authentication question...

              [QUOTE=Scott Klement;79832]To do that, you would code a subprocedure like this:
              Code:
              P AddHeader       B                               
              D                 PI                              
              D   Headers                  32767a   varying     
              D CRLF            C                   x'0d25'
               /free                                            
                  Headers = 'Authorization: OAuth2 ' + YourToken + CRLF;
               /end-free                                        
              P                 E
              Before calling a routine to run your post/get request, you need to register this subprocedure with HTTPAPI like this:
              Code:
                 http_xproc( HTTP_POINT_ADDL_HEADER: %paddr(AddHeader) );
              When HTTPAPI does the post/get request it will call the subprocedure you specified (named 'AddHeader' in this example, but you can call it anything you like as long as the %paddr() above matches the name you used and the parameters match.) It will take whatever this subprocedure outputs and add it into the HTTP headers for your request.

              So you can see it's very easy to add the header in. The tricky part is coming up with the value for the token -- but I guess if they're just going to give you one that never changes and you just have to hard-code it into your program, it should be easy enough.[/QUOTE]


              This would be great for AS2 communications. I'm a Java developer and was considering writing a System i AS2 Java interface with RPG.

              AS2 is used for secure EDI data transfer using certificates between partners. Many trading partners require it.


              • #8
                I think my requirements are to go in the opposite direction. We have a company Portal which is an ExtJS front-end and System i backend, using the HTTP servers. We use a home grown method of receiving and authenticating our users. We would now like to do some type of SSO for our sales people coming in from Salesforce and our customers coming in from a Magento eCommerce site.

                Does anyone have suggestions on which road(s) to go down? It's all a blur to me.

                Thanks.
                Mike