Hello there,
We have a requirement to use OAuth2.0 access token for the RESTful web service AFX connector.
Could anyone please help me with the configuration under the settings tab for the parameters and how to it for the login capability?
thanks,
Neeraja Mahajan
The basic settings you need for any OAuth2.0 client are:
You need to get the above details from your endpoint (depending on what it is).
Depending on your endpoint, if you need to pass extra parameters for the OAuth2.0 token request, use the Add More Parameters button.
After you fill in your OAuth2.0 details, click the Get OAuth2.0 Access Token so the connector can get the token.
Make sure your endpoint provides some sort of refresh token along with the access token so that the IGL OAuth service can auto-refresh the access token before it expires. For example: MS Azure Graph API requires adding the offline_access scope so that it returns a refresh token with the access token.
Here is an example from my lab's MS Azure Graph API connector:
To reference the OAuth2.0 token in your capabilities, all you need to do is add an extra header as seen below:
The header and variable names/values are case sensitive. Please copy paste them exactly as shown below.
Authorization: Bearer ${Settings.access_token}
Here is an example from one of my capabilties for the same connector above:
If you only need the OAuth2.0 token to call your capabilities, then you do not need to use the Login capability at all.
You only need to use the Login capability if your endpoint requires the OAuth2.0 token first to generate a session token, then use that session token in the actual capabilities.
Hope this helps!
Thank you Mostafa Helmy ,
this was very much useful, i will ask the important parameters for the configuration to the team and try to configure it.
thanks again,
Neeraja Mahajan
Hello Mostafa Helmy ,
I have another question on this scenario, can we use this, as a POST call for the login capability of the connector?
because, we do not have Access Token URL and GET method is not allowed for the request.
Thanks,
Neeraja Mahaja
I'm not sure, but I don't think you can use the Login capability to get the OAuth token.
If this is standard OAuth2.0, you should not have any problems with it.
Hi Neeraja,
If your ask here is to get dynamic token through login capability, then you can use the POST Method with request header and body. Assuming that the POST method would give the access token in the response.
You would need to query the access token from the API response.
eg:
This access token can be made use of, in other AFX capabilities :
hello Jesvin Joseph ,
Yes, as we are not getting the expected results without Access Token URL.
Will try that and will get back to you if this works.
Would you please let me know a sample request and response parameter too to implement this?
Thanks,
Neeraja Mahajan
Can I replicate the following Postman request, with an empty body using Login capability of RESTful connector for OAuth2 access token:
PS: here Username and Password are the ClientID and ClientSecret.
I get error like "Failed to process Expression Evaluation "json:access_token" , if i follow what you suggested.
Please advise!
Thanks,
Neeraja Mahajan
Hi Neeraja,
You would probably need to pass the client ID & Secret as part of this login API call. The Client ID and secret that you have passed in the settings page will not be taken up automatically.
Also, try debugging the AFX logs - 000030219 - How to turn on debug logging to troubleshoot AFX connectors in versions 7.0.1 and higher of RSA Identity Governance & Lifecycle
Here is a sample :
Thanks for the quik response Jesvin Joseph , however we have 2 URLs here, one for the Application's and Authorization URL for OAuth2 access tokens.
Can I use the Authorization URL in the path of the Login capability?
I tried the solution you have provided, but there is no go
Thanks,
Neeraja Mahajan
No that is not possible. All capability paths are relative to the main URL in the settings.
Sorry but I don't understand why are you not able to use the standard OAuth2.0 request in the Settings area? It seems you are trying to reconfigure the same thing in the login capability while it should work if you simply use the OAuth2.0 part.
Hello Mostafa Helmy ,
According to the parameters provided to us from the application team, we just have access token URL with client id and client secret and host of the application with its API paths, hence it is not working as the connector expects Authorization URL too.
When I try to configure both in one connector it doesn't work for me.
Can you advise me on how to proceed further?
Thanks,
Neeraja Mahajan
That doesn't sound like the standard OAuth 2.0 authentication flow.
It might be a different type of OAuth flow, but I believe we do not support that today.
Yes, we have a different host for OAuth2.0 and a different one for Application.
The application is independent host, but it utilizes the OAuth2.0 bearer access token for authorization.
It was because of this reason I wanted to use Login to get the access token which I am able to get.
I m using OAuth2.0 host in the connector settings and configured Login to get OAuth2.0, in Create Account capability I am using Application's URL.
I m able to get OAuth2.0 access token and it is getting passed in Create Account request header, but it fails as in the common settings there is a different Host, unknown to the Application.
Is there a way we can override the host in the Create Account request header? if yes I can ask my application team to modify the request header accordingly?
Let me know, if what I am thinking can be a workaround?
Thanks,
Neeraja Mahajan
Another workaround I thought was using Rest Node in workflow, getting the Access token in a workflow variable and passing it to another Rest Node to create an account, but there is no JSON response type variable present
Hi Neeraja,
Have you thought about creating two AFX connectors, one pointing to the OAuth2.0 host and path and the second connector pointing to the application.?
You can then call the connector 1 in a provisioning command node, take the token response and then use it in the workflow to pass it on to the session token parameter of the second connector.
This is in theory, I have not set it up myself. Hope it works for you.
Hello Jesvin Joseph ,
Yes I have made two connectors and they work well, I need to check in which variable i can get the response of OAuth2.0 connector, need to check in which variable it will be captured.
Hi Neeraja,
Not sure if the REST response gets captured in any variable.
Mostafa Helmy may be able to help you here.
The Table - t_av_afx_request_history contains the AFX responses, check if you can query the response value from there.
Hello Jesvin Joseph and Mostafa Helmy ,
Could you please help me in capturing the response in the REST node in workflow, I get 200 OK but with "Invalid configuration".
Please find the screenshots of my workflow:
I am trying to capture the Session Token in the REST node's response.
I have also raise RSA Case for this, waiting for the solution.
Thanks,
Neeraja Mahajan
Sorry I've been very busy lately. I can tell you that what you are trying won't be possible for the following reasons:
It's all unlucky You can create an idea on RSA Ideas for RSA Identity Governance & Lifecycle to support your type of OAuth in our AFX REST connector.
Thanks for the update Mostafa Helmy !
I have tried all the ways now , the only way left is keeping a provisioning and storing the response of provisioning command somewhere in the database and using it later. Will this approach work? If yes, could you please tell me how to save the result generated from provisioning command node in the database, which table it will affect?
Thanks,
Neeraja Mahajan
The basic settings you need for any OAuth2.0 client are:
You need to get the above details from your endpoint (depending on what it is).
Depending on your endpoint, if you need to pass extra parameters for the OAuth2.0 token request, use the Add More Parameters button.
After you fill in your OAuth2.0 details, click the Get OAuth2.0 Access Token so the connector can get the token.
Make sure your endpoint provides some sort of refresh token along with the access token so that the IGL OAuth service can auto-refresh the access token before it expires. For example: MS Azure Graph API requires adding the offline_access scope so that it returns a refresh token with the access token.
Here is an example from my lab's MS Azure Graph API connector:
To reference the OAuth2.0 token in your capabilities, all you need to do is add an extra header as seen below:
The header and variable names/values are case sensitive. Please copy paste them exactly as shown below.
Authorization: Bearer ${Settings.access_token}
Here is an example from one of my capabilties for the same connector above:
If you only need the OAuth2.0 token to call your capabilities, then you do not need to use the Login capability at all.
You only need to use the Login capability if your endpoint requires the OAuth2.0 token first to generate a session token, then use that session token in the actual capabilities.
Hope this helps!