Rocket Modern Experience (formerly LegaSuite)


Calling a REST service using OAuth2 authentication

  • 1.  Calling a REST service using OAuth2 authentication

    Posted 04-22-2022 08:36
    Edited by Roger Van Valen 07-11-2022 05:57
    So you are using OAuth and perhaps also an identity provider for authorization and authentication, and you are using services that need authentication through this OAuth2 token.

    How to set this up with Rocket MX Web?

    This example shows how an OAuth2 token can be used to collect user information from the Keycloak APIs. Keycloak is a tool that can be configured as an identity provider (OpenID Connect) as well as an OAuth2 server. The examples given are indicative, as the actual code can differ based on the OAuth2 server and/or identity provider used and its configuration.

    To start, either in index.html or in index.jsp the client code for your OAuth2 server needs to be included.
    In this example this is keycloak.js, which is obtained directly from the authorization and authentication server in use (a local Keycloak instance on port 8080):
    (screenshot: Include client code)
    In this example we initialize the authorization object on start of the web client. When the user is already logged on and has a token, the OAuth2 code from Keycloak will use the already logged-on details. Otherwise the user will be prompted for authentication and the client will start after this has been done.
    (screenshot: Execute initialization code)
    Once this is done, we have stored a JavaScript object for authentication on the window as OAuthClient.
    This object is accessible from JavaScript and contains the token that we will need to pass to the services.
    In the example we will invoke the REST service 'openid-connect/userinfo' to get information about the currently logged-on user. This is an API that Keycloak provides and which is authorized using an OAuth2 token.

    In this first example all handling is done on the JavaScript side, in the client.
    A JavaScript function will get the token from window.OAuthClient, pass it in an HTTP request and obtain the user information through the API.
    On success, it will populate a TextArea widget with the returned contents of the request.
    (screenshot: Example pure client script)
    To call the service from the engine instead of the web browser, the token can also be passed along to an MX script function.
    As the token is known to the client in JavaScript, the MX script function needs to be invoked from there and the token can be passed as an argument.

    The function in Rocket MX script could look as follows:
    (screenshot: MX script function)
    This script can be executed from JavaScript when the hostApi is configured to allow this.
    The JavaScript can be executed from a button or other event, whenever the service needs to be called.
    The JavaScript will need to get the token and pass it to the function, so the MX function can use it to invoke the REST call.

    (screenshot: JavaScript function calling the MX script function)

    When using a service definition to call a REST (or other) service from Rocket MX Web, the token can be passed as an extended header on the request. The token can be passed in a global variable.

    In this example the global variable 'BEARER_TOKEN' is the variable referenced by the service:
    (screenshot: Service definition)

    To set the token just before executing the service, a short MX script can be used.
    This example takes the token as an argument (it will again receive it from a JavaScript function call) and stores it in the global variable 'BEARER_TOKEN'.
    Next the service will be invoked; in the example this is done by pressing a hidden button 'BUTINVOKE'.
    (screenshot: MX script InvokeService())
    Lastly, again a short JavaScript function is required, as the token is known in the client.
    This script will check the validity of the token and refresh it when expired, and then call the MX script with the token, which in its turn invokes the REST service:
    (screenshot: JavaScript invoking InvokeService)

    In these three examples, the token is checked for expiration and refreshed when expired on every request.
    Depending on the OAuth server and its configuration, the global may be set and updated only when the token expires (when known), which could help to improve performance. Whether or not that can be done depends on the configuration of the OAuth server and services.

    Roger van Valen
    Senior manager, software engineering
    Rocket Software
    Dordrecht, The Netherlands
    #Authentication #LegaSuite #OAuth #MXWeb #Security #RocketModernExperienceWebedition #Service