Inbound REST endpoint restricted to OAuth Authentication

James Proske
Kilo Expert

I am having difficulties understanding OAuth for inbound REST requests.  I believe I understand the value of OAuth but must be missing a concept or configuration.

I started with a scripted REST API using basic authentication.  This is for a system-to-system interface, and our internal security requires that only a single user profile be able to access this endpoint.  To that end we set up an ACL and required the resource to use that ACL, which was granted to the single user profile.  This works as advertised, as no account other than the one with that ACL (associated through a role) is able to use the endpoint.

What I do not understand is how to constrain my scripted REST API to require OAuth for authentication and not permit basic authentication.  I can create an OAuth API endpoint.  Here it requires my username and password to obtain the tokens (refresh and access).  The tokens are then used in the header for the REST POST to my endpoint.  My questions are:

Are the issued tokens somehow associated with the user that obtained the access token?  How/where is this related?  I can see, by getting tokens with different people, that each request uses the proper authentication.  What I cannot see is what token goes to what user profile.  It sounds like, from a security perspective, I should be able to see this.

What stops the use of basic authentication?  As the user I can still consume the service using basic authentication.  Is this normal?

Thanks.

1 ACCEPTED SOLUTION

I agree with you.

An OAuth incoming request will have an Authorization header with a Bearer token (basically the access token prefixed with the word Bearer); below is an example:

Authorization: Bearer 2Bbl7miNvmzQbqCXYunzTzyfLCW8CSAX4V_

A Basic Authentication request will have an Authorization header that begins with the word "Basic"; below is an example:

Authorization: Basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy

I don't know how to tackle this situation if you are using the OOB Table APIs, but if you are using a Scripted REST API for inbound requests, then in the script part of the Scripted REST API Resource put in the lines of code below to restrict Basic Authentication:

(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {

    // Reject requests that authenticated with HTTP Basic. getHeader() returns
    // null when the header is absent, so default to '' rather than calling
    // indexOf() on undefined. The scheme name is case-insensitive (RFC 7235),
    // so match it case-insensitively and anchored at the start of the value,
    // not anywhere in the string.
    var authHeader = request.getHeader('Authorization') || '';
    if (/^Basic\s/i.test(authHeader)) {
        response.setStatus(401);
        response.setHeader('WWW-Authenticate', 'Bearer');
        return { "response": "Basic Authentication is not supported" };
    }
    var requestBody = request.body;
    var requestData = requestBody.data;
    // Your code continues .......

})(request, response);

Hope this answer will at least help you achieve some of your requirements.

Thank you,

Aman Gurram

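The header check in the accepted answer hinges on one detail the post does not spell out: the auth-scheme in an Authorization header is a case-insensitive token, and a substring test for "Basic" both misses a lower-case "basic ..." and wrongly rejects a Bearer token whose text happens to contain "Basic". The following is an added example, not code from this thread or from ServiceNow, that parses the scheme per RFC 7235 and compares the naive "contains Basic" check against a hardened "scheme must be Bearer" check. It runs stand-alone under Node.js; the request/response objects are constructed doubles that model only the getHeader(), setStatus() and setHeader() methods used here, and the sample header values (the first two copied from the answer above, the rest made up) are constructed test input.

```javascript
'use strict';

// Parse an Authorization header value per RFC 7235:
//   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
// The scheme is a case-insensitive token, so it is normalised to lower case.
function parseAuthScheme(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)(?:\s+(\S.*?))?\s*$/.exec(headerValue);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), credentials: m[2] || '' };
}

// The check as posted in the thread: reject any value containing "Basic".
// (The posted version also throws when the header is absent, because it
// calls indexOf() on undefined; the typeof guard here only avoids that.)
function naiveRejectsBasic(headerValue) {
  return typeof headerValue === 'string' && headerValue.indexOf('Basic') > -1;
}

// Hardened check: the request must carry a non-empty Bearer credential.
// Anything else (Basic in any letter case, other schemes, no header) fails.
function isBearerRequest(headerValue) {
  const parsed = parseAuthScheme(headerValue);
  return parsed !== null && parsed.scheme === 'bearer' && parsed.credentials.length > 0;
}

// Stand-in for the body of a scripted REST resource. It mirrors the shape of
// ServiceNow's process(request, response) function and calls only
// getHeader(), setStatus() and setHeader(); the objects it receives below are
// constructed doubles, not the platform's RESTAPIRequest/RESTAPIResponse.
function processRequest(request, response) {
  const authHeader = request.getHeader('Authorization');
  if (!isBearerRequest(authHeader)) {
    response.setStatus(401);
    response.setHeader('WWW-Authenticate', 'Bearer');
    return { error: 'Only OAuth bearer tokens are accepted on this endpoint' };
  }
  return { ok: true, data: request.body.data };
}

// Constructed test doubles for the two platform objects.
function makeRequest(headers, data) {
  const lower = {};
  for (const name of Object.keys(headers)) lower[name.toLowerCase()] = headers[name];
  return {
    body: { data: data },
    getHeader: function (name) {
      const v = lower[name.toLowerCase()];
      return v === undefined ? null : v;
    }
  };
}

function makeResponse() {
  return {
    status: 200,
    headers: {},
    setStatus: function (code) { this.status = code; },
    setHeader: function (name, value) { this.headers[name] = value; }
  };
}

// Constructed sample header values. Each is pushed through both checks so the
// divergence between "contains Basic" and "scheme is Bearer" is visible.
const SAMPLES = {
  bearer:     'Bearer 2Bbl7miNvmzQbqCXYunzTzyfLCW8CSAX4V_',
  basic:      'Basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy',
  lowerBasic: 'basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy',   // same credentials, lower-case scheme
  bearerWithBasicInToken: 'Bearer abcBasicxyz',                       // valid scheme; token text contains "Basic"
  missing:    undefined
};

function runSamples() {
  const results = {};
  for (const name of Object.keys(SAMPLES)) {
    const value = SAMPLES[name];
    const req = makeRequest(value === undefined ? {} : { Authorization: value }, { id: 1 });
    const res = makeResponse();
    processRequest(req, res);
    results[name] = { naiveRejects: naiveRejectsBasic(value), status: res.status };
  }
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Two things the output makes visible: the lower-case "basic" request sails past the substring check but gets a 401 from the scheme check, and the Bearer token containing "Basic" is wrongly refused by the substring check but accepted by the scheme check. Note also that on a scripted REST resource with "Requires authentication" enabled the platform has already validated the caller's credentials before the script runs, so a check like this can only refuse to serve a Basic-authenticated caller; it does not stop the credentials themselves from being accepted by the instance.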


p_espinar
Kilo Guru

Hello James,

I do not know if this is your question, but I think OAuth works the following way: the first request sends username/password together with the token request. Then SN answers with a token with the permissions of that username/password "transferred" to the token. For the subsequent requests you only need the token, until its end of life, or refresh it.

As far as I know, I think there is no way to disable basic authentication.

Regards,
Pablo Espinar
Consultant at Econocom Spain

Please mark this response correct if I've answered your question. Thanks!

James Proske
Kilo Expert

That would be disappointing, as we then cannot control the security. What would the benefit be of allowing OAuth for inbound requests if any authentication method will work?


James Proske
Kilo Expert

Wow, this is awesome.  I will still ask ServiceNow Product Management if there is something on the roadmap, but this is a great option.