- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 12:05 PM
Some services I am working with require a REST Post to an authorization endpoint obtain a session token to be used in the header in subsequent REST calls. The authorization endpoint requires the account credentials to be passed in a JSON object in the request body.
This can be accomplished easily enough in SnapLogic by using a JSON Generator and a REST Post Snap.
However, this is not ideal from a security or account management perspective because the account credentials are stored directly in the pipeline in plain text and not as an account object.
Is there a better way to store credentials and use them in a pipeline for services that use this kind of authentication pattern?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-07-2020 04:26 PM
@jervin @Spiro_Taleski @kamalaker.pinna Actually this is possible but this is somewhat of an undocumented feature that does not have finished integration with our UI - however I will describe how this can be done with the REST Snap Pack’s Basic Auth and OAuth accounts.
The REST Snaps (POST/GET etc) are able to reference the account configured on the Snap through a special account variable, account
.
This is different that how standard variables are referenced; per-document variables that come from an input document have the "$"
prefix (e.g. $someField
, whose value can be different for each input document to the Snap) and pipeline variables, called Pipeline Parameters, that are static for the pipeline execution lifecycle and denoted with the underscore prefix (e.g. _someParameter
).
However, if a field is expression-enabled and uses a value of account
in the REST Snap Pack, a reference to the account (if compatible) can make some fields from that account accessible to the Snap configuration.
Unfortunately our UI integration here is incomplete here for Basic Auth and it will generate a UI error, but the account data binding will actually work correctly.
So for a Basic Auth account, you could do the following:
The account.username
and account.password
account variables will bound to their respective values and then sent as part of the HTTP request body.
For OAuth 2.0 accounts, the only account variable field available is account.access_token
(which is mentioned on the documentation) - this gives access to the OAuth access token.
It may be possible to use this technique to simplify and secure your solution, but it does have some downsides in terms of our product interface experience plus the complications that can arise when the Snap attempts to use the account credentials in the way it expects in addition to the customizations made to the request by the user.
Perhaps you can try this out and let me know your feedback please.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-08-2020 12:48 PM
@kamalaker.pinna yes, I hinted at this wrinkle in my last post - my concern is leveraging a Basic Auth account (that is what you are using, correct?) to use for non-Basic Auth authentication will result in a “Authorization” header still being added to the request and the Docusign API complaining about that.
(Perhaps you could confirm by adding an Authorization header in Postman with a “Basic XYZ” random value and observing whether the API complains in the same way. If so, does it do the same if the Authorization header value is empty?).
However, I see you are using the Legacy Authentication mode with DocuSign. I just tried to do the same but it seems that that auth mode is no longer officially supported with REST API v2.1.
I did set up an OAuth flow with DocuSign and was able to successfully authenticate and retrieve account data with the REST GET and REST OAuth 2.0 Snap Account - would you like me to document how to do that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-08-2020 11:17 AM
Please read account.passowrd as account.password.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-08-2020 11:48 AM
@kamalaker.pinna I think you need to click the ‘=’ button to enable the expression.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-08-2020 12:33 PM
Thanks @Jervin, API call is failing even after changing the expression but this time i am able to see the credentials substituted from the account ref functions.
Whole point to refer account is to access the encrypted password in a secure way but when the pipeline fails SnapLogic is publishing the credentials (Clear Text password’s) in the error log which is again a security concern for us.
Is there any other way?
Thanks,
Kamal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-08-2020 12:58 PM
@robin, Yes i am using REST Basic Auth Account.
Please help with the document.