External REST data source authentication issue

I am having trouble connecting to a REST data source. It seems to be connecting to the right end point, but the only field it returns is the “message” field and when I add the message field to a table, the message field populates with “Authorization has been denied for this request.” I have checked my user name and password several times. I have tried different settings for the data connection, but they all result in error messages that the data resource could not be found. Any ideas?

Do you know what the expected authentication/authorization flow of your REST service is? And how credentials/tokens are supposed to be passed to the service? If so, please let us know so that we can advise you on how to accomplish that with Skuid.

===

More depth:

REST service authentication/authorization can be very complicated.

First, you need to determine how the REST service handles authentication and authorization.

If the REST service uses OAuth (or something like it), then you will need to communicate with an authentication service to exchange your authentication credentials (e.g., username and password) for an authentication token. You’d then exchange the authentication token with your resource service to get an access token (basically, a session Id). Only when you have the access token can you begin requesting data from the service.

Some REST services handle both authentication and authorization, but in separate steps. You’d call one function on the REST service to login, at which point you’d get an authorization or session token, then you’d use that token in lieu of credentials for your remaining requests.

Some REST services simply expect your credentials with every single request, and re-verify those credentials every time a function is called.

Once you’ve figured out your authentication/authorization flow, you still need to determine how the REST service expects to receive those credentials/tokens. Should they be included as URL parameters, in the request header, in the body? While some authentication flows have a specification (like OAuth and HTTP Basic Authentication), there’s no guarantee that your service perfectly obeys those specs. For example, popular services like Facebook have authentication flows that closely resemble OAuth but are different enough to be incompatible.

Skuid was designed to be very flexible and work with a wide variety of authentication/authorization flows, so once you’ve determined the correct way to authenticate/authorize your user with the service, it should be possible to set that up in Skuid.

Thank you for the response. Your explanation helped me understand what is happening (I think). Authentication seems to be working with “Shared User Name: Separate Authentication URL”, but then I need to retrieve the token and pass it in the header of each call. I see the Headers to send with every request section, but I can’t do anything with it. Under “Object” the only thing listed is “Blank Object”. Any guidance on how I can accomplish the connection would be greatly appreciated. Thanks

Hi Raymond,

The JSON Editor that we have right now is pretty unintuitive. You have to click on the “menu” icon to the left of the (empty object) label. Then you can click “Append”. After that, you can put in the headers that you need. For the “value” part of the header, you will probably want to merge in a value from your previous authentication request. It will be something like this…


{{$Auth.Response.Body.myToken}}

or this…

{{$Auth.Response.Headers.myResponseHeader}}

Ok, thanks. I tried both of those header values and got no satisfaction. Is there a way to find what the merge variable would be for my particular case? My auth URL end point is /security/token if that helps… Thanks

You will need to inspect the payload and headers that come back from the request to /security/token. If you can post that here (scrub out any tokens or credentials), then I can probably tell you what your merge value needs to be. Also, it’s important what your service is expecting in terms of the token. A lot of times it’s a header called “Authorization” and then the value would be “Bearer {{$Auth.Response.Body.access_token}}”. But this really varies from service to service. Is your service a public one whose documentation I could take a look at?

Thanks. Here is the API documentation: Orion Advisor Services · GitHub

Hi Raymond,

I looked through the documentation, but couldn’t find anything about the /security/token endpoint. Usually there’s a section of the documentation that talks about how to authenticate.

Thanks Ben, these are the header requirements: This goes in an ‘Authorization’ header: 'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(userName + ':' + password)). Any help on how I would formulate that would be greatly appreciated.

Oh, that’s just basic http auth. We have that built in! Just use the basic http auth setting and enter your shared username and password. Per user credential storage is coming in an upcoming release.

Thanks Ben, but when I use the basic setting, then I go to the page I am trying to build, on page load of the page builder, I get this error message: “Error retrieving metadata for Model(s) associated with Data Source ‘OrionConnect’. Please check Models’ properties to ensure they are set correctly. Error connecting to REST Data Source at URL “https://api.orionadvisor.com/api/v1/portfolio/accounts”: Unauthorized”. That is why I switched to the separate auth URL setting. When on this setting, I don’t get the error message. I also don’t get any data, so maybe it is the same thing…

Do you know what version of Skuid you have installed?

7.27

Hmm, that’s strange. It seems like it should be working unless your username and password are somehow wrong.

Yes, strange. I have checked it many times. I can use the same credentials to log in directly to their application and into their API tester and both work fine.

Could you show me how I would create the basic header and I can try using the Separate Auth URL setting?

Hey Raymond,

Based on the sample code in the GitHub repo, it looks like you must first connect to security/token using Basic authentication (putting the username and password in the Authorization header). The response you get back will be a JSON object with a property named access_token.

You would then include the access token in your API calls in the Authorization header, using something like “Session ”.

To support this with Skuid, select the separate authentication URL option. (https://api.orionadvisor.com/api/v1/security/token)

In the headers to send with the auth request, add the Authorization header with a value of “Basic {{$Auth.BasicAuth}}”.

Then, in your headers to send with every request, include an Authorization header with the value “Session {{$Auth.Response.Body.access_token}}”.

If my reading of the sample code for this project is correct, then the above should work for you. But you’ll need to check with the REST API developer/owner, since I could not find any documentation to back this up.

Thanks for the help on this. When setting up the headers, there is a “field” and a “value” . What should I be entering as “field”?

Assuming I understand the REST service correctly: Field = “Authorization”, Value = “Session {{$Auth.Body.access_token}}”

That is what I assumed. No luck. I thank you for your help. I’ll have to go to the developer. I doubt I will get their attention before January. I’ll post back here if I get this resolved. One last question. Is there a way to see what the actual GET request Skuid is sending looks like? Happy Holidays!
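For comparison against whatever a client actually sends, the two-step flow described in this thread can be built outside Skuid and printed with the secrets scrubbed. This is an added example, not code from the thread or from either vendor; it sends nothing over the network. The GET method for the token call, the "Session" scheme, and all sample credentials and tokens are assumptions or constructed values.

```python
import base64
import json
import urllib.request

BASE = "https://api.orionadvisor.com/api/v1"  # base URL quoted in the thread


def basic_value(username, password):
    """Basic scheme (RFC 7617): base64 of 'user:pass'. Encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(username, password):
    """Step 1: call security/token with the Basic header (GET is assumed)."""
    req = urllib.request.Request(BASE + "/security/token")
    req.add_header("Authorization", basic_value(username, password))
    return req


def data_request(token_body, path="/portfolio/accounts"):
    """Step 2: reuse access_token from the step-1 JSON body.
    'Session' is the thread's unconfirmed reading of the vendor sample code."""
    token = json.loads(token_body)["access_token"]
    req = urllib.request.Request(BASE + path)
    req.add_header("Authorization", "Session " + token)
    return req


def redacted(req):
    """Render a request for sharing: keep the scheme, hide the secret.
    A length of 0 means the token never made it into the header."""
    lines = [f"{req.get_method()} {req.full_url}"]
    for name, value in req.header_items():
        if name.lower() == "authorization":
            scheme, _, secret = value.partition(" ")
            value = f"{scheme} <redacted, {len(secret)} chars>"
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real token.
    print(redacted(token_request("demo_user", "demo_pass")))
    print(redacted(data_request('{"access_token": "constructed-token-123"}')))
```

Because the Basic value is only base64, anyone who sees the unredacted header can recover the password, so post the redacted form when asking for help.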