Authentication Callback in JS for Model Services

  • Idea
  • Updated 2 years ago
I'm trying to create a Model Service that connects to our internal APIs. In order to connect to our APIs we'd need to use our authentication method (which we cannot yet do until "ModelServiceAuthProvider" becomes available). Might I suggest an alternate route: create a custom authentication JavaScript callback. Meaning, in order to authenticate, a JavaScript method would be called to get the authentication headers and pass them to Skuid to make the service call.

Mordechai


Posted 3 years ago


Zach McElrath, Employee

Mordechai,

Can you describe your authentication process? You may be able to use the "Separate Authentication URL" option for Model Service Authentication that we already have to achieve what you're after. Basically the idea is that you do an initial request to authenticate to an "Authentication URL", passing in for example a username and password or other information that would authenticate you to your internal authentication APIs. And your internal authentication API would return back an "access token" that you could then pass along as a header or body parameter with all subsequent requests to data APIs for your Model Service.

Mordechai

Zach,
The way our authentication mechanism works is that there's a public/private key pair that is used to sign each request before sending. We do not need to request a session / bearer token with credentials. The signing of the URL would happen in Apex.

Zach McElrath, Employee

Hmm. In that case, you're probably going to have to set up your own Apex REST endpoint that functions as a proxy to your external services, which would sign all requests and then proxy them along. Then you would add a Skuid Model Service that calls your own Salesforce org as its Service URL / Endpoint.

I'm not sure how much freedom you have to change your internal APIs, but an alternative might be to use a Mutual SSL approach, which Skuid supports as of Banzai Update 7, where you specify a Client Certificate which Skuid would present with all requests to your internal API, which your internal APIs could use to positively, uniquely identify the sender. Just another idea.

As far as Skuid supporting a native capability here, I think we'd have to expose the ModelServiceAuthProvider interface and you'd have to write Apex in order for this to be possible securely -- I don't think a JS-only based approach would suffice here due to the inability to protect the keys being used to sign the requests. That would be an ideal Apex level functionality. 

Mordechai

Zach,
Honestly, I was hoping to use the ModelServiceAuthProvider interface but it is not yet available.

I was hoping to not have to make an Apex class to make the requests.

Thanks

Mordechai

Zach, is there any update as to the expected release date for this?

Another point: the idea of using a JS-based approach was that the JS would make a call to Apex to sign the request and return the signature. The signature would be unique to that request.

Thanks again,
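
The signing arrangement discussed in this thread (a server-side signer that holds the private key, and a signature that is unique to one request), as an added example that is not part of the original posts and is not Skuid or Apex code. Assumptions: Node.js stands in for the server-side Apex layer, and the Ed25519 key pair, the `/api/orders` paths, the allowlist and the 300-second timestamp window are all hypothetical.

```javascript
// Added example: Node.js stands in for the server-side (Apex) signer.
const nodeCrypto = require('crypto');

// Constructed demo key pair. In the design discussed above the private key
// stays on the server and is never delivered to browser JavaScript.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Hypothetical allowlist: a signer reachable from page JavaScript should only
// sign the calls the page is meant to make, not arbitrary caller input.
const ALLOWED = [/^GET \/api\/orders\/\d+$/, /^POST \/api\/orders$/];

// The canonical string binds the signature to one method, path, body and time.
function canonicalize(req) {
  const bodyHash = nodeCrypto.createHash('sha256').update(req.body || '').digest('hex');
  return [req.method.toUpperCase(), req.path, bodyHash, String(req.timestamp)].join('\n');
}

// Server side: sign one request, refusing anything outside the allowlist.
function signRequest(req) {
  const line = `${req.method.toUpperCase()} ${req.path}`;
  if (!ALLOWED.some((re) => re.test(line))) {
    throw new Error('request not allowed for signing');
  }
  // Ed25519 takes no separate digest algorithm, hence the null argument.
  return nodeCrypto.sign(null, Buffer.from(canonicalize(req)), privateKey).toString('base64');
}

// Internal API side: reject stale timestamps, then check the signature
// against the same canonical string using only the public key.
function verifyRequest(req, signatureB64, nowSeconds, maxSkewSeconds = 300) {
  if (Math.abs(nowSeconds - req.timestamp) > maxSkewSeconds) return false;
  const sig = Buffer.from(signatureB64, 'base64');
  return nodeCrypto.verify(null, Buffer.from(canonicalize(req)), publicKey, sig);
}

// Constructed sample request.
const sample = { method: 'GET', path: '/api/orders/42', body: '', timestamp: 1700000000 };
const sampleSig = signRequest(sample);
console.log('same request verifies:', verifyRequest(sample, sampleSig, 1700000010));
console.log('altered path verifies:',
  verifyRequest({ ...sample, path: '/api/orders/43' }, sampleSig, 1700000010));
```

A signature issued for one request fails verification when the path, body or method changes, and expires with its timestamp, so what reaches the browser is a single-use authorization rather than key material.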