Authentication with User Credentials via Rest Api

drieder
15-Moonstone

Hello Everyone,

 

I am developing an App with Ionic 3 and I would like to create a login Page in my App. The Login Page should take Username and Password and check whether these are valid credentials for a Thingworx User.

 

What would be the easiest way to achieve this via a rest call?

 

When you open the composer, a login prompt appears. It would be nice to simply use the service behind this login prompt (which also just takes username and password) in order to verify the user.

 

Any help is appreciated very much.

 

Best Regards,

Dominik

11 REPLIES 11
posipova
20-Turquoise
(To:drieder)
drieder
15-Moonstone
(To:posipova)

Hello @posipova,

 

thank you for your reply. Unfortunately this is not exactly what I was looking for.

 

I want the user to log in to my app, which has its own login "page". In this app I will make REST calls in order to retrieve Property Values of Things and to execute services. For these REST calls I want to use the User Credentials for authentication (not the application key as usual).

 

Because of that I simply want to check whether the given user with the given password is a legit Thingworx user.

On our Ionic Apps:

  • We use the Login/Password to get an appKey (automatically created upon request) and never store the Login/Password credentials on the device, just the temporal appKey "token"
  • After that we do the Rest API calls with the previous token/appKey

We have an old one done with Ionic 1 and the new one that we are developing with Ionic 4; here is a sample of the API call used to get the appKey:

 

 

login(username: string, password: string) {
  // Helper Thing/service that returns an appKey for the authenticated user
  var apiURL: string = "/Thingworx/Things/wupAppAuthenticatorHelpers/Services/GetAppKey_wupAppAuthenticatorTS";
  // Basic authentication value: base64 of "username:password"
  var encodedData = window.btoa(username + ":" + password);
  let headers = new HttpHeaders({
    'Content-Type': 'application/json',
    'Accept': 'application/json',
    'Authorization': 'Basic ' + encodedData,
    'Cache-Control': 'no-cache'
  });

  let httpOptions = { headers: headers /*, withCredentials: true */ };

  var content = JSON.stringify({ "context": this.conf.getAppContext() });

  // The credentials are only sent on this one request; the response carries the appKey
  this.http.post<any>(apiURL, content, httpOptions)
    .subscribe(
      res => {
        this.handleLoginResult(res);
      },
      err => {
        this.handleLoginError(err);
      }
    );
}

Where "wupAppAuthenticatorHelpers/Services/GetAppKey_wupAppAuthenticatorTS" is a helper thing/service that generates the appKey.

 

Then the rest of the calls should be something like:

let apiURL = "DesiredTWAPIEndPoint";
let headers = new HttpHeaders({
  'Content-Type': 'application/json',
  'Accept': 'application/json',
  'x-thingworx-session': 'true',
  'appKey': previouslyAppKeyReceived
});
let httpOptions = { headers: headers };
var content = JSON.stringify({ yourJsonContent });
this.http.post<any>(apiURL, content, httpOptions)
  .subscribe(
    res => { this.handleResult(res); },
    err => { this.handleError(err); }
  );

 

 

 

drieder
15-Moonstone
(To:CarlesColl)

This looks like something I would like to achieve. Gonna try this out and let you know how it worked.

 

How long do you keep these AppKey Tokens on the Thingworx Platform? If you create an appKey for every Login Request you will have a lot of created app keys after a while.

 

Are you deleting them manually or what do you do with these "expired" app Keys?

 

Best Regards,

Dominik

User experience on a Mobile App is usually log on once and forget... That's the reason to use the appKeys

 

Of course you can track API usage by users, and if they don't query anything for a month or similar you can automatically remove the appKeys (just add a Scheduler that does this check once in a while).
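The idle check such a scheduler could run, as an added example that is not part of the original post and not ThingWorx code. The record fields (`name`, `owner`, `createdAt`, `lastUsedAt`) and the function name are hypothetical, and the sample data is constructed.

```javascript
// Added example: pick the appKeys a cleanup scheduler should revoke.
// The record shape {name, owner, createdAt, lastUsedAt} is hypothetical;
// map it from whatever usage tracking the helper Thing keeps.
const DAY_MS = 24 * 60 * 60 * 1000;

function selectStaleAppKeys(keys, now, maxIdleDays) {
  const stale = [];
  const needsReview = [];
  for (const key of keys) {
    // A key that was never used is aged from its creation time.
    const ref = Date.parse(key.lastUsedAt ?? key.createdAt);
    if (Number.isNaN(ref) || ref > now.getTime()) {
      // Missing or future timestamps: do not guess, surface for review.
      needsReview.push(key.name);
      continue;
    }
    const idleDays = Math.floor((now.getTime() - ref) / DAY_MS);
    if (idleDays >= maxIdleDays) {
      stale.push({ name: key.name, owner: key.owner, idleDays });
    }
  }
  // Longest-idle first, so the scheduler log lists the oldest keys on top.
  stale.sort((a, b) => b.idleDays - a.idleDays);
  return { stale, needsReview };
}

// Constructed sample data (not real keys or users).
const sampleKeys = [
  { name: 'app-dominik-1', owner: 'dominik',
    createdAt: '2019-01-10T08:00:00Z', lastUsedAt: '2019-03-28T09:30:00Z' },
  { name: 'app-dominik-0', owner: 'dominik',
    createdAt: '2019-01-02T08:00:00Z', lastUsedAt: '2019-01-05T10:00:00Z' },
  { name: 'app-carles-0', owner: 'carles',
    createdAt: '2019-02-01T08:00:00Z', lastUsedAt: null },
  { name: 'app-broken', owner: 'test', createdAt: '', lastUsedAt: null },
];

const report = selectStaleAppKeys(
  sampleKeys, new Date('2019-04-01T00:00:00Z'), 30);
console.log(report);
```

Because one appKey is created per login, a user who logs in again leaves the older key behind; aging never-used keys from their creation time catches those as well.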

drieder
15-Moonstone
(To:CarlesColl)

"User experience on a Mobile App is usually log on once and forget... That's the reason to use the appKeys"

 

Could you please explain that in more detail? I don't understand the "forget" part.

Usually when you are on a mobile App the session "never" expires, that's why I say log on once and "forget".

drieder
15-Moonstone
(To:CarlesColl)

Alright I understand that. 

 

Could you also give me some hints how you wrote the AuthenticatorHelper?

 

How do you check whether a given User name and given Password are valid credentials? (and I guess only if they are the appkey is created)

The authentication is done by ThingWorx, so you don't need to handle it. The code attached to my first post has the clue for that:

// -- here you "encode" the data to be sent as Basic Authentication
var encodedData = window.btoa(username + ":" + password);

let headers = new HttpHeaders({
  'Content-Type': 'application/json',
  'Accept': 'application/json',
  // -- here you pass the Basic Authentication data
  'Authorization': 'Basic ' + encodedData,
  'Cache-Control': 'no-cache'
});

About the Application Key -> You have to create it with code when the user successfully logs in (that is what the AuthenticationHelper does).

 

About the AuthenticationHelper --> It's a bit complicated: to ensure security I've used REST API calls on the same ThingWorx server in order to "impersonate" the current user as a user which has Application Key creation permissions (current users shouldn't have this kind of permission).
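Added example, not part of the original posts: building the `Authorization: Basic` value used in the login call so that it also works for non-Latin-1 passwords, and decoding it again to show that base64 is an encoding, not protection, so the login request must only travel over HTTPS. The helper names are hypothetical, the credentials are constructed, and UTF-8 decoding on the server side is an assumption.

```javascript
// Added example: UTF-8-safe Basic credentials for the login request.
// basicAuthHeader / decodeBasicAuthHeader are hypothetical helper names.

function basicAuthHeader(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  // RFC 7617: the user-id must not contain ':' because the first colon
  // separates it from the password.
  if (username.length === 0 || username.includes(':')) {
    throw new Error('username must be non-empty and must not contain ":"');
  }
  // Encode to UTF-8 bytes first; btoa() alone throws on any character
  // above U+00FF (assumption: the server decodes the bytes as UTF-8).
  const bytes = new TextEncoder().encode(username + ':' + password);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

// What any party that sees the header can do: recover both values.
function decodeBasicAuthHeader(header) {
  const match = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(header);
  if (!match) throw new Error('not a Basic Authorization header');
  const bytes = Uint8Array.from(atob(match[1]), c => c.charCodeAt(0));
  const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  const sep = text.indexOf(':');
  if (sep < 0) throw new Error('missing ":" separator');
  // Only the first colon is a separator; the password may contain more.
  return { username: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Constructed sample credentials (not a real account).
const sampleHeader = basicAuthHeader('dominik', 'pässword:with:colons');
console.log(sampleHeader);
console.log(decodeBasicAuthHeader(sampleHeader));
```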

drieder
15-Moonstone
(To:CarlesColl)

Thank you for your explanation, I think I understand now

slangley
23-Emerald II
(To:drieder)

Hi @drieder.

 

If one of the previous responses allowed you to solve your issue, please mark the appropriate one as the Accepted Solution for the benefit of others with the same issue.

 

Thank you for using our Community!

 

Regards.

 

--Sharon
