cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ThingWorx Navigate is now Windchill Navigate Learn More

Translate the entire conversation x

looking for a way to authenticate a ThingWorx user through a REST API.

rkandasamy
7-Bedrock
7-Bedrock
‎Jan 19, 2017 07:08 AM
‎Jan 19, 2017 07:08 AM

looking for a way to authenticate a ThingWorx user through a REST API.

Hi Team,

I want to authenticate a thingworx user by passing the username and password  to an api . Is there any API in thingworx for the same, which results the authentication status?

Edited: Also is it possible to retrieve the password for any given user in thingworx?

0 Kudos
Notify Moderator
7 REPLIES 7
posipova
20-Turquoise
20-Turquoise
(To:rkandasamy)
‎Jan 19, 2017 10:35 AM
‎Jan 19, 2017 10:35 AM

Wouldn't be possible OOTB, you may look into custom authenticators.

Refer to this chapter for the information on authenticator sample extension configuration:

Digital Media Publisher

Notify Moderator
ttielebein
14-Alexandrite
14-Alexandrite
(To:rkandasamy)
‎Jan 19, 2017 01:12 PM
‎Jan 19, 2017 01:12 PM

Yeah, a custom authenticator would do it. Here is a KCS Article on the subject. The authenticate method would not need to be complicated, just something like:

  String username = httpRequest.getHeader("Username");

  String password =  httpRequest.getHeader("Password");

 

  if(username.isEmpty() || password.isEmpty())

     throw new AuthenticatorException("User login info is empty in CustomAuth");

  try {

       // Checks that user exists and is enabled; throws exception if can't validate

       AuthenticationUtilities.validateEnabledThingworxUser(username);

       // Tells rest of ThingWorx which user is logged in for purposes of permissions, etc.

      this.setCredentials(username);

  } catch(Exception e) {

        //TODO implement logging

  }

So if you sent a request with a header that contained Username and Password, just like how you include content-type, etc., then, this would log that user in if it could.

0 Kudos
Notify Moderator
jkaczynski
12-Amethyst
12-Amethyst
(To:rkandasamy)
‎Jan 19, 2017 02:37 PM
‎Jan 19, 2017 02:37 PM

Hello,

If you're using a REST API there is OOTB possibility to authenticate request with the Header, no need in preparing own, custom Authenticator.

You just need to pass a Header: Userid and Password.

Regards,

Jakub.

0 Kudos
Notify Moderator
Aanjan
12-Amethyst
12-Amethyst
(To:rkandasamy)
‎Jan 19, 2017 02:48 PM
‎Jan 19, 2017 02:48 PM

Rdhakrishnan, if you want to pass in your username and password, you can use something like this (with x-session for the session to persist)-

localhost/Thingworx/Things?userid=Administrator&password=admin&x-thingworx-session=true

With that being said, is there a specific reason why you would want to send your username/ password instead of using the appKey to authenticate?

Notify Moderator
rkandasamy
7-Bedrock
7-Bedrock
(To:Aanjan)
‎Jan 20, 2017 12:52 AM
‎Jan 20, 2017 12:52 AM

As per our use case, we share thingworx userid and password in an api. So this could be a verification call from their side to check if the received user id and password works or not. They need an api which will receive userid and password and return their authenticated status in Boolean value.

I hope above url will result in html page. Is there any api which would return the validation status in Boolean value?

0 Kudos
Notify Moderator
jkaczynski
12-Amethyst
12-Amethyst
(To:rkandasamy)
‎Jan 20, 2017 02:05 AM
‎Jan 20, 2017 02:05 AM

Hello Rdhakrishnan Kandasamy​,

Any REST call that goes to Thingworx will return the HTTP Status. If you succeed with authentication - 200. If not, 401 - Unauthorized. Then you need only to check the HTTP status.

The response format depends on the Accept header. You can use text/html to get the html page with additional information. Possible are also text/xml or application/json.

But please notice, that sending user credentials over HTTP(s) is not a best practice from the security point of view.

Regards,

J.

Notify Moderator
ttielebein
14-Alexandrite
14-Alexandrite
(To:rkandasamy)
‎Jan 24, 2017 04:47 PM
‎Jan 24, 2017 04:47 PM

If Aanjan's comment helped you,  you may want to consider marking it as correct to help other customers with their similar problems.

0 Kudos
Notify Moderator
Announcements


Contact Community Management
Top Tags