January 26, 2021

Open a mashup with appkey

I need to create a URL link (to be sent by email) that opens a specific mashup without requiring the user to authenticate to the platform.

I can do that by using an appkey linked to a specific user; this is possible using this method:

https://www.ptc.com/en/support/article/CS227935

That is, however, deprecated for security reasons; in fact the appkey-as-URL-parameter feature is not enabled by default.

If I need to do that, I have to enable the "Allow Application key as URL Parameter" feature for the whole platform (opening the door to some possible attacks).

Is there a way to allow just a specific mashup to use this method?

(and keep "Allow Application key as URL Parameter" set to false?)

January 27, 2021

@iguerra

To use the feature, you have to keep "Allow Application key as URL Parameter" set to true.

As the article mentions, for security reasons, associate a specific user with a specific appKey, granting that user permissions for the specific services and mashups only.

January 27, 2021

It's not a good idea to expose the appkey in the URL parameters because it can be exploited easily.

iguerra (Author)
January 27, 2021

Yes... I wouldn't enable this flag if possible.

I see that the "reset password" feature uses a similar method:

it creates a temporary appkey, and the link sent by email redirects to a mashup to set a new password (with the appkey as a parameter!).

But this is not a standard mashup: it lives under a different path (/formlogin/reset...), it is a system mashup outside "Composer" management, and, as you can see, it works even if the "use appkey as parameter" flag is OFF, so it is managed differently.

Are there other possibilities ?

Can those "system mashups" be created with an extension ?
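The reset-password flow described above (a temporary credential in an emailed link, consumed by one system page) is the pattern to copy rather than a standing appkey in the URL. The Python below is an added example, not ThingWorx code or anything from the thread: a link carries only a random token; the user it maps to, the mashup it is bound to and its expiry live server-side, and the token is consumed on first successful use. The base URL, user and mashup names, the `t` query parameter and the in-memory `_issued` store are all assumptions made for this illustration.

```python
# Added example (not ThingWorx's own code): a short-lived, single-use link
# token, in place of a long-lived appkey passed as a URL parameter.
# Names, the URL, the query parameter and the store are assumptions.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side store of issued tokens, keyed by the SHA-256 of
# the token so that a copy of the store alone cannot be turned into a link.
_issued = {}


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(base_url, user, mashup, ttl_seconds=900, now=None):
    """Create an emailable URL that opens one mashup as one user, once.

    Only a random token goes into the URL. The user, the mashup binding and
    the expiry are recorded server-side, so nothing in the URL can be edited
    to widen the link's scope, unlike an appkey that is itself the credential.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[_token_key(token)] = {
        "user": user,
        "mashup": mashup,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return f"{base_url}?{urlencode({'mashup': mashup, 't': token})}"


def redeem_link(url, requested_mashup, now=None):
    """Validate the token in a clicked link.

    Returns the user the mashup should run as, or None when the token is
    unknown, expired, already used, or bound to a different mashup. The
    token is consumed on first success, so a copy captured from a proxy
    log, browser history or a forwarded email cannot be replayed.
    """
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    record = _issued.get(_token_key(token))
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        return None
    if record["mashup"] != requested_mashup:
        return None
    record["used"] = True
    return record["user"]


if __name__ == "__main__":
    link = issue_link("https://example.test/runtime", "kiosk_viewer",
                      "AlarmOverview", ttl_seconds=600, now=1_000)
    print(link)
    print(redeem_link(link, "AlarmOverview", now=1_100))  # kiosk_viewer
    print(redeem_link(link, "AlarmOverview", now=1_100))  # None: already used
```

The contrast with the deprecated flag is in what the URL carries: with "Allow Application key as URL Parameter" the query string holds the appkey itself, valid for as long as the key lives and for every service that key's user can reach, and every place a URL is written down (access logs, proxies, browser history, the Referer header on outbound links) becomes a copy of that credential. With the token above, the same leak yields at most a few minutes of access to one mashup as a narrowly permissioned user, and nothing once the link has been clicked.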

January 28, 2021

Even though I know the use case seems solid (opening a mashup without logging in), the current soft "deadlock" (the deprecation of AllowAppKeyAsURLParameter) does not make this a very feasible option long term.

I would suggest explaining to your customer/use-case owner that you really need to log in if you want to access the application. Usually in an enterprise this is a bit easier if they set up ThingWorx with SSO: they can log in once. Again, maybe this won't work for reasons I'm not aware of, but it is what it is.

If that's a no-go, another option is to enable that checkbox and engage in discussion with your relevant PTC counterpart (through your Partner Manager/Customer Success Manager) to see how PTC will tackle that issue in the long term, that is, what capability they will offer to support accessing mashups without logging in.