First REST Operation - Custom Header

Question

Question

Scott Roth · Apr 21, 2021

I have a vendor that is sending an HL7 message. But when I asked for more detail about their mapping tables, they told me they typically don't supply that but supply an API for customers to call so they don't have to define tables and it is more dynamic.

So with that being said I am creating my first REST operation. I understand the gist of how a REST operation works in working with other types out Non HL7 Operations (SOAP, SQL) before. You send a request and get a response back, that part I understand.

What I am not comprehending is how secure it can be if they only give you an ID, and a Secret pass code to work with.

How secure is it if they are not requiring a Certificate, or Credentials?

I have created a simple client TLS configuration for this Operation, I am just not sure how secure it is, and how to send a custom header within the call.

If the ID and Secret pass code has to be sent in the header, how does one create a Custom Header for authentication with the API?

This is what I have to pass to them for Authentication...

{
"Key" : "xxxxxxxxxxxxxxxxxxxxxxxx",
"Id": "xxxxx",
"Secret": "xxxxx",
"Resource": "xxxxx",
"Instance" : "xxxxx"
}

Forgive me but I am just not finding the right documentation to point me in the direction I am looking for.

Product version: Ensemble 2018.1

$ZV: Cache for UNIX (IBM AIX for System Power System-64) 2018.1.3 (Build 414U) Mon Oct 28 2019 11:24:02 EDT

Discussion (14)2

Log in or sign up to continue

Marc Mundt · Apr 26, 2021

You can definitely do the OAuth requests using basic HTTP calls.

Doing it in OnInit won't work because the token you receive has an expiration time.

You'll need to:
- For every message your Operation receives you'll need to check if the cached token's expiration time has passed (or if there's no cached token).
- If you need a new token, do your POST call to get a new token and cache it.

0 0

score 0 · Answer 1 · 2021-04-22T08:29:22-04:00

Eduard Lebedyuk · Apr 22, 2021

Does it work over https?

0 0

score 0 · Answer 2 · 2021-04-22T09:27:10-04:00

I haven't tried even building it yet to be sure. But it does need to be sent via HTTPS. How would I create a custom header for this?

score 0 · Answer 3 · 2021-04-22T10:16:07-04:00

Eduard Lebedyuk · Apr 22, 2021

Do you want to send a custom header with your HTTP request?

0 0

score 0 · Answer 4 · 2021-04-22T10:52:01-04:00

Do you really have to for authentication purposes? I think what I want to do is the following...

https://docs.intersystems.com/healthconnect20191/csp/docbook/Doc.View.cl...

Is there any examples out there for this? How can this be done?

score 0 · Answer 5 · 2021-04-22T13:04:22-04:00

In your REST operation you can just do this. In this case the header name is "Authorization" but you can change it to whatever is required.

s tSC=pRequest.HTTPHeaders.SetAt(tAuthInfo,"Authorization")

score 0 · Answer 6 · 2021-04-22T13:19:52-04:00

So I re-read the vendor's documentation. They are using Oauth, and passing back a Token to use when sending Requests. Can I build Oauth into the Operation? If so does anyone have examples of doing this?

score 0 · Answer 7 · 2021-04-22T13:45:30-04:00

This snippet uses the built-in OAuth client to request a token and then add it to the HTTP header.

You'll need to configure an entry for the OAuth server with a sub-entry for this specific client:
https://docs.intersystems.com/healthconnectlatest/csp/docbook/Doc.View.c...

In the case of the sample code below, the client I configured is named TestClientA.

    set isAuth=##class(%SYS.OAuth2.AccessToken).IsAuthorized("TestClientA",,"*",.accessToken,.idtoken,.responseProperties,.error)

    $$$TRACE("isAuth:"_isAuth)

    if 'isAuth {
        set tSC=##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("TestClientA", "*",, .error)        
        set isAuth=##class(%SYS.OAuth2.AccessToken).IsAuthorized("TestClientA",,"*",.accessToken,.idtoken,.responseProperties,.error)

        $$$TRACE("isAuth2:"_isAuth)
        
        if 'isAuth {
            quit $$$ERROR(5001,"Problem authenticating")
        }
    }

    $$$TRACE("access_token: "_accessToken)
    $$$TRACE("expires_in: "_responseProperties("expires_in"))
    $$$TRACE("scope: "_responseProperties("scope"))
    $$$TRACE("token_type: "_responseProperties("token_type"))
    
    s tSC=pRequest.HTTPHeaders.SetAt("Bearer "_accessToken,"Authorization")

score 0 · Answer 8 · 2021-04-22T14:11:37-04:00

When I attempt to "Discover and Save", I get....ERROR #6059: Unable to open TCP/IP socket to server localhost:80. But I do not want it to go out port 80.

score 0 · Answer 9 · 2021-04-22T14:31:43-04:00

I think for Issuer endpoint you need to include the protocol:

https://api.veritystream.cloud/services/oauth

score 0 · Answer 10 · 2021-04-22T14:46:39-04:00

Here's a cheat sheet I put together on creating an OAuth client definition:

Go to System Administration >> Security >> OAuth 2.0 >> Client

Choose “Create Server Description”

Enter the endpoint URL provided for the OAuth server and select the TLS config you created for the OAuth server. Click “Discover and Save”. It should populate details about the OAuth server.

After saving, a new server entry will appear. Click “Client Configurations” and then “Create Client Configuration”

Enter the name details, select the TLS config, and choose Client Credentials as the grant type. The redirect URL won’t actually be used, but you’ll need to enter something for hostname anyway.

Keep track of what you enter for “Application Name”. You’ll need to put this in your custom code.

Switch to the “Client Credentials” tab and enter the Client ID and Client Secret you were given.

score 0 · Answer 11 · 2021-04-23T15:01:57-04:00

Where would I put the Key that they gave me?

{
"Key" : "xxxxxxxxxxxxxxxxxxxxxxxx",
"Id": "xxxxx",
"Secret": "xxxxx",
"Resource": "xxxxx",
"Instance" : "xxxxx"
}

score 0 · Answer 12 · 2021-04-23T15:22:04-04:00

You'll probably want to check with the vendor to confirm where they expect to see it. One possibility is to pass it to GetAccessTokenClient as a property.

https://docs.intersystems.com/irisforhealthlatest/csp/docbook/Doc.View.c...

Also, this sample assumes that they're using the client credentials grant type. This is the most likely option, but it would be worth confirming.

score 0 · Answer 13 · 2021-04-23T15:48:30-04:00

Does this make sense.. What if I didn't use the %SYS.OAuth2 library and just treat it as another POST object that I put in my Operation as OnInit()? Do you think that would work?