OAuth2.0 with ZAUTHENTICATE routine and Rest service

Hi.. I have an issue where we are using OAuth2.0 with the ZAUTHENTICATE routine.  Once our token is validated we are using a user's LAN ID (passed on the ID token) to find a software-defined username in a Cache Global.

That is all working fine in ZAUTHENTICATE.. I am setting the software defined username in the Properties("Comment") array and wanting to reference it in the Rest Service Dispatch class.

I am finding that the Properties array is not resident in the dispatch class.  It is my understanding that Properties is passed to ZAUTHENTICATE by reference, but how can I invoke the dispatch class in a way that includes the array?  Is there setup that needs to be added in the portal for web application security?

Additionally I see that ZAUTHENTICATE quits with 1/0 for success/fail.. is there a way to return more specific messaging regarding the failure to the calling web application?

Thanks,

George


Answers

It would be easier to help you with the concrete call to ZAUTHENTICATE in hand.

In addition, ZAUTHENTICATE.mac needs to be modeled by un-commenting lines.

Or do you use the pre-configured OAUTH2.AUTHENTICATE.mac?

In both cases you need to have activated this line:

Set Properties("Comment")="....whatever you may pass along...."

According to your description this is done.

So the issue might result from the way the call is done.
The comment in ZAUTHENTICATE.mac, line 90, says:

Properties - Array of returned values, passed by reference

So your call should look like

 Do ^ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,.Properties)
#;--------------------------------------------------------------------^^^


 It's the dot in front of variable name Properties that does the Pass by Reference and enables you to use the updated array after the call.

The dirty approach would be to name your array %myProp instead of Properties thus using a variable with public scope.

 

Robert,

Thanks for the reply... ZAUTHENTICATE is invoked on its own, and to my knowledge I don't have any control over the call.  I have a web application set up with Delegated security.  When the web server gets a request to a URL within that web app... ZAUTHENTICATE is simply invoked by the system.   I am sure there is an actual call somewhere in the %SYS routines.. but I haven't looked for that yet, and probably shouldn't change anything if I find it.

I did set a value to the "Comment" node of the array.. but then in the REST Service dispatch class (the next class invoked) that array is not resident... or at least the value is no longer in comment.  (since it is all web based I can't debug real time, I am capturing variable values to a scratch global)

I guess I can try setting the username etc. because the user name I get from the Token should be the same as the Cache username... and if that makes it to the dispatch class, I can lookup the software user name there

OK, if this is outside your control you NEED a dirty trick.

Just before after the last Set Properties(....)  in ZAUTHENTICATE insert this line:

Kill %myProperties Merge %myProperties=Properties

to get a full copy of the array in %myProperties

Comments

Check this article on delegated authentication.

> I am setting the software defined username in the Properties("Comment") array and wanting to reference it in the Rest Service Dispatch class.

Do you see delegated user getting created?

Properties("Comment") should be available as this user Comment property.

> is there a way to return more specific messaging regarding the failure to the calling web application?

iirc both ZAUTHENTICATE main entry point and GetCredentials entry point return %Status so you can pass the error there.

Eduard.. I think this is closer to what we need.  The challenge we have is this is an enterprise-level legacy M system with its own global for user security.  So, I have noticed that it is setting up a delegated user of OAuth... and when I put something in the properties(comment) array it updates the comment for that delegated user.

I don't want to update the cache user with what is coming in... and it looks like OAuth will do that.... 

We have a web app through another technology where the user authenticates and gets their token from another system's server.  Our server houses some REST services that the web app needs.  So we simply need to validate the token (I have this working) and switch the user's context to the access they should have within Cache (per our legacy system's security global).  

The second part is the part that doesn't seem to "take" because when I get to the REST service dispatch class, I can't seem to reference the user account.  Maybe there is an object or sys variable I can use that I am unaware of.. or maybe I need to update something in ZAUTHENTICATE to pass it along... this is where I am stuck.

Thanks,

Seems that simply referring to $username essentially works... thanks for all the input
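
The pattern the thread converges on, as an added example that is not code from any poster or from InterSystems: ZAUTHENTICATE resolves the LAN ID against the legacy security global and returns a %Status that describes the failure, and the dispatch class repeats the lookup from $USERNAME rather than relying on the Properties array or a % variable. The global ^LegacyUser, its layout, and the use of the Username argument as the LAN ID are assumptions.

```objectscript
#include %occErrors
 ; Added sketch, not code from the thread. Assumptions (hypothetical names):
 ;   ^LegacyUser("lan",lanId) = software-defined user name (constructed layout)
 ;   the Username argument stands in for the LAN ID claim of the ID token,
 ;   whose validation is assumed to have succeeded before this point.
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
    Set lanId=$ZCONVERT(Username,"L")
    // Reject an empty identity instead of falling through to a default user.
    If lanId="" Quit $SYSTEM.Status.Error($$$AccessDenied)
    // Fail closed when the legacy security global has no entry for this LAN ID.
    Set appUser=$GET(^LegacyUser("lan",lanId))
    If appUser="" Quit $SYSTEM.Status.Error($$$GeneralError,"No legacy account for "_lanId)
    // Returned by reference; the system copies these to the delegated user.
    Set Properties("Username")=lanId
    Set Properties("Comment")=appUser
    Quit $SYSTEM.Status.OK()
}
 ; In the REST dispatch class the same lookup is keyed on $USERNAME:
 ;   Set appUser=$GET(^LegacyUser("lan",$ZCONVERT($USERNAME,"L")))
```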