8.3 - vote for OAuth support for exposed REST services.

tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by tford »

Once again, support listens + delivers on a timely basis .. a formula that far too many organizations manage to not accomplish.

Keep up the great work, Vladimir!
Tom - V8.8 build 3137 - MySql / PostGres
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by ACDC »

> Good news for those who need this feature. It WILL be included in the next version

This is excellent news, thank you support.

Any idea when the next version is due for release?

Would it not be possible to make this security feature available in an update?
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by aware_support »

> 1. All attributes values get exposed if we want to return object limited attributes only. This is major issue which has other problems if you have large business object.

Himanshu, why are you saying that? When you define REST properties of an exposed service you can exclude attributes from being encoded. Are you saying that this functionality doesn't work?
Aware IM Support Team
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by Jaymer »

aware_support wrote:

> > 1. All attributes values get exposed if we want to return object limited attributes only. This is major issue which has other problems if you have large business object.
>
> Himanshu, why are you saying that? When you define REST properties of an exposed service you can exclude attributes from being encoded. Are you saying that this functionality doesn't work?

This is news to me.
It's been discussed on the forum before and it's always been the entire data structure that gets returned (unless you make a DTO as the main file).

I wrote here:

> This underscores the need for ability to control which attributes are made available/sent/returned by the Service.
> I guess we have to wait for Vlad to officially say how to do this - or if this will be a future enhancement.
> (ex. If you only want to return a list of Customers (name, address, phone), you certainly don't want all OutgoingEmails being sent.)

Remember, Himanshu started his project before the conference - previous to v8.
Is this some new ability "to exclude attributes" since v7?
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by himanshu »

Jaymer,

You are correct, AwareIM supports defining certain attributes which are required to be exposed. I must have missed this section :shock: .

[Image: REST service Settings]

Today, I still use most of the API outside AwareIM, which gives more flexibility and control, so that also may be the reason it was skipped. But I will give it a try sooner.

Thanks for catching me!
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by aware_support »

Himanshu,

could you please explain the following items on your list of issues:

> 3. All are GET API, POST API is recommended for sending data from client to server.

When you expose a REST service it supports both GET and POST. Why this comment?

> Not able to send credential data under using Authorization Header.

Why cannot you use credentials in a URL string or part of a JSON? Why do you specifically need a header?

> 6. When there are multiple records and API request does not have any data, No way to define response.

Can you please explain this one in more detail? I don't understand what it is about.
Aware IM Support Team
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by aware_support »

> Multiple responses cannot be paged

Not true. The FIND action supports the LIMIT expression (see the Rule Language Guide). This should make it possible to extract only the specified page.
Aware IM Support Team
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by himanshu »

Hi Support,

Below are the points with my understanding:

1. All attribute values get exposed if we want to return only limited attributes of an object. This is a major issue which has other problems if you have a large business object. [I might have missed something; anyhow, AwareIM supports exposing of objects. Thanks Jaymer for correcting me. I am going to give it a try.] WORKING

2. Multiple responses cannot be paged.
- There are situations in my recent projects where we need to page the size of the returned records accordingly.

> Not true. The FIND action supports the LIMIT expression (see the Rule Language Guide). This should make it possible to extract only the specified page

Here is the example:
There are 100 product records and the client requests the first set of 10 records, then the next set 11-20, and so on. Right now I cannot imagine if that will work.

3. All are GET API; POST API is recommended for sending data from client to server.
- I have tested that the GET method works fine, but when I try to send data to the same API using the POST method, putting parameters in the body, it fails: "HTTP Status 500 – Internal Server Error"

4. Not able to send credential data using the Authorization header.
- Sending data in the Authorization header is a basic security advisory, because URL parameters are exposed to the public, which is not recommended.

6. When there are multiple records and the API request does not have any data, there is no way to define the response.
Example: I have multiple addresses and there is an API which pulls the Address data as the response object.
{address [address1, address2]}
Now, when FIND Addresses does not return any record, the API response is empty.

Since I was using 70% of my API outside AwareIM, which has its advantages, it looks like maybe I had missed something in AwareIM in this area. I will surely do a quick test to take more advantage of the AwareIM REST service.

Please correct me if still wrong on any above points.
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: 8.3 - vote for OAuth support for exposed REST services.

Post by aware_support »

> Here is the example
> There are 100 products records and client request for first set of 10 records and after next set 11-20 and so on. Right now I cannot imagine if that will work.

It WILL work if you use the LIMIT keyword in the FIND action, for example
FIND Object WHERE ... LIMIT ParamObj.StartRange, ParamObj.RangeSpan

> when I try to send data on the same API using POST method putting parameters under body it fails. "HTTP Status 500 – Internal Server Error"

You shouldn't put parameters in the body. The body should have JSON or XML objects. If you use parameters only they should be in the URL (both for GET and POST). POST does work.

> Sending data under Authorization header is a basic security advisory. Because Url parameters are exposed to public which is not recommended.

HTTP headers can also be exposed to the public, so there is no security advantage here. You can use JSON/XML objects to transfer credentials (along with other data) in the body of the request, if you do not want to use parameters.

> Now, when FIND Addresses does not return any record API response is empty.

So why is this a problem? The client can react to empty data appropriately.
Aware IM Support Team
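An added illustration of the header-versus-URL-parameter point argued in the two posts above (example code, not Aware IM's or any poster's): the same credential is sent once as a query parameter and once in an Authorization header, and a Common Log Format access line, which records the request line but not request headers, shows which placement lands the secret in server logs. The endpoint path, parameter names and log format are assumptions; the second half shows a redaction step for when URL parameters cannot be avoided.

```python
"""Constructed example (not Aware IM code): where a credential ends up when a
client sends it as a URL parameter versus in an Authorization header, judged
by the log line an HTTP server writes in Common Log Format. The endpoint path
and parameter names are assumptions."""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENDPOINT = "https://example.test/AwareIM/REST/Customers"  # assumed path
SENSITIVE_PARAMS = ("password", "token", "api_key")  # assumed names


def request_with_url_credentials(user, password):
    """Credentials as query parameters: ?user=...&password=..."""
    url = ENDPOINT + "?" + urlencode({"user": user, "password": password})
    return {"method": "GET", "url": url, "headers": {}}


def request_with_header_credentials(user, password):
    """Same credentials in an HTTP Basic Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"method": "GET", "url": ENDPOINT,
            "headers": {"Authorization": "Basic " + token}}


def access_log_line(req, status=200):
    """Common Log Format as most HTTP servers write it by default: the request
    line (method, path AND query string) is logged; request headers such as
    Authorization are not. Client IP and timestamp are constructed."""
    parts = urlsplit(req["url"])
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f'192.0.2.10 - - [31/Jan/2019:14:31:52 +0000] '
            f'"{req["method"]} {target} HTTP/1.1" {status} 512')


def credential_in_log(req, secret):
    """True if the raw secret is readable by anyone with access to the log."""
    return secret in access_log_line(req)


def redact_query(url, sensitive=SENSITIVE_PARAMS):
    """Mitigation when URL parameters cannot be avoided: mask sensitive values
    before the URL reaches logs, monitoring or error reports."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for build in (request_with_url_credentials, request_with_header_credentials):
        req = build("alice", "s3cret-pw")  # constructed sample credentials
        print(build.__name__, "-> secret in access log:",
              credential_in_log(req, "s3cret-pw"))
```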