Hello Raimund,
1. You can create the content of the Authorization header on your own and set it via a Custom header. There you can use variables.
The content is just “Basic “ + “Username:Password” as Base64 (available in Community Commons module in the AppStore)
2. You can get the Cookie via the HttpHeaders in the response object. Then you have to iterate over this list.
Described here: https://forum.mendix.com/link/questions/98649
Regards
Thilo
Hello Raimund,
as far as I understand it, these are two different things:
1. API Authentication and API usage
This should be possible, as far as I understand your explanations and the documentation (that I found).
First you need to login with basic auth (as described in my first answer).
In the response of this request, you receive a session ID that you need to store and pass to the server in further calls (easiest via the header COMOS-API-Session).
There shouldn’t be a need to read out the Authorization header for this.
2. Username & Password
For my solution you would need to implement a Username/Password dialog in your Mendix app (I would not call this hardcoded)
To use the logged-in user from Active Directory you need to implement an SSO solution. But this has to be supported by the API server. Does COMOS support some kind of SSO?
Regards
Thilo
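The two answers above describe one procedure: build the Basic Authorization value yourself, log in once, then read the session ID (from the body or by iterating the response headers for the cookie) and send it as COMOS-API-Session on every further call. The following is an added example, written in Python rather than as a Mendix microflow and not taken from Mendix, COMOS or anyone in this thread. The login path, the JSON field name and the cookie name are placeholders (assumptions); the "server" is an in-process fake so the code runs offline.

```python
"""Basic-auth login followed by session-header calls, modelled offline.

Added example, not Mendix or COMOS code. The endpoint path, the JSON field
holding the session ID and the cookie name are assumptions; the real COMOS
API may differ. The fake transport below is constructed for this example.
"""
import base64
import json


def basic_auth_header(username: str, password: str) -> str:
    """Value of the 'Authorization' REQUEST header for HTTP Basic (RFC 7617).

    The user-id must not contain ':' because the server splits 'user:pass' on
    the first colon (the password may contain colons). Credentials are UTF-8
    encoded, then Base64 encoded. Base64 is encoding, not encryption: anyone
    who sees this header recovers the password, so only send it over TLS.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header_value: str):
    """Inverse of basic_auth_header; used by the fake server. None if not Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def header_values(headers, name: str):
    """Every value of header `name` from a list of (name, value) pairs.

    This is the iteration over the HttpHeaders list: names are
    case-insensitive, and Set-Cookie may legitimately appear several times,
    so do not stop at the first match.
    """
    wanted = name.lower()
    return [v for (n, v) in headers if n.lower() == wanted]


def cookie_value(headers, cookie_name: str):
    """Value of `cookie_name` from the Set-Cookie response headers, or None."""
    for set_cookie in header_values(headers, "Set-Cookie"):
        first = set_cookie.split(";", 1)[0]  # drop attributes (Path=/; HttpOnly)
        name, _, value = first.partition("=")
        if name.strip() == cookie_name:
            return value.strip()
    return None


class ComosApiClient:
    """Log in once with Basic auth, then send the session ID on every call.

    `transport(method, path, headers, body)` returns (status, header_list, body)
    and is injected so the example runs without a network.
    """
    SESSION_HEADER = "COMOS-API-Session"  # header name given in the thread
    LOGIN_PATH = "/api/login"             # assumption, not a documented COMOS path

    def __init__(self, transport):
        self._send = transport
        self.session_id = None

    def login(self, username: str, password: str) -> str:
        auth = {"Authorization": basic_auth_header(username, password)}
        status, headers, body = self._send("POST", self.LOGIN_PATH, auth, "")
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        # Assumption: the ID is in the JSON body; fall back to a session cookie.
        sid = json.loads(body).get("sessionId") or cookie_value(headers, self.SESSION_HEADER)
        if not sid:
            raise RuntimeError("login response carried no session ID")
        self.session_id = sid
        return sid

    def get(self, path: str):
        if self.session_id is None:
            raise RuntimeError("call login() first")
        status, _headers, body = self._send(
            "GET", path, {self.SESSION_HEADER: self.session_id}, "")
        return status, body


def fake_transport(method, path, headers, body):
    """Constructed stand-in for the COMOS server; not real COMOS behaviour."""
    if path == ComosApiClient.LOGIN_PATH:
        if parse_basic(headers.get("Authorization", "")) != ("raimund", "s3cret"):
            return 401, [("WWW-Authenticate", 'Basic realm="comos"')], ""
        return 200, [("Content-Type", "application/json"),
                     ("Set-Cookie", "COMOS-API-Session=abc123; Path=/; HttpOnly"),
                     ("Set-Cookie", "lang=en; Path=/")], json.dumps({"sessionId": "abc123"})
    if headers.get("COMOS-API-Session") == "abc123":
        return 200, [("Content-Type", "application/json")], json.dumps({"path": path})
    return 401, [], ""


def demo():
    """Full exchange: login, then an authenticated call. Returns what was seen."""
    client = ComosApiClient(fake_transport)
    sid = client.login("raimund", "s3cret")
    status, body = client.get("/api/projects")
    return sid, status, json.loads(body)["path"]


if __name__ == "__main__":
    print(demo())
```

Note that Authorization is a request header: it is never in the response header list, which is why only Content-Type, X-Frame-Options, Date and Content-Length come back; the thing to read from the response is the session ID.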
Hello Thilo,
in our Comos Web application, I never have to log in, it just takes the Windows AD user.
The app shows (see screenshot) the information ‘DOMAIN’ \ ‘USERNAME’ (Windows User).
Would this be possible with Mendix?
I'm not so familiar with what OpenID, OAuth2, and SAML mean, but it seems there I have to log in somewhere else (like e.g. at Siemens with the PKI Login).
So I'm a bit confused why I have to use SSO here.
Because the web browser somehow knows my windows login, right?
Regards,
Raimund
Hi Raimund, Thilo asked me to chime in on the discussion. Are you trying to achieve login for users in the Siemens domain or users in general environments?
Hello Thilo,
thank you for your response.
I tried the way which is described in the link in 2.
But somehow the “Authentication” item is not in the HTTP Header as expected.
Concerning point 1:
How to find out username and password?
It should not be required to hardcode it in configuration, but it should be determined automatically.
Just as a browser like Chrome knows which user is logged in to Active Directory, this user data should then be forwarded to the application.
Is this also provided by the “Community Commons module”?
Or is there only the string function for Base64?
Additionally, I show you what the header looks like in Postman (Picture 1).
And, compared to this, in Mendix there are only 4 entries in the HTTP header response (Picture 3):
Content-Type, X-Frame-Options, Date, Content-Length
But no Authorization (so maybe it's only possible if I create this value myself in the Mendix environment?)
Pic 1: Postman
Pic 2: Postman Authorization value
Pic 3: Mendix variables (Debug after calling Login)
Pic 4: Mendix Debug (Overview)
Hello Thilo,
1. API Authentication and API usage
You were right, there was no need to read the HTTP Header.
I used Base64 encode of ‘Username:Password’ as you proposed. So, in the REST API call, I pass in the header the session ID which was returned from the login function (stored in $LoginResponse), and the Authorization value (Base64).
Hello again,
as the first one is solved, to my second question:
2. Username & Password
I asked the COMOS product management and I got the following answer:
“You need either Windows authentication, an active directory, or an OpenID/OAuth/SAML Identity provider. Depends what is offered by Mendix”.
So what would be the best way to implement Windows authentication?
Like in the browser when I call ‘Comos Web’ (our existing application), where the Windows user is simply forwarded to the app.
And can I retrieve the username & password, because I need it for Step 1 (Base64 string for authentication in the REST API).
Kind regards,
Raimund
To the second question about SSO:
Mendix supports all the commonly used SSO implementations including OpenID, OAuth2, SAML.
In an SSO scenario you will never retrieve the password of the user directly. So there will be no way to just “pass” the password to your app.
The workflow typically works like this (simplified):
This all depends heavily on the SSO provider.
You can have a look at the Siemens Starter App where SSO with myID is implemented.
Regards
Thilo