Anonymous Rest Call via ticket or token

All of our Rest API calls have been for Content Server users so it has been easy to authenticate them via OTCSTicket within a WR.
We now have a Use Case where we would like to make a REST API call against our Content Server from non Content Server user on our intranet portal. I would like to use a ticket or token with very limited scope and little to no access to achieve this. In one of my previous questions regarding initiating Workflow from REST, Clarkebar2 said:

"Get the ticket from OTDS (notice that OTDS uses application/json unlike OTCS that uses forms for everything).

Anyway, get the ticket from OTDS, then go to OTCS and use the ticket to start your workflow."
I think this is similar to what I am talking about, but need some advice because of the security issues. I can implement additional reCaptcha V2 on the client making the call for spam and abuse.

Cheers,

Ed

Find more posts tagged with

Comments

Appu Nair

What pray is the security issue ? Care to elaborate? I think CS will only allow a user who can hit a node OTDS seamlessly says I think here is a token for UserX do what you need with it BTW this token will be valid for X hrs:minutes . The application a.k.a resource examines the token crunches it and derives a UserX. It checks if UserX has login enabled and what all privileges , at the tail end it tries to hit what was asked a folder document etc . If UserX has no business on the node it is rejected .can you allow a non KUAF user into CS technically yes but you probably will violate your license agreement ...

I have written code that integrates third party systems I obtain a token for the user and allow the user in ...

I have used java code to first go to otds and then call SmartUI with that token so I am not sure the json payload format is that difficult to manipulate...

BTW I am not even sure if you have a WR sitting inside CS it doesn’t need to be re-authenticated as the WR is actually a authenticated object inside CS

Ed Davis

The scenario would be an extension of a previous post regarding initiating a Workflow with REST which works fine. Internally on our intranet, I have defined a proxy user in the non-synced partition in OTDS with very little access e.g. No Public, No Personal Workspace, No Expiry, any access I could strip from the user. There are some breadcrumb menu items that remain and I have to give that user access to the Workflow and permissions to add attachments. This is OK because the actual User is authenticated on our internal network via LDAP/AD. So currently, the User fills the javascript/jquery Form, uses a <input> type:file to attach a supporting document and then I call the cascading AJAX REST via draftprocesses and node calls to setup the WF, upload the file set attributes from the form info and fire the WF. I would like to extend this Use Case to public access and was hoping there was a way to dispense with the proxy user and the base64 BASIC AUTH with the username:password combo with a token that would be able to access the REST API endpoints and do the same.

Ref: Initiate Workflow from REST — OpenText - Forums

Ed

Pramod Mohandas

Keeping the business requirement aside, by trying to achieve this, you might also want to ensure that you do not end up in a legal predicament with OpenText without their written permission of being able to use a single proxy user for, let's say, 1000 users, across your organization.

By developing such a solution, you are essentially bypassing the limited number of user licenses that has been allocated to you, or the client, by OpenText and if OpenText finds that something isn't right, they have the complete authority to take legal actions against the client and fine them.

Thus, you may want to think about the legal repercussions that might accompany your solution once it is developed and deployed. To work this the right way, OpenText should be able to provide you with a list of licensing options that is apt for such situations.

That being said, if you are planning on using a single technical user to initiate workflows, wouldn't it suffice if you passed in the technical user's credentials to Content Server's REST API (/auth) and used it to initiate your workflow?