Accessing API When OTCS is Using Single Sign On

Keith Frazier

Hello,

I'm looking to utilize the OTCS API; however, we are using OAuth 2.0 in production. In the development server, which uses basic authentication, I was able to pass the username and password to the api/v1/auth end point and receive an OTCS ticket that I can then pass to all future API requests. No issues there.

How can I get an OTCS ticket when using OAuth 2.0? OTCS is registered as an app in the azure environment and I am able to pass the client_id, client_secret, scope, and grant_type to the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token to receive a bearer token. I'm not sure how to pass this bearer token to OTCS in postman. It doesn't appear the api/v1/auth endpoint can accept the bearer token. I may be on the wrong track completely...

I am very new to all this so please bear with me - I may have some of the terminology confused. Any help you could provide would be greatly appreciated.

Ferdinand Prantl

I hope that somebody else will chime in, because I did not use this exact scenario myself.

OAuth is provided by OTDS, not CS. When you have the OAuth authentication token, you can use it to connect to the OTDS REST API and have it generate an OTDSTicket, which will be accepted by CS and can be exchanged to OTCSTicket by the very first call to the CS REST API.

I used OTDS REST API to get a ticket for CS + impersonation:

POST /otdsws/rest/authentication/resource/ticketforuser
{
  targetResourceId: "42B810FA-6F36-64CA-58EC-70AE1EF050E0",
  userName: "myuser",
  ticket: "OTDS SSO ticket"
}

If you ignore the impersonation and use your token instead of my ticket, you will just need to find the proper resource path. I cannot find the OTDS REST API on developer.opentext.com any more.

Appu Nair

I use impersonation in another way. I have a superuser with whom I can get an OTDS ticket so that I can ask for the impersonated ticket in OTDS and I send this to show the page the user is requesting. This way I don't need to know the resource etc of CS.

I also have all of this working under the premise that the USER using my application and CS is the same user when it comes to the BDC. Here's what I do I posted on another page for OT experts to chime in but didn't get anywhere. https://forums.opentext.com/forums/support/discussion/301576/showing-a-content-server-page-in-a-custom-jsp#latest this way I am trying not to do any impersonation but get by the way smart works...basic Auth will work but then the server would need to authenticate your domain creds the base64 encoded way but in some OT Documentations, it is bound to be interpreted as going away.

Ferdinand Prantl

I found the OTDS REST API documentation for authentication. You must not search for "OTDS" to be able to find it :-)

If you struggle getting the CS Resource ID dynamically, here we are a couple of CS URLs from OTDSINTEGRATION, which need no authentication and return JSON output:

?func=otdsintegration.getloginurl
?func=otdsintegration.getresourceid
?func=otdsintegration.getserverurl

Another thing occurred to me: if you get the SSO token from the OTDS REST API instead of the resource-specific one, you will need no CS resource ID. That token works just once by default and you will have to save the OTCSTicket from the first CS response. But you should do it anyway for the optimal performance and to prevent user session exhaustion.

Keith Frazier

Thx for the feedback - still struggling a bit. So if I have a bearer token from azure that I just generated by sending a post to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, how can i pass this to otdsws/api/rest/authentication to get an OTDS ticket?

Also, which endpoint would I use since it looks like there are a few.

Thx

Keith

Appu Nair

Does this article look like what you are intending to do ?https://knowledge.opentext.com/knowledge/cs.dll/kcs/kbarticle/view/KB4960782?_ga=2.197092972.1746603588.1628794004-525322949.1628794004

or this https://forums.opentext.com/forums/support/discussion/comment/910271#Comment_910271

search in the purely OTDS forum so you may get better hints...

Keith Frazier

Hi - sorry for delay, got a bit tied up.

This looks like what we have set up: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

So, I basically have this bearer token that I don't know what to do with. I'm trying to use postman to query the api. I understand that I probably need to get an otds ticket first but I just don't know what ticket to feed it to return the otds ticket.

I read an article about SAML assertion, not sure where to find that. I don't think I have access to Opentext debug logs. This post and article seemed somewhat relevant https://forums.opentext.com/forums/developer/discussion/296840/is-there-some-way-to-handle-otds-authentication-with-api-rest-and-saml-assertion