Is there a REST equivalent of WS Impersonate User

HF_PSPC · 2022-04-21T19:38:45+00:00

There was an error rendering this rich post.

Hi,

I'm reviewing the REST API to help a client convert their application to use REST. One big gaping hole is that there doesn't seem to be any way to impersonate a user. Currently, they have a web based application where the user authenticates elsewhere, and a service account proxies all requests to Content Server via the SOAP API. The application never hangs on to the user's credentials, so is only passing their email address as the user account to impersonate. This doesn't seem to exist in the REST API. I think they theoretically could do this using the OTDS REST API but I'm not 100% sure. A client application ideally should only have to talk to one API when dealing with Content Server though.

-Hugh

Find more posts tagged with

Comments

Appu Nair

Hugh,
All API’s allow a big user to impersonate a small user that is the CS way . In case of REST if you need to perform a document management function your call should contain a header typically one uses a OTCSTicket or OTDSTicket how you generate that is probably what you need to do in REST. So if you like using the CS Endpoint for auth you have many calls including one that gives you a impersonated token in one shot . In what I maintain for our company and what I do is I interact with otds for the administrative ticket and the impersonated ticket and I call CS using soap or rest as the case maybe . All the ticket obtaining code is against the rest api of otds . You may have to find the OTDS user for the email so you can locate the record unless ot allows email to be used in lieu of name , but I am thinking a webreport fake restendpoint can come to your rescue there😃

BTW there is even a video describing how to convert a oauth token to a CS token in the KB if you even wanted to go the OAUTH route

Appu Nair

BTW every rest successfull call returns a new token you are supposed to hang on to that for the next call although if your email users change by the second you have to handle that

Greg Griffiths

you can use the following KB - https://knowledge.opentext.com/knowledge/llisapi.dll/kcs/kbarticle/view/KB8295770

HF_PSPC

Read the KB article. This info should be added to the API documentation. But yes, it works exactly as it should.

-Hugh

Appu Nair

make sure you do not put this on the view source of a webpage

BTW you can use any SysAdmin to do this not just the 'Admin' user

Hans Stoop

I think there is still a limitation if you use security clearance or supplemental markings and also apply that to system administrators.

Hans

Tim Jian

Following Appu Nair instructions above, got error below:

HTTP/1.1 401

{"Error": "Could not impersonate user 'testUser1'"}

I am using CS 23.1 with build in Admin user and password

Greg Griffiths

you should be able to see more about why, was the user you were trying to impersonate a normal user or did they have SysAdmin etc ?

Tim Jian

https://forums.opentext.com/forums/developer/discussion/comment/967506#Comment_967506

It works. It was a user error.

One thing I want to add here is that it seems only one step needed to impersonate a user. There is no need for header parameter.