REST API Authentication Header

Hello,

I am trying to use the ticket returned by the authenticate REST API call in my subsequent POST call for creating a node (folder). What should be the token/parameter name to send this ticket along in my second call? I am using the Postman client for now against a CS 20.3 CE version. I see references to this parameter being different in other examples, including "OTCSTicket", "otcsticket", "OTCSTICKET" etc., but none of these seem to work and I always get back a 401 unauthorized response. Any pointers would be helpful.

Thank you.

Comments

  • Quick question: in Postman, where you are putting otcsticket, would you just switch to the code section and check if it looks like this under the HTTP section?

    Try with a GET, changing it to a valid node:

    http://myserver/otcs/cs.exe/api/v1/nodes/22232

    GET /otcs/cs.exe/api/v1/nodes/22232 HTTP/1.1

    Host: myserver

    otcsticket: 4b+hB0/14O1oXcd0xpNv7nxtLAKlCVsgXZStJabb0au33YlLF7PqxV1zoYCCe7LI+NP2GyvKjL0bsJ7w2u/uLEr3vMRm6RQq

    That was a GET. If you see a form or anything, just remove everything, as Postman sometimes adds stuff you do not want.

    You could also get it wrong if the API doesn't reveal the user from the ticket, like when you got the auth you got a ticket from, say, one of 3 servers in a reverse proxy/LB setup, so your auth token actually came from Server1 but your folder create is actually going to Server3. In one of my earlier posts, which I showed you: https://forums.opentext.com/forums/developer/discussion/302784/adding-classification-to-a-document-using-rest-api#latest

    I seem to have mentioned that I use OTDSticket; it has more information than the otcsticket has, so it aids in negotiating redirects etc.

    (BTW: My theory as I found that in my many debugging cases)

    If you are on the Livelink server and if you issue

    http://localhost/otcs/cs.exe/api/v1/auth and turn around and then use that ticket into an FQDN like http://myserver/otcs/cs.exe/api/v1/nodes/22232

    you will get a 401. These are basically LLCookie, and it is issued based on the server :). There are a bunch of rules in Livelink that say how an LLCookie should be generated and so on.

  • One other aspect: for easy debugging, OT allows Basic Authentication, so if you hardcode username/password in REST API calls you won't need the ticket. If that works and tickets don't, then that tells you your ID is not revealed in the ticket. Note that OT provides that only to help in developing; it is not a standard for production-worthy code: https://forums.opentext.com/forums/developer/discussion/comment/932936#Comment_932936

    In a Java client that will go as a Base64 encoded string :)

  • Matthew_Pinkney E Member
    edited February 16, 2021 #4

    Hello Ramesh,

    You mentioned header in the title, but I wanted to make sure you were using the header tab in Postman and not a body or parameters section. That could explain your issue. Also check to see what your authorization tab is set to. For my use I have authorization set to "no auth" and added a key=OTCSTicket in the headers tab with a value of the token.

  • Hello Matthew, Appu,

    Thank you for responding. I am in fact using the header tab with "OTCSTicket" as the key name. I finally got this working. What I found out was that when the ticket returned by the "auth" call contains a forward slash ("/") as part of the value, the ARC client escapes it with a backslash ("\") automatically in the response. Once I unescape this and clean up the ticket value, I am able to use it in my subsequent call. The Postman client does not seem to do this and shows the value as is.

    So I am assuming OTCSTicket is the correct key name to use then? Or do the API calls support other combinations of this key as well (like "otcsticket", "OTCSTICKET" etc.)?

  • @Ramesh_Sundaresan that is good to know. I think when you pass in the OTDS ticket you are spared all those problems. OT has a KB that I saw saying they prefer that in lieu of otcsticket.

    OTDSTICKET: it is not case sensitive, I think.
  • Ferdinand Prantl E Community Moderator

    HTTP header names are case-insensitive. You can write OTCSTicket as you wish.

    Mind that using OTDSTicket will cost you one hop CS->OTDS to get it validated. OTDSTicket is usually used only for the very first REST call to CS. The response of every REST call contains OTCSTicket, which the application usually remembers and uses for the next call and repeats this pattern so that the ticket does not expire, as long as the communication continues.
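
The escaped-slash problem and the ticket reuse pattern described in the posts above, as an added example that is not part of the original thread or OpenText's own code. Assumptions: the auth response is JSON with a `ticket` field, the refreshed ticket arrives as a response header, and the ticket value is constructed.

```python
import json

# Constructed sample: the raw auth response body as shown by a client that
# displays the JSON text without decoding it. "\/" is a legal JSON escape
# for "/". The "ticket" field name is an assumption.
RAW_AUTH_BODY = r'{"ticket": "4b+hB0\/14O1oXcd0xpNv\/LAKl=="}'


def naive_copy(raw_body: str) -> str:
    """What copying the value out of the raw text yields: escapes are kept,
    so the server sees a different string and answers 401."""
    marker = '"ticket": "'
    start = raw_body.index(marker) + len(marker)
    return raw_body[start:raw_body.index('"', start)]


def extract_ticket(raw_body: str) -> str:
    """Decode the body as JSON so "\\/" becomes "/" before the ticket is used."""
    ticket = json.loads(raw_body)["ticket"]
    # Assumption: tickets are Base64-like as in the thread, so a backslash
    # left after decoding means the value was escaped twice somewhere.
    if "\\" in ticket:
        raise ValueError("ticket still contains a backslash after JSON decoding")
    return ticket


def auth_headers(ticket: str) -> dict:
    """Request headers for the next call: the ticket travels as a header,
    not in the body or the query parameters."""
    return {"OTCSTicket": ticket}


def next_ticket(response_headers: dict, current: str) -> str:
    """Remember the ticket from the latest response for the following call.
    Header names are case-insensitive, so match on the lower-cased name;
    keep the current ticket when the response carries none."""
    for name, value in response_headers.items():
        if name.lower() == "otcsticket" and value:
            return value
    return current
```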