Hi @CAPEGA,

Unfortunately, we will need some additional information here to assist you further.

Which host are you using, that is, are you using a Mac or Windows?

What is the endpoint you are trying to reach?

What have you tried?

Do you get any errors?

Are you using a proxy server?

cheers,

Stan

Hi @stan_koprowski,

Thanks you for your help. See below the answers to your questions:

url = "https://piserver123.example.com/piwebapi";
request = New HTTPRequest(
	URL( url ),
	Method( "Get" ),
	Query String( 
		[["selectedFields" => "Items"]]
	),
	Secure(0)
);

json = request << Send();
jsl_json = Parse JSON( json );

Hi @CAPEGA 

Thanks for the additional information.  While Kerberos is an option as you stated as a valid means to establishing authentication newer more modern options in my opinion that use SSL to authenticate are preferred and are often thought of as the "current standard".  With SSL you're asserting for yourself (via public/private key), whereas, in Kerberos, even with public key cryptography (PKC) for session keys, the server (3rd party) is still doing the confirmation for you.  Additionally, another benefit is SSL also encrypts the transfer of data.

While Kerberos is a valid way of establishing authentication I would recommend a different option. Based on what I read using the link provided previously there are some settings for the Pi Web API that would allow for bearer authentication using OpenID connect (OAuth 2.0 based).  The advantage here is that the you have one login for multiple sites.  The PI administrator would need to configure these changes.  This feature is available beginning with the PI Web API 2017 release.

Most of the documentation for OSI Pi is not accessible to the general public so I cannot create a specific example.  I'd be happy to work with you directly if you are so inclined.  Please send me a private message and we can connect if you would like to pursue this option.

However, here is an example of using OpenID to access your Google profile picture (if you have a Google account ). 

Names Default To Here( 1 );
 
/*
Note: the "code" parameter is set automatically after the redirect occurs
*/
auth_url = "https://accounts.google.com/o/oauth2/v2/auth";
token_url = "https://www.googleapis.com/oauth2/v4/token";
redirect_url = "http://localhost/myapp/";
client_id = "581786658708-elflankerquo1a6vsckabbhn25hclla0.apps.googleusercontent.com";
client_secret = "3f6NggMbPtrmIBpgx-MK2xXK";
scope = "openid profile";
auth_fields = [=> ];
token_fields = [=> ];
			 
oauth2 = New OAuth2();
oauth2 << Grant Type( "Authorization Code" );
oauth2 << Auth URL( auth_url );
oauth2 << Token URL( token_url );
oauth2 << Redirect URL( redirect_url );
			 
auth_fields["scope"] = scope;
auth_fields["client_id"] = client_id;
token_fields["client_secret"] = client_secret;
			 
oauth2 << Auth Fields( auth_fields );
oauth2 << Token Fields( token_fields );
			 
auth_header = oauth2 << Get Auth Header();
request = New HTTP Request( URL( "https://www.googleapis.com/oauth2/v3/userinfo" ), Headers( {auth_header} ), Method( "GET" ) );
data = request << Send;
If( !Is Empty( data ),
	json_jsl = Parse JSON( data );
	If( json_jsl << Contains( "picture" ),
		picture_url = json_jsl["picture"];
		New Window( "Example", Picture Box( Open( picture_url ) ) );
	,
		Show( data )
	);
);

 cheers,

Stan

Hi @stan_koprowski ,

Thanks for your suggestion, those mechanisms are maybe very common on the (public) internet but inside a company (private) network, it is not that obvious.  So to get back to the original question : is there an option of the JMP HTTP request object that will be compatible with the Windows authentication mechanism that is in place today with all our PI servers ?

Cheers,

Hi @CAPEGA,

I missed this one...Sorry for the long delay in responding to this post.

To use Kerberos to negotiate with http request you can use the following:

Password(":") 

// use webids for retrieving tags; get tag for particular webid 
	For( i = 1, i<=NItems(webids), i++,
		url_str = srvrname || "/streams/" || webids[i] || "/value";
		strms = New HTTP Request(
			 URL( url_str ),
				Method( "get" ),
				Headers( {"Accept: application/json"} ),
				Password(":") //for Kerberos authentication
		) << Send;

		dt_strms = json to data table( strms );
		//convert timestamp to JMP date format
		dt_strms << New Column( "Time",
		Numeric,
		Format( "y/m/d h:m:s", 22, 0 ),
		Input Format( "y/m/d h:m:s", 0 ),
		Formula(
				Try(
					delims = "-:TZ";
					rowWords = Words( :Timestamp, delims );
					{};
					YearChoice = 1;
					{};
					{};
					Date MDY( Num( Uppercase( rowWords[2] ) ), Num( rowWords[3] ), Num( rowWords[1] ) + 0 ) + Num( rowWords[6] )
					+Num( rowWords[5] ) * 60 + (Num( rowWords[4] ) + 0) * 3600 + If( Num( rowWords[4] ) < 12,
						0,
						0
					);
				)
			)
		);
		dt_strms = json to data table( strms, Invisible );  //hide table
		//concatenate into a single table
		If( i == 1, dt_tag_rslts = New Table( "Stream Results", Invisible );
		,
			dt_tag_rslts << Concatenate( Data Table( dt_strms), "Append to first table" );
			Close( dt_strms, "No Save" );
		);
	);

If you don't have to log into a realm then this:

//kerberos
url = "http://my_server_with_kerberos/some_endpoint";
request = New HTTP Request(
	Method("GET"),
	URL(url),
	Password(":")
);
request << Send;

Should do it. Note the Password(":");

If you do need to log into your company's realm, then something like this (this does a form-based login):

//login to company realm
url = "https://corporate_realm/login";

values = AssociativeArray();
values["IDToken1"] = "";
values["IDToken2"] = "";

request = New HTTP Request(
	Method("POST"),
	URL(url),
	QueryString([
		"realm" => "/my_realm"
	]),
	Form(Fields(values)),
);
request << Send;

can be used.

However logging into corporate realms is generally company specific.

@stan_koprowski thanks, this solved my problem as well.  I do have a follow-up question, though.

Why are so many things like this un-documented, such that they require forum searches to find the solution?  Especially in this case, where the solution was so incredibly simple:

Password(":") //for Kerberos authentication

This could easily be placed in the JMP Help under "Examples of HTTP Requests" and then people like myself and @CAPEGA wouldn't have to search discussion threads for the answer, and if it's not already there, attempt to ask very specific questions and wait for a response.

Furthermore, it doesn't seem helpful to suggest using completely different authentication methods on the server, when clearly the person asking the question is attempting to access the server himself, not configure a server for others to access, or have authority over what type of authentication is used.  In this instance it took multiple rounds of back-and-forth over multiple weeks before the very simple answer was provided.  I'm glad someone else went through all this so I didn't have to.

Just wanted to voice a wee bit of frustration here, that's all.  Appreciate the help.

Hi @Chris_Rodrigues,

Yes we can and should do better with our documentation. If you run across other examples that you feel are incomplete or could be more detailed please feel free to submit a ticket with technical support.

@sheila_loring can you have a look at this example to be sure this gets updated in a future release of the documentation.

cheers,

Stan