cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JMP is taking Discovery online, April 16 and 18. Register today and join us for interactive sessions featuring popular presentation topics, networking, and discussions with the experts.
Choose Language Hide Translation Bar
CAPEGA
Level III

How do I use Kerberos authentication HTTP request

Hi,

 

Does anyone knows if Kerberos autehtication can be used with the HTTP request method from jmp? I have a API I would like to connect using this authentication method.  What are the different authentication methods that can be used? Is there any cURL object in JMP (https://curl.haxx.se/)? It would be nice if you could provide an example, if available. Thank you in advance.

 

Here is a sample of a request

request_headers = AssociativeArray();
request_headers["Authorization"] = "";//Kerberos example

request = New HTTP Request(
	URL( url ), // the restAPI endpoint
	Method( "Get" ),
	Headers(request_headers),
	Query String( // define key pairs
		[["count" => limit]] // JSL associative array
	)
);
11 REPLIES 11
CAPEGA
Level III

Re: How do I use Kerberos authentication HTTP request

Hi all,

 

For context, I am trying to connect to an OsiSoft server for which secure authentication is needed.

Just to update and clarify, I know the authentication method should be in the HTTP get method, however I am still missing how to specify the parameter for using other authentication methods. I understand that there is something similar to curl in the jmp http request method. Can anyone explain me how can we specify something similar for authentication as the following PHP code using curl? Thank you.

 

$url = "someurl.com";

    $ch = curl_init ( $url );  
     curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );  
    curl_setopt ( $ch, CURLOPT_SSL_VERIFYPEER, false );  
    curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);  
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);  
    curl_setopt($ch, CURLOPT_USERPWD, ":");  
     $result = curl_exec ( $ch );  
     $json_o = json_decode ( $result );
    var_dump($json_o);

stan_koprowski
Community Manager Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA,

Unfortunately, we will need some additional information here to assist you further.

 

Which host are you using, that is, are you using a Mac or Windows?

What is the endpoint you are trying to reach?

What have you tried?

Do you get any errors?

Are you using a proxy server?

 

cheers,

Stan

CAPEGA
Level III

Re: How do I use Kerberos authentication HTTP request

Hi @stan_koprowski,

Thanks you for your help. See below the answers to your questions:

 

> Which host are you using, that is, are you using a Mac or Windows?
 
The OsiSoft server running the PI Web API.
 
 
The server is running on Windows.

> What is the endpoint you are trying to reach?
 
Any endpoint of the OsiSoft Web API, the first one to try is:
 
 
> What have you tried?
 
Here a very reduced version of the code:
 
url = "https://piserver123.example.com/piwebapi";
request = New HTTPRequest(
	URL( url ),
	Method( "Get" ),
	Query String( 
		[["selectedFields" => "Items"]]
	),
	Secure(0)
);

json = request << Send();
jsl_json = Parse JSON( json );
 
> Do you get any errors?
 
The API returns "Authorization has been denied for this request.". In JMP the error is: "HTTP/1.1 401 Unauthorized"
 
Which is the expected answer if the identity of the user running the request is not correctly recognized.
 
So the "trick" is to understand how to activate the equivalent of the "--negotiate" option of cURL (see man page here https://curl.haxx.se/docs/manpage.html ).
 
> Are you using a proxy server?
 
No.
 
Thanks!

 

stan_koprowski
Community Manager Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA 

Thanks for the additional information.  While Kerberos is an option as you stated as a valid means to establishing authentication newer more modern options in my opinion that use SSL to authenticate are preferred and are often thought of as the "current standard".  With SSL you're asserting for yourself (via public/private key), whereas, in Kerberos, even with public key cryptography (PKC) for session keys, the server (3rd party) is still doing the confirmation for you.  Additionally, another benefit is SSL also encrypts the transfer of data.

 

While Kerberos is a valid way of establishing authentication I would recommend a different option. Based on what I read using the link provided previously there are some settings for the Pi Web API that would allow for bearer authentication using OpenID connect (OAuth 2.0 based).  The advantage here is that the you have one login for multiple sites.  The PI administrator would need to configure these changes.  This feature is available beginning with the PI Web API 2017 release.

 

Most of the documentation for OSI Pi is not accessible to the general public so I cannot create a specific example.  I'd be happy to work with you directly if you are so inclined.  Please send me a private message and we can connect if you would like to pursue this option.

 

However, here is an example of using OpenID to access your Google profile picture (if you have a Google account ). 

 

Names Default To Here( 1 );
 
/*
Note: the "code" parameter is set automatically after the redirect occurs
*/
auth_url = "https://accounts.google.com/o/oauth2/v2/auth";
token_url = "https://www.googleapis.com/oauth2/v4/token";
redirect_url = "http://localhost/myapp/";
client_id = "581786658708-elflankerquo1a6vsckabbhn25hclla0.apps.googleusercontent.com";
client_secret = "3f6NggMbPtrmIBpgx-MK2xXK";
scope = "openid profile";
auth_fields = [=> ];
token_fields = [=> ];
			 
oauth2 = New OAuth2();
oauth2 << Grant Type( "Authorization Code" );
oauth2 << Auth URL( auth_url );
oauth2 << Token URL( token_url );
oauth2 << Redirect URL( redirect_url );
			 
auth_fields["scope"] = scope;
auth_fields["client_id"] = client_id;
token_fields["client_secret"] = client_secret;
			 
oauth2 << Auth Fields( auth_fields );
oauth2 << Token Fields( token_fields );
			 
auth_header = oauth2 << Get Auth Header();
request = New HTTP Request( URL( "https://www.googleapis.com/oauth2/v3/userinfo" ), Headers( {auth_header} ), Method( "GET" ) );
data = request << Send;
If( !Is Empty( data ),
	json_jsl = Parse JSON( data );
	If( json_jsl << Contains( "picture" ),
		picture_url = json_jsl["picture"];
		New Window( "Example", Picture Box( Open( picture_url ) ) );
	,
		Show( data )
	);
);

 cheers,

Stan

CAPEGA
Level III

Re: How do I use Kerberos authentication HTTP request

Hi @stan_koprowski ,

 

Thanks for your suggestion, those mechanisms are maybe very common on the (public) internet but inside a company (private) network, it is not that obvious.  So to get back to the original question : is there an option of the JMP HTTP request object that will be compatible with the Windows authentication mechanism that is in place today with all our PI servers ?

 

Cheers,

stan_koprowski
Community Manager Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA,

I missed this one...Sorry for the long delay in responding to this post.

To use Kerberos to negotiate with http request you can use the following:

Password(":") 

 

// use webids for retrieving tags; get tag for particular webid 
	For( i = 1, i<=NItems(webids), i++,
		url_str = srvrname || "/streams/" || webids[i] || "/value";
		strms = New HTTP Request(
			 URL( url_str ),
				Method( "get" ),
				Headers( {"Accept: application/json"} ),
				Password(":") //for Kerberos authentication
		) << Send;

		dt_strms = json to data table( strms );
		//convert timestamp to JMP date format
		dt_strms << New Column( "Time",
		Numeric,
		Format( "y/m/d h:m:s", 22, 0 ),
		Input Format( "y/m/d h:m:s", 0 ),
		Formula(
				Try(
					delims = "-:TZ";
					rowWords = Words( :Timestamp, delims );
					{};
					YearChoice = 1;
					{};
					{};
					Date MDY( Num( Uppercase( rowWords[2] ) ), Num( rowWords[3] ), Num( rowWords[1] ) + 0 ) + Num( rowWords[6] )
					+Num( rowWords[5] ) * 60 + (Num( rowWords[4] ) + 0) * 3600 + If( Num( rowWords[4] ) < 12,
						0,
						0
					);
				)
			)
		);
		dt_strms = json to data table( strms, Invisible );  //hide table
		//concatenate into a single table
		If( i == 1, dt_tag_rslts = New Table( "Stream Results", Invisible );
		,
			dt_tag_rslts << Concatenate( Data Table( dt_strms), "Append to first table" );
			Close( dt_strms, "No Save" );
		);
	);

Re: How do I use Kerberos authentication HTTP request

If you don't have to log into a realm then this:

//kerberos
url = "http://my_server_with_kerberos/some_endpoint";
request = New HTTP Request(
	Method("GET"),
	URL(url),
	Password(":")
);
request << Send;

Should do it. Note the Password(":");

 

If you do need to log into your company's realm, then something like this (this does a form-based login):

//login to company realm
url = "https://corporate_realm/login";

values = AssociativeArray();
values["IDToken1"] = "";
values["IDToken2"] = "";

request = New HTTP Request(
	Method("POST"),
	URL(url),
	QueryString([
		"realm" => "/my_realm"
	]),
	Form(Fields(values)),
);
request << Send;

can be used.

However logging into corporate realms is generally company specific.

Chris_Rodrigues
Level III

Re: How do I use Kerberos authentication HTTP request

@stan_koprowski thanks, this solved my problem as well.  I do have a follow-up question, though.

 

Why are so many things like this un-documented, such that they require forum searches to find the solution?  Especially in this case, where the solution was so incredibly simple:

 

Password(":") //for Kerberos authentication

This could easily be placed in the JMP Help under "Examples of HTTP Requests" and then people like myself and @CAPEGA wouldn't have to search discussion threads for the answer, and if it's not already there, attempt to ask very specific questions and wait for a response.

 

Furthermore, it doesn't seem helpful to suggest using completely different authentication methods on the server, when clearly the person asking the question is attempting to access the server himself, not configure a server for others to access, or have authority over what type of authentication is used.  In this instance it took multiple rounds of back-and-forth over multiple weeks before the very simple answer was provided.  I'm glad someone else went through all this so I didn't have to.

 

Just wanted to voice a wee bit of frustration here, that's all.  Appreciate the help.

 

stan_koprowski
Community Manager Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @Chris_Rodrigues,

 

Yes we can and should do better with our documentation. If you run across other examples that you feel are incomplete or could be more detailed please feel free to submit a ticket with technical support.

@sheila_loring can you have a look at this example to be sure this gets updated in a future release of the documentation.

 

cheers,

Stan