- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
How do I use Kerberos authentication HTTP request
Hi,
Does anyone knows if Kerberos autehtication can be used with the HTTP request method from jmp? I have a API I would like to connect using this authentication method. What are the different authentication methods that can be used? Is there any cURL object in JMP (https://curl.haxx.se/)? It would be nice if you could provide an example, if available. Thank you in advance.
Here is a sample of a request
request_headers = AssociativeArray();
request_headers["Authorization"] = "";//Kerberos example
request = New HTTP Request(
URL( url ), // the restAPI endpoint
Method( "Get" ),
Headers(request_headers),
Query String( // define key pairs
[["count" => limit]] // JSL associative array
)
);
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi all,
For context, I am trying to connect to an OsiSoft server for which secure authentication is needed.
Just to update and clarify, I know the authentication method should be in the HTTP get method, however I am still missing how to specify the parameter for using other authentication methods. I understand that there is something similar to curl in the jmp http request method. Can anyone explain me how can we specify something similar for authentication as the following PHP code using curl? Thank you.
$url = "someurl.com";
$ch = curl_init ( $url );
curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt ( $ch, CURLOPT_SSL_VERIFYPEER, false );
curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
curl_setopt($ch, CURLOPT_USERPWD, ":");
$result = curl_exec ( $ch );
$json_o = json_decode ( $result );
var_dump($json_o);
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @CAPEGA,
Unfortunately, we will need some additional information here to assist you further.
Which host are you using, that is, are you using a Mac or Windows?
What is the endpoint you are trying to reach?
What have you tried?
Do you get any errors?
Are you using a proxy server?
cheers,
Stan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @stan_koprowski,
Thanks you for your help. See below the answers to your questions:
> What is the endpoint you are trying to reach?
url = "https://piserver123.example.com/piwebapi";
request = New HTTPRequest(
URL( url ),
Method( "Get" ),
Query String(
[["selectedFields" => "Items"]]
),
Secure(0)
);
json = request << Send();
jsl_json = Parse JSON( json );
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @CAPEGA
Thanks for the additional information. While Kerberos is an option as you stated as a valid means to establishing authentication newer more modern options in my opinion that use SSL to authenticate are preferred and are often thought of as the "current standard". With SSL you're asserting for yourself (via public/private key), whereas, in Kerberos, even with public key cryptography (PKC) for session keys, the server (3rd party) is still doing the confirmation for you. Additionally, another benefit is SSL also encrypts the transfer of data.
While Kerberos is a valid way of establishing authentication I would recommend a different option. Based on what I read using the link provided previously there are some settings for the Pi Web API that would allow for bearer authentication using OpenID connect (OAuth 2.0 based). The advantage here is that the you have one login for multiple sites. The PI administrator would need to configure these changes. This feature is available beginning with the PI Web API 2017 release.
Most of the documentation for OSI Pi is not accessible to the general public so I cannot create a specific example. I'd be happy to work with you directly if you are so inclined. Please send me a private message and we can connect if you would like to pursue this option.
However, here is an example of using OpenID to access your Google profile picture (if you have a Google account ).
Names Default To Here( 1 );
/*
Note: the "code" parameter is set automatically after the redirect occurs
*/
auth_url = "https://accounts.google.com/o/oauth2/v2/auth";
token_url = "https://www.googleapis.com/oauth2/v4/token";
redirect_url = "http://localhost/myapp/";
client_id = "581786658708-elflankerquo1a6vsckabbhn25hclla0.apps.googleusercontent.com";
client_secret = "3f6NggMbPtrmIBpgx-MK2xXK";
scope = "openid profile";
auth_fields = [=> ];
token_fields = [=> ];
oauth2 = New OAuth2();
oauth2 << Grant Type( "Authorization Code" );
oauth2 << Auth URL( auth_url );
oauth2 << Token URL( token_url );
oauth2 << Redirect URL( redirect_url );
auth_fields["scope"] = scope;
auth_fields["client_id"] = client_id;
token_fields["client_secret"] = client_secret;
oauth2 << Auth Fields( auth_fields );
oauth2 << Token Fields( token_fields );
auth_header = oauth2 << Get Auth Header();
request = New HTTP Request( URL( "https://www.googleapis.com/oauth2/v3/userinfo" ), Headers( {auth_header} ), Method( "GET" ) );
data = request << Send;
If( !Is Empty( data ),
json_jsl = Parse JSON( data );
If( json_jsl << Contains( "picture" ),
picture_url = json_jsl["picture"];
New Window( "Example", Picture Box( Open( picture_url ) ) );
,
Show( data )
);
);
cheers,
Stan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @stan_koprowski ,
Thanks for your suggestion, those mechanisms are maybe very common on the (public) internet but inside a company (private) network, it is not that obvious. So to get back to the original question : is there an option of the JMP HTTP request object that will be compatible with the Windows authentication mechanism that is in place today with all our PI servers ?
Cheers,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @CAPEGA,
I missed this one...Sorry for the long delay in responding to this post.
To use Kerberos to negotiate with http request you can use the following:
Password(":")
// use webids for retrieving tags; get tag for particular webid
For( i = 1, i<=NItems(webids), i++,
url_str = srvrname || "/streams/" || webids[i] || "/value";
strms = New HTTP Request(
URL( url_str ),
Method( "get" ),
Headers( {"Accept: application/json"} ),
Password(":") //for Kerberos authentication
) << Send;
dt_strms = json to data table( strms );
//convert timestamp to JMP date format
dt_strms << New Column( "Time",
Numeric,
Format( "y/m/d h:m:s", 22, 0 ),
Input Format( "y/m/d h:m:s", 0 ),
Formula(
Try(
delims = "-:TZ";
rowWords = Words( :Timestamp, delims );
{};
YearChoice = 1;
{};
{};
Date MDY( Num( Uppercase( rowWords[2] ) ), Num( rowWords[3] ), Num( rowWords[1] ) + 0 ) + Num( rowWords[6] )
+Num( rowWords[5] ) * 60 + (Num( rowWords[4] ) + 0) * 3600 + If( Num( rowWords[4] ) < 12,
0,
0
);
)
)
);
dt_strms = json to data table( strms, Invisible ); //hide table
//concatenate into a single table
If( i == 1, dt_tag_rslts = New Table( "Stream Results", Invisible );
,
dt_tag_rslts << Concatenate( Data Table( dt_strms), "Append to first table" );
Close( dt_strms, "No Save" );
);
);
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
If you don't have to log into a realm then this:
//kerberos
url = "http://my_server_with_kerberos/some_endpoint";
request = New HTTP Request(
Method("GET"),
URL(url),
Password(":")
);
request << Send;
Should do it. Note the Password(":");
If you do need to log into your company's realm, then something like this (this does a form-based login):
//login to company realm
url = "https://corporate_realm/login";
values = AssociativeArray();
values["IDToken1"] = "";
values["IDToken2"] = "";
request = New HTTP Request(
Method("POST"),
URL(url),
QueryString([
"realm" => "/my_realm"
]),
Form(Fields(values)),
);
request << Send;
can be used.
However logging into corporate realms is generally company specific.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
@stan_koprowski thanks, this solved my problem as well. I do have a follow-up question, though.
Why are so many things like this un-documented, such that they require forum searches to find the solution? Especially in this case, where the solution was so incredibly simple:
Password(":") //for Kerberos authentication
This could easily be placed in the JMP Help under "Examples of HTTP Requests" and then people like myself and @CAPEGA wouldn't have to search discussion threads for the answer, and if it's not already there, attempt to ask very specific questions and wait for a response.
Furthermore, it doesn't seem helpful to suggest using completely different authentication methods on the server, when clearly the person asking the question is attempting to access the server himself, not configure a server for others to access, or have authority over what type of authentication is used. In this instance it took multiple rounds of back-and-forth over multiple weeks before the very simple answer was provided. I'm glad someone else went through all this so I didn't have to.
Just wanted to voice a wee bit of frustration here, that's all. Appreciate the help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Re: How do I use Kerberos authentication HTTP request
Hi @Chris_Rodrigues,
Yes we can and should do better with our documentation. If you run across other examples that you feel are incomplete or could be more detailed please feel free to submit a ticket with technical support.
@sheila_loring can you have a look at this example to be sure this gets updated in a future release of the documentation.
cheers,
Stan