Salesforce SOAP SessionId as REST token - rest

I'm logging my users in using SOAP in my app. But then I want to use Analytics API, which is REST. But I don't want them to enter their credentials all over again.
Is there a way that I can use my already obtained SOAP sessionId as the token for REST API?
When I tried to do that, I got an authentication error back from the REST call. Did I miss something or is it just not possible?

Yes, it's possible: just use the SOAP session Id in the same place you'd use an access token you'd gotten via OAuth, by adding an Authorization: Bearer {sessionId} HTTP header to your REST API requests.
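As an added example (not code from the question, the answer, or Salesforce), here is the client side of that answer: the session id from the SOAP login is placed in the Authorization: Bearer header of the REST call. The serverUrl and sessionId values are constructed samples, the REST path is a hypothetical example path, and the host check is an added caveat: a session id is a credential, so it is only ever attached to requests for the instance that issued it.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample values shaped like a SOAP login response's serverUrl and sessionId
# (not real Salesforce credentials; the org id and session value are made up).
SAMPLE_SERVER_URL = "https://na1.salesforce.com/services/Soap/u/40.0/00Dxx0000000000"
SAMPLE_SESSION_ID = "00Dxx0000000000!AQcAQExampleSessionIdValue"


def bearer_headers(session_id):
    """The SOAP session id goes exactly where an OAuth access token would."""
    if not session_id or any(c.isspace() for c in session_id):
        raise ValueError("session id missing or malformed")
    return {"Authorization": "Bearer " + session_id}


def instance_base(server_url):
    """Scheme + host of the instance that issued the session (taken from the login serverUrl)."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("serverUrl must be an https URL")
    return urlunsplit(("https", parts.netloc, "", "", ""))


def safe_to_send(server_url, target):
    """True only if target resolves to the same https instance host.

    A session id must not be sent anywhere else (a redirect, a protocol-relative
    path, or a misconfigured base URL would otherwise leak it)."""
    base = instance_base(server_url)
    resolved = urlsplit(urljoin(base, target))
    return resolved.scheme == "https" and resolved.netloc == urlsplit(base).netloc


def rest_request(server_url, session_id, target):
    """Build (url, headers) for a REST call authenticated with the SOAP session id."""
    if not safe_to_send(server_url, target):
        raise ValueError("refusing to attach the session id to a request for another host")
    return urljoin(instance_base(server_url), target), bearer_headers(session_id)
```

Pass the returned url and headers to whatever HTTP client the app already uses; the only thing that changes versus an OAuth flow is where the token value came from.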

Related

What is the advantage of a custom API in Auth0?

Question
I got a problem with understanding some basic thing about auth0, probably someone can help me out.
In the tutorial SPA + API one of the first lines in the TL;DR is this:
Both the SPA and the API must be configured in the Auth0 Dashboard
I don't understand why I need to configure the API on Auth0. My code seems to work so can anyone help me understand if I do something wrong or what the advantages are if I actually add a custom API in my dashboard?
Setup
SPA (React)
Auth0
REST API (ktor)
What I do
Created a SPA on Auth0
Login on my SPA through Auth0 to get a JWT (google token)
Sending the JWT as authentication bearer in my calls to the REST API
REST API verifies the JWT token with a JWK provider using the Auth0 url mydomain.eu.auth0.com/.well-known/jwks.json.
Authentication seems to work
Great question, I am assuming that your authentication request includes an audience parameter which represents your custom API (REST API) right now. In OAuth2 terms, it is called a Resource Server. Each resource server can have many permissions which you include in the scope when initiating the authentication request. Let's step back and talk about the token format. Auth0 issues tokens in two formats:
Opaque strings: When not using a custom API
JSON Web Tokens (JWTs): When using a custom API
https://auth0.com/docs/tokens/reference/access-token/access-token-formats#how-does-all-this-affect-the-token-format-
As explained in the link above, the token format depends on the audience (Custom API) parameter. Therefore, when the authentication request includes an audience, Auth0 issues a JWT with all necessary permissions. Then, you need to validate the JWT in your API server before returning the resources to your front end client.
It should make sense why you need to create a custom API in Auth0 and define permissions. If you do not create a custom API in Auth0, there is no way to know what kind of permission you need in the token, which will generate an error (invalid audience specified).

registering a rest API with OAuth

I have written a web application which makes REST API calls to a message broker. The message broker contains already written REST APIs which can be used to get message broker data. The message broker is written in a way in which each REST API call sends the user name and password encoded with base64. I need to make a login to my web app and authenticate it with OAuth. Does anyone know how to do this? How to authenticate the REST APIs with OAuth?
Step 1: Add OAuth 2.0 to your web server. This is very standard with lots of libraries available. You did not specify the Identity Provider that you will use (Google, Facebook, Auth0, Okta, etc), but each vendor has documents and libraries for you to use in your desired language.
Step 2: Add an Authorization Header to your API calls. The standard method is to add the HTTP header Authorization: Bearer access_token when making an API call.
Step 3: Add OAuth token verification to your API. When your API receives a request, it extracts the Authorization header and verifies the Bearer token. How this is done depends on the Identity Provider. For example, some vendors provide a Signed JWT (which you verify with the vendor's public certificate), others provide an opaque access token (which you verify by calling the vendor's token endpoint). Add internal caching of tokens so that you don't need to verify on every API call.
If you understand OAuth 2.0 the above steps are straightforward to implement. If you don't, Oracle has a set of videos which are excellent for getting started understanding OAuth.
Oracle Cloud Primers
If your desired OAuth implementation does not require users logging in and is a server to server service that you control on both ends, then you can use just part of OAuth which is Signed JWT (JWS). You create a JSON data structure with your desired content and sign it with a private key. This creates a token that you can use in the above steps. You would then validate the token using your public key. You can use self-generated keypairs generated by OpenSSL or similar products for your signing and verification.
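The two answers above (the Auth0 one on JWT versus opaque tokens and audience validation, and this one on verifying a signed JWT with the issuer's public key, or signing your own for server to server use) describe the same resource-server check, so here is one added, stdlib-only example covering both. It is not code from either answer, from Auth0, or from any library: it generates a small RSA keypair (standing in for the IdP's signing key, or for your own OpenSSL-generated keypair), publishes the public half as a JWKS document of the kind served at /.well-known/jwks.json, mints an RS256 JWT, and then verifies it the way an API should: key selected by kid, alg pinned, signature checked, then exp, iss and aud validated. The issuer is built from the domain in the question; the API identifier, kid and claim values are hypothetical. The RSA code is there to make the mechanics visible; a production API would use a vetted crypto library for the same steps.

```python
import base64
import hashlib
import hmac
import json
import random
import time

rng = random.SystemRandom()  # OS randomness; the stdlib default generator is not suitable for keys
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DER prefix

def is_probable_prime(n, rounds=24):
    """Miller-Rabin for large odd candidates."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=1024):
    """Toy keypair, enough to show the mechanics (use openssl or a crypto library for real keys)."""
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def pkcs1_v15_encode(digest, k):
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, data):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_encode(hashlib.sha256(data).digest(), k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, data, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(m, pkcs1_v15_encode(hashlib.sha256(data).digest(), k))

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def public_jwks(key, kid):
    """What an IdP serves at /.well-known/jwks.json: the public parts only."""
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def mint_jwt(key, kid, claims):
    """Issue an RS256 JWT: the IdP's job, or yours in the server-to-server case."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

def is_jwt(token):
    """An opaque access token is not three base64url parts with a JSON header."""
    parts = token.split(".")
    try:
        return len(parts) == 3 and "alg" in json.loads(unb64u(parts[0]))
    except (ValueError, TypeError):
        return False

def verify_jwt(token, jwks, audience, issuer, now=None):
    """Resource-server check. Returns (claims, None) on success, (None, reason) otherwise."""
    if not is_jwt(token):
        return None, "opaque token, not a JWT: was an audience (custom API) requested?"
    h, p, s = token.split(".")
    header = json.loads(unb64u(h))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose the verifier
        return None, "unexpected alg"
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if jwk is None:
        return None, "unknown kid"
    n, e = (int.from_bytes(unb64u(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), unb64u(s)):
        return None, "bad signature"
    claims = json.loads(unb64u(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "invalid audience specified"
    return claims, None

def has_scope(claims, needed):
    return needed in (claims.get("scope") or "").split()

# Constructed demo values: issuer built from the question's domain, hypothetical API identifier.
ISSUER = "https://mydomain.eu.auth0.com/"
AUDIENCE = "https://my-ktor-api.example"
KID, NOW = "demo-key-1", 1_700_000_000
IDP_KEY = gen_rsa_key()           # stands in for the IdP's key, or your own self-generated keypair
JWKS = public_jwks(IDP_KEY, KID)  # what the API fetches (and caches) from the IdP
TOKEN = mint_jwt(IDP_KEY, KID, {"iss": ISSUER, "sub": "google-oauth2|1234", "aud": AUDIENCE,
                                "iat": NOW, "exp": NOW + 3600, "scope": "read:reports"})
```

The order of checks matters: signature first, then the claims, and the audience check is what turns "a valid token from this IdP" into "a token meant for this API". A token minted for a different audience, an expired token, an opaque string, or a payload edited after signing are all rejected by verify_jwt with a distinct reason, which is also what you want to log on the server.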

Is there a way to make sure that the google-smart-home webhook request is from Google other than validating Authorization header?

I'm developing a google-smart-home action. I want to authenticate requests by API Key.
So...
Is there a way to add my original header value to HTTPS request from Google-Smart-Home?
If there is no way...
Is there a way to make sure that the google-smart-home webhook request is from Google other than validating Authorization header?
Requests are authenticated using OAuth 2 and an authentication code flow, not an API key. There is not a way to add a header value.

Should I make access_token endpoint as part of a REST API or as a completely new service

If I have a REST API and I want to make my own authentication system is it appropriate to make an /access_token endpoint and treat it like a REST resource or should I create a separate service for handling generation of authentication tokens etc...?
The reason I ask is this...
For a REST endpoint when you make a POST request doesn't the response want to contain a link to the resource so that you can GET it? What I really want to do is return the access token as part of the response of the POST request but this seems to break the paradigm of REST and would make it different from the rest of the API, this leads me to think that the authentication should be handled by a different service.
I'll assume you're talking about the OAuth 2.0 standard, which never forces the separation between the Authorization Server and the Resource Server.
As for the other question, the access_token endpoint ought to respond to a valid POST request with a response message that contains the actual token, without this being against REST principles.

Rest Web service Implementation with ZEND

I need to develop a REST Web Service using ZEND Framework. I am new to this area. I would like to know how I can authenticate users' requests to my web service. Assume I am giving a token to all the people who use my web service. I can ask them to pass the token on every request. But please suggest if there is a standard / better way to implement authentication for a REST web service.
Thank you.
Prasad
I usually include the token in the http header with each request then on the server parse the header and validate the token.
X-Authorization-Token: <some hash value>
It's also completely acceptable to do as you are suggesting and require the user to send the token as part of the GET/POST/PUT/DELETE request as you would with a standard page. I have seen others put the value in a COOKIE as well.
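As an added example (not from the answer, and not Zend code; it is written in Python so the logic reads the same whatever framework hosts the endpoint), here is the server side of the scheme the answer describes: the token is read from the X-Authorization-Token header (or, as a fallback, from a standard Authorization: Bearer header) and checked against a store. The store is an in-memory dict constructed here, and the user names are made up. The one design point the answer does not spell out: persist only a hash of each issued token, so a copied database does not hand out working credentials, and hash the presented token before the lookup so that the lookup itself reveals nothing about the raw value.

```python
import hashlib
import secrets


def _digest(token):
    """Tokens are random and high-entropy, so an unsalted SHA-256 is enough to protect the store."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(store, user):
    """Create a random API token, persist only its hash, and hand the raw value to the client once."""
    raw = secrets.token_urlsafe(32)
    store[_digest(raw)] = user
    return raw


def revoke_token(store, raw):
    """Drop a token by its raw value (what a logout endpoint would call)."""
    return store.pop(_digest(raw), None) is not None


def extract_token(headers):
    """Read the custom header from the answer, or a standard Authorization: Bearer header."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-authorization-token", "").strip():
        return h["x-authorization-token"].strip()
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return None


def authenticate(headers, store):
    """Return the user for a valid token, else None (the request should then get a 401)."""
    token = extract_token(headers)
    if not token:
        return None
    return store.get(_digest(token))
```

In a Zend controller the same three calls would sit in a pre-dispatch hook: extract the header, look up the hash, and reject the request before any action runs if authenticate returns nothing.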