- This topic has 8 replies, 5 voices, and was last updated 1 year, 1 month ago by
.
-
Topic
-
Hi,
REST API using java/ws-rawclient outbound.
Need to send GET request to retrieve oauth2 token, then plug that token into https header {Bearer token} on outbound POST msg with HL7 payload. Token can also expire so I need to evaluate token from response and re-issue token request if expired.
Have the GET working, see the encrypted token in the header of ib-reply but can’t seem to extract it from the USERDATA. Have tried “keylget” and “string first” [looking for “token”] in userdata but not getting token value returned.
Output from Clover (19.1.1) logfile below:
Suggestions appreciated. Thanks!
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:08/31/2022 16:04:24] org.apache.cxf.interceptor.LoggingOutInterceptor:INFO: Outbound Message
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] —————————
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] ID: 3
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Address: https://masshiway-services-cert.hhs.state.ma.us/HHS/API/jwt/gettoken?scope=SyndromicAPIService&id=123
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Http-Method: GET
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Content-Type:
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Headers: {Authorization=[Basic VFVGVFNNRURDRVJUOiRIbDchZWUkdXJucSM4MDA=], Accept=[*/*]}
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Payload: MSH|^~\&||… …OBX|7|TX|10182-4^History of travel Narrative^LN|7|No||||||F
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] ————————————–[java:java:INFO/1:MDPH_Syndromic_REST_API_0:08/31/2022 16:04:24] org.apache.cxf.interceptor.LoggingInInterceptor:INFO: Inbound Message
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] —————————-
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] ID: 3
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Response-Code: 200
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Encoding: ISO-8859-1
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Content-Type: application/soap+xml;
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] Headers: {connection=[keep-alive], content-type=[application/soap+xml;], Date=[Wed, 31 Aug 2022 20:04:24 GMT], Keep-Alive=[timeout=75], Server=[], token=[eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJEUFY2MDEiLCJleHAiOjE2NjE5NzY1NjQuNzIsImF0b21pY3JvbGVfbW9kdWxlIjoiNDQzL0hIUy9BUEkvc2VydmljZS9ITDcvU3luZHJvbWljIiwiY2xpZW50X2lkIjoiVFVGVFNNRURDRVJUIn0.VQK2YD1zkCAConfjaXxnbTr3NwY-5GvVM8aanDMuHoCbm6KJcyORditQgA7edpEVawwMEh7TXEzxPvswmY3khYJX8Oh9Yh0aGjwSyuV2woBJNypv60saYv9YjNhdh2wAEZrD-myV9qTN4UVj-woNtj8Cr-eEHwDvW7DQgPjoMcc_jSkYI5-RteDubjqSs0HBrCT1fttDeIzHrQ5mO8gukUiXaleQhXu3Sc87eXO_OEvYD2rDMpDXQ4GwViSnukVL_-YLD3pCo_vfBkm-RLTbQfbrlNsV9tJ6mGqQzTQfhp-oByZ1dy5SkdXMBvzQ0M7ftCGuM_Z-wwZ-WjnEQsfgBQ], transfer-encoding=[chunked], X-Backside-Transport=[OK OK,FAIL FAIL], X-Global-Transaction-ID=[23056659630fbec8165abce1]}
[java:java:INFO/1:MDPH_Syndromic_REST_API_0:–/–/—- –:–:–] ————————————–[tcl :out :INFO/0:MDPH_Syndromic_REST_API:08/31/2022 16:04:24] userdata = {httpResponseInfo OK} {httpResponseHeaders {{Keep-Alive timeout=75} {transfer-encoding chunked} {Server {}} {X-Backside-Transport OK\ OK,FAIL\ FAIL} {connection keep-alive} {content-type application/soap+xml\;} {X-Global-Transaction-ID 23056659630fbec8165abce1} {Date Wed,\ 31\ Aug\ 2022\ 20:04:24\ GMT} {token eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJEUFY2MDEiLCJleHAiOjE2NjE5NzY1NjQuNzIsImF0b21pY3JvbGVfbW9kdWxlIjoiNDQzL0hIUy9BUEkvc2VydmljZS9ITDcvU3luZHJvbWljIiwiY2xpZW50X2lkIjoiVFVGVFNNRURDRVJUIn0.VQK2YD1zkCAConfjaXxnbTr3NwY-5GvVM8aanDMuHoCbm6KJcyORditQgA7edpEVawwMEh7TXEzxPvswmY3khYJX8Oh9Yh0aGjwSyuV2woBJNypv60saYv9YjNhdh2wAEZrD-myV9qTN4UVj-woNtj8Cr-eEHwDvW7DQgPjoMcc_jSkYI5-RteDubjqSs0HBrCT1fttDeIzHrQ5mO8gukUiXaleQhXu3Sc87eXO_OEvYD2rDMpDXQ4GwViSnukVL_-YLD3pCo_vfBkm-RLTbQfbrlNsV9tJ6mGqQzTQfhp-oByZ1dy5SkdXMBvzQ0M7ftCGuM_Z-wwZ-WjnEQsfgBQ}}} {httpResponseCode 200}
[tcl :out :INFO/0:MDPH_Syndromic_REST_API:08/31/2022 16:04:24] responseCd = httpResponseCode 200[xlt :rout:ERR /0:oauth2_Test_xlate:08/31/2022 16:04:24] [0.0.422980] No reply route defined for trxid ” and destination ‘2_x_Syndromic_CrossSite’. Please define a route with ‘2_x_Syndromic_CrossSite’ as one of its destinations in “Route Replies”
Engine idle — 08/31/2022 16:04:34
-
Replies
-
-
Not sure its a keyed list. Try to echo the USERDATA separately with a few LF before and after to make it stand out. You try something like : In an IB Reply proc.
Assume USERDATA is in variable myuser
set myuser [msgmetaget $mh USERDATA]foreach ky [keylkeys myuser] {echo KEY: $ky DATA: [keylget myuser $ky]}
-
Your token should be retrievable from the USERDATA keyed list. It looks like you’re getting this keyed list back:
userdata = {httpResponseInfo OK} {httpResponseHeaders {{Keep-Alive timeout=75} {transfer-encoding chunked} {Server {}} {X-Backside-Transport OK\ OK,FAIL\ FAIL} {connection keep-alive} {content-type application/soap+xml\;} {X-Global-Transaction-ID 23056659630fbec8165abce1} {Date Wed,\ 31\ Aug\ 2022\ 20:04:24\ GMT} {token eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJEUFY2MDEiLCJleHAiOjE2NjE5NzY1NjQuNzIsImF0b21pY3JvbGVfbW9kdWxlIjoiNDQzL0hIUy9BUEkvc2VydmljZS9ITDcvU3luZHJvbWljIiwiY2xpZW50X2lkIjoiVFVGVFNNRURDRVJUIn0.VQK2YD1zkCAConfjaXxnbTr3NwY-5GvVM8aanDMuHoCbm6KJcyORditQgA7edpEVawwMEh7TXEzxPvswmY3khYJX8Oh9Yh0aGjwSyuV2woBJNypv60saYv9YjNhdh2wAEZrD-myV9qTN4UVj-woNtj8Cr-eEHwDvW7DQgPjoMcc_jSkYI5-RteDubjqSs0HBrCT1fttDeIzHrQ5mO8gukUiXaleQhXu3Sc87eXO_OEvYD2rDMpDXQ4GwViSnukVL_-YLD3pCo_vfBkm-RLTbQfbrlNsV9tJ6mGqQzTQfhp-oByZ1dy5SkdXMBvzQ0M7ftCGuM_Z-wwZ-WjnEQsfgBQ}}} {httpResponseCode 200}
This matches what the clover docs says about the format of USERDATA for web service calls. Here’s an example of the USERDATA keyed list for an outbound ws call:
{httpRequestHeaders {{Accept */*} {Cache-Control no-cache} {connection keep-alive} {Content-Length 1392} {content-type {application/soap+xml; charset=UTF-8}} {Host localhost:9003} {Pragma no-cache} {User-Agent {Apache CXF 2.4.2}}}} {httpRequestInfo {{method POST} {requestURL http://localhost:9003/xdsregistryb} {path /xdsregistryb}}}
So, to get the token in your ib reply, you would first get the USERDATA keyed list, then get the httpResponseHeaders keyed list, then get the token. You can’t use keylget to directly get token without first working your way into the nested list.
Also, I see you have an error about no reply route defined for your ws call. Not sure if that is just a benign issue for you or not. We typically set up a reply route and extract the access token with some tcl code in the reply route.
-
USERDATA was keyed list; was able to get the token by “drilling” down through the nested list, per @don-martinsanfordhealth-org suggestion. I had been trying to access token directly from the USERDATA keyed list
“So, to get the token in your ib reply, you would first get the USERDATA keyed list, then get the httpResponseHeaders keyed list, then get the token. You can’t use keylget to directly get token without first working your way into the nested list.”
… then I decoded the token so that I can check the expiration time (“exp” from below):
DecodedToken = DECODE {“alg”:”RS256″}{“iss”:”DPV601″,”exp”:1662054993.705,”atomicrole_module”:”443/HHS/API/../../..”,”client_id”:”….”}
Thanks … more to follow!
-
Update:
I’m able to send the GET request to the TOKEN endpoint, pull the token out of the https reply and evaluate token expiration time but stuck at this point.
Need to put the token in the header for subsequent POST request.
Not sure how to: 1) put the token I’ve isolated into the header ; 2) generate the POST msg once the token has been received from the response to the original GET token request
Config setup of thread is attached
As always, thanks for any feedback
-
-
Update – reinvestigating this as we got sidetracked.
Current status:
Syndromic data passing to state endpoint via outbound java/ws-rawclient thread. Two conduits defined on thread – 1) to state hl7 api svc & 2) to state api token service
Two RawConsumers defined on thread: 1) POST_API & 2) TOKEN_REQ
Thread outbound tab, pre-write Proc: tclproc to send GET request to TOKEN_REQ consumer.
On TPSinboundReply: separate tclproc to evaluate https reponse, pull token out of response headers, evaluate token expiration
Here’s where I’m stuck.
Unable to take token and put in in header for subsequent POST request to POST_API consumer and endpoint
The message data does not seem available at that point. Just have the response data; response data just sending token, no message data.
Would like to avoid using two outbound threads if possible.
Thinking I may need to store token in local file and modify GET tclproc to check the token value first, then building conditional logic to branch to GET or POST request.
Open to other suggestions. Feel I’m missing something
-
Hello Bill,
I have been able to figure out how to get oauth2 inbound token working on our world but your mileage may vary. Below is some code that I use to check a oauth2 Token from Ping Federal. Basically your code has to take the RequestHeaders from the USERDATA that the java ws process sends the inbound data to. On the inbound tab the code below is the first one on the tclproc list. From the way I understand things the code only has to check if the access token has expired and is the one your are expecting. Again your world may be different.
<pre># get the x-Access-Token out of the Request Headers
set RecievedToken [keylget RequestHeaders “x-Access-Token”]
if { $debug } { puts “$module x-Access-Token: $Recieved” }set BadToken 0 ; set period “.”
set tokenList [split ${RecievedToken} $period]
set UserTokenInfoEncoded [lindex ${tokenList} 1]
if { $debug } { puts “$module UserTokenInfoEncoded –> $UserTokenInfoEncoded” }set UserTokenInfoDecoded [base64::decode ${UserTokenInfoEncoded}]
if { $debug } { puts “$module UserTokenInfoDecoded –> $UserTokenInfoDecoded” }
set UserTokenDict [json::json2dict $UserTokenInfoDecoded]if { ![string is list $UserTokenDict] || ( [llength $UserTokenDict] & 1 ) } {
set BadToken 1
}set TokenScope [dict get $UserTokenDict scope]
set TokenClientId [dict get $UserTokenDict client_id]
set TokenExpiry [dict get $UserTokenDict exp]if { $debug } {
puts “$module TokenScope –> $TokenScope\n$module TokenClientId –> $TokenClientId\n$module TokenExpiry –> $TokenExpiry”
}set Now [getclock]
if { ${Now} < ${TokenExpiry} } {
set BadToken 0 ;# the Token has not expired
puts “$module $TokenClientId token has not expired”
} else {
set BadToken 1
puts “$module $TokenClientId token has EXPIRED”
}if { [lsearch -exact $AllowedClientList $TokenClientId] == -1 } {
set BadToken 1 ;# the client in the Access Token is not expected on this thread
puts “$module $TokenClientId is not expected on this interface as it is not in the ARGS list sent in”
}off line info:
robert . m . lindsey at questdiagnostics . com</pre>
remove spaces and replace at with the proper characters.Rob
-
Hi Bill,
Have you gotten any further with your OAUTH2 development? I need to implement an outbound REST interface with JSON Web Tokens and don’t want to reinvent the wheel.
It would be great if someone could upload the configuration details (Box?) containing both a receiving (Server) and sending (Client) threads for testing purposes.
Best regards from Germany! Jim Vilbrandt
-
- You must be logged in to reply to this topic.
