AnsweredAssumed Answered

Authentication and Authorization Web Service Session Tokens

Question asked by CBertagnolli Champion on Jan 27, 2015
Latest reply on Oct 26, 2018 by Shrikanth.Mayuram

Anyone know if it's possible to utilize the token value from a standard Web Agent cookie against the CA provided authentication/authorization web services?

 

-----------------------------

High Level Example

I've got 1 Web Agent application: standard web based application. And I've also got 2x applications hosting up some web services/other functions that I need to call outside of the browser and on behalf of the user.

 

I've already got an SPS hosting up the authentication and authorization web services for SOAP/REST.

 

Setup:

- AuthN/AuthZ SPS (SPS)

- Web Service App (ServiceApp)

- Web Agent App (UserApp)

- 1x Authentication directory

 

Desired Flow

- I access UserApp and log in to obtain SMESSION

- I select resource /myrequests

- UserApp takes the value of SMSESSION and passes to ServiceApp (contains appid + resource)

- ServiceApp forms SOAP and sends token+appid+resource to SPS

- SPS responds with success to ServiceApp (contains username, etc)

- ServiceApp returns requested functions to UserApp (whatever logic is built in)

- UserApp services up content

- I successfully access /myrequests

-----------------------------

 

So, the above doesn't work currently since every time the SMSESSION token value is passed to the Web Services it always denies authorization. IF I pass a Web Services token generated for appid1 --> appid2/3/4..so on, it works fine. But Web Agent token --> Web Services fails. It's not clear exactly what fails or why, but the logs just show 'authentication failed'.

 

Essentially I want to use the single token value, whether Web Service generated or Web Agent generated.

 

Am I missing something really obvious? Is this possible?

Outcomes