ITA REST API authentication method

Hannu1 · ‎2021-08-23

Hello,

When DCO was using basic authentication, we noticed that ITA requires token based authentication at least with customer data.
Do we have any option to choose which authentication method to use when having on-premise installation.

Thanks

Hannu1 · ‎2021-08-24

I did a test by logon https://<itaserver>/api/current page, the page seems also giving error message when using the interface account.

I checked if some permission is missing from the account and noticed that when giving permission to 'User Rights and Authentication Servers' then api call went throw without errors. @gsterling can I leave this permission or does this open security vulnerabilities?

Thanks

See Answer In Context

gsterling · ‎2021-08-23

Hello Hannu

Use of the REST api with ITA should require you use valid credentials from the ITA server. The capabilities in REST should then be based on the permissions of that user account. Once authenticated the same user account is then used for subsequent API calls using JWT tokens for session management.

Were you looking for other methods for accessing the REST apis?

Regards

Greg Sterling

Hannu1 · ‎2021-08-24

Hi Greg,

Thanks for helping @gsterling.

I'm using an interface account which has Desktop Client and API permission. This account can insert customer data to DCO when ITA gives an error message; "[gLve95nOS0qvzRJAlXRmoA] [442339a8cc83] [com.apc.webservice.api.server.exception.mapper.APIExceptionMapper] (default task-30 gLve95nOS0qvzRJAlXRmoA) API client error: [100001] Invalid access - User with anonymized name 442339a8cc83 does not have access to add customers (Status Code: 403)".

I was wondering if authentication has changed for customer data. Rack data can be modified using API when customer data gives an error. API document tells that Desktop Client permission should be enough for interface, is this same for customer data or what can cause the error.

Thanks

gsterling · ‎2021-08-24

Are you able to share a sample API call you're making?

API security has been tightened a bit since the DCO releases to make the API's more secure.

You are using logon credentials of a valid ITA user account when making the API call, correct? And that user account has permissions to make changes like adding customers?

If you browse to the https://<itaserver>/api/current page, logon using that user account, are you able to manually add/change a customer from that view?

Regards

Greg Sterling

Hannu1 · ‎2021-08-24

I did a test by logon https://<itaserver>/api/current page, the page seems also giving error message when using the interface account.

I checked if some permission is missing from the account and noticed that when giving permission to 'User Rights and Authentication Servers' then api call went throw without errors. @gsterling can I leave this permission or does this open security vulnerabilities?

Thanks

Anonymous user · ‎2021-08-28

@gsterling wrote:
Hello Hannu

Use of the REST api with ITA should require you use valid credentials from the ITA server. The capabilities in REST should then be based on the permissions of that user account. Once authenticated the same user account is then used for subsequent API calls using JWT tokens for session management.

Were you looking for other methods for accessing the REST apis?

Regards

Greg Sterling

Hello @gsterling,

Thanks for update and quick reply, Looking for same issue and i found lots of helpful information here, Really appreciate for help.