Forum Discussion
This should mostly have the info you need for this; basically you can pass your SSO token as a query param into an authentication/sessions/login API call and get back a REST session key that can be used subsequently to authenticate REST calls. By default this session key will last at most 24 hours, and will expire if it is unused for 30 minutes, but these values are configurable; you'd just need to open a support ticket to get them adjusted. Your diagrams all look pretty good generally; hopefully this info helps with getting your service set up. One thing to note is that your login metric will be incremented by the authentication call I mentioned above; I assume this is acceptable and that the important part is that users don't have to hit a community page to authenticate, but it's worth noting.
Btw, I think cookies would not meet your use case because you would need to hit a community page to get the required cookie, and as noted they aren't the best solution for other reasons.
I had read the authentication document you mentioned; from it I was 90% sure I needed to use the SSO Token / session key auth method, but wanted to rule out the cookie authentication option. Also, in my situation creating the SSO Token meant requesting a new service to be exposed by our SSO system, coded by a different department than mine. I'm confident now that cookie auth is not an option for my use case. I've started working with our other developers to design a secure service to get Lithium SSO Tokens for authenticated users. Since they are already generating tokens for the standard SSO login authentication cookie, it shouldn't be a large undertaking.
I've started building a JavaScript library to authenticate and communicate with the REST API, and things are looking like they should go well.
Thanks for mentioning the login metric thing. I will keep that in mind, being careful not to authenticate / re-authenticate unless needed to cut down on that.
Thanks again for your advice!
- JakeS, 11 years ago, Lithium Alumni (Retired)
Cool, definitely ask any questions that come up while implementing this; I'll be watching this thread.
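The thread gives a 24-hour maximum lifetime and a 30-minute idle expiry for the REST session key, and notes that every login call increments the login metric. As an added example (not part of the thread and not Lithium's code), here is a client-side cache in JavaScript that logs in again only when the key can no longer be valid. `loginFn` and `restCall` are hypothetical callbacks supplied by the caller, and the one-minute safety margin is an assumption.

```javascript
// Added example. Lifetimes are the defaults quoted in the thread; adjust if support changes them.
const MAX_AGE_MS = 24 * 60 * 60 * 1000; // session key lasts at most 24 hours
const MAX_IDLE_MS = 30 * 60 * 1000;     // and expires after 30 minutes unused
const SAFETY_MS = 60 * 1000;            // assumption: margin for clock skew and latency

class SessionKeyCache {
  constructor() { this.logins = 0; this.pending = null; this.clear(); }
  clear() { this.key = null; this.issuedAt = 0; this.lastUsedAt = 0; }
  // Record a freshly issued key. Keep it in memory only and never log it.
  store(key, now) {
    this.key = key; this.issuedAt = now; this.lastUsedAt = now; this.logins += 1;
  }
  // Return the cached key if the server should still accept it, otherwise null.
  usableKey(now) {
    if (this.key === null) return null;
    const tooOld = now - this.issuedAt >= MAX_AGE_MS - SAFETY_MS;
    const idle = now - this.lastUsedAt >= MAX_IDLE_MS - SAFETY_MS;
    if (tooOld || idle) { this.clear(); return null; }
    return this.key;
  }
  // Call after each successful REST request: usage resets the idle timer.
  touch(now) { if (this.key !== null) this.lastUsedAt = now; }
}

// loginFn (hypothetical): performs the authentication/sessions/login call with the
//   SSO token and resolves to the session key string.
// restCall (hypothetical): performs one REST request using the given session key.
async function callWithSession(cache, loginFn, restCall, now = Date.now) {
  let key = cache.usableKey(now());
  if (key === null) {
    // Concurrent callers share one in-flight login, so the login metric
    // goes up once per session rather than once per request.
    cache.pending = cache.pending || loginFn()
      .then((k) => { cache.store(k, now()); return k; })
      .finally(() => { cache.pending = null; });
    key = await cache.pending;
  }
  const result = await restCall(key);
  cache.touch(now());
  return result;
}
```

`cache.logins` counts how many times this client actually authenticated, which can be compared against the community's login metric.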