ROPC Defined Example OAuth 2.0
Specify user credentials in the authentication request to perform API operations based on Ennov InSight security permissions.
To define client credentials:
- Submit an HTTPS POST request to: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
  The tenant_id format is: xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx.
  Note: In the URL above, `common` is no longer supported with the v2 oauth2 endpoints, so the tenant_id must be used. The following parameters are updated.
  The body of the request should include the form-data:

  | Parameter Name | Value |
  |---|---|
  | grant_type | password |
  | client_id | xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx |
  | scope | <registered client_id>/.default openid |
  | username | <user account with security permissions> |
  | password | <password for user_account> |
  | client_secret | <registered client_secret> |

  The response body carries the Azure Bearer token (access_token). It is used in conjunction with the API X-CSRF-TOKEN access token generated in step 3.
- Submit an HTTPS GET request to get a token.
  Send a GET request to: http://hostname:port/insight/api/v2/token
  The body of the JSON response holds the current session ID: `{ "xAuthToken": "44B1E9C995C654E38DDD82BF708784D1" }`
  The response header contains the following values:

  | Parameter Name | Value |
  |---|---|
  | X-CSRF-HEADER | X-CSRF-TOKEN |
  | X-CSRF-PARAM | _csrf |
  | X-CSRF-TOKEN | 40d67d97-fb28-4a78-a111-5bae0ee706bb |

- Use that token and login information to authenticate.
- Send a login POST request to pass authentication using the same session (set JSESSIONID). After successful logon, the application creates a new session and a new token to use in subsequent API calls.
  The request has the following attributes:

  | Parameter Name | Value |
  |---|---|
  | URI | http://hostname:port/insight/api/v2/login |
  | Request header values | Content-Type: "application/json" |
  | | X-CSRF-TOKEN: 40d67d97-fb28-4a78-a111-5bae0ee706bb. This value is retrieved as a result of the previous request (http://hostname:port/insight/api/v2/token). |
  | Request body (raw) | {"access_token":"<obtained_access_token>", "token_type":"Bearer"} |

  The access_token is the Azure-generated authorization token gathered in steps 1 and 2.
  The response header contains the following values:

  | Parameter Name | Value |
  |---|---|
  | X-CSRF-HEADER | X-CSRF-TOKEN |
  | X-CSRF-PARAM | _csrf |
  | X-CSRF-TOKEN | 40d67d97-fb28-4a78-a111-5bae0ee706bb |
  | Cookie | JSESSIONID=44B1E9C995C654E38DDD82BF708784D1 |

  The JSESSIONID value is taken from the xAuthToken described in step 2.
- Make an API call with your new token.
  All subsequent REST API POST requests (read/create/create-or-update/delete for a specific entity) are sent through the "/api/v2" URI (example: http://hostname:port/insight/api/v2/event/46098/delete) with the following attributes:

  | Parameter Name | Value |
  |---|---|
  | Request header values: | |
  | Content-Type | "application/json" |
  | X-CSRF-TOKEN | 40d67d97-fb28-4a78-a111-5bae0ee706bb |
  | Cookie | JSESSIONID=44B1E9C995C654E38DDD82BF708784D1. The value is taken from the xAuthToken described in step 2. |
  | Request body | JSON object for the specific entity. |

  Instead of the X-CSRF-TOKEN header, you can use the "_csrf" parameter.
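The four steps above as one script. This is an added example, not Ennov's or Microsoft's code: the base URL, tenant and client ids, service account and environment variable names (`INSIGHT_BASE_URL`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `INSIGHT_USER`, `INSIGHT_PASSWORD`) are assumptions, and the HTTP `transport` is injectable so the sequence can be checked offline against canned responses. It also reads the new session id from a `Set-Cookie` header when the server sends one, which the page does not state, and falls back to the step-2 value otherwise.

```python
# Added example, not Ennov's or Microsoft's code: walks the four steps above
# (ROPC grant at Azure AD, then InSight /token, /login, and an entity call).
# Assumed: base URL, tenant/client ids and the service account come from
# environment variables; the HTTP `transport` is injectable so the sequence
# can be exercised offline against canned responses.
import json
import os
import urllib.request
from urllib.parse import urlencode

AZURE_TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def ropc_form(client_id, client_secret, username, password):
    """Step 1 form-data for the v2.0 /token endpoint (grant_type=password)."""
    return {"grant_type": "password", "client_id": client_id,
            "scope": f"{client_id}/.default openid",  # <registered client_id>/.default openid
            "username": username, "password": password, "client_secret": client_secret}


def header(hdrs, name, default=None):
    """Case-insensitive header lookup; proxies and servers vary the casing."""
    return next((v for k, v in hdrs.items() if k.lower() == name.lower()), default)


def cookie_value(cookie_str, name):
    """Value of one cookie in a Set-Cookie/Cookie string, or None if absent."""
    for part in (cookie_str or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def urllib_transport(method, url, headers=None, data=None, body=None):
    """Real transport (stdlib only): `data` is form-encoded, `body` is JSON.
    Returns (status, response headers, parsed JSON body or {})."""
    headers, payload = dict(headers or {}), None
    if data is not None:
        payload = urlencode(data).encode()
        headers.setdefault("Content-Type", "application/x-www-form-urlencoded")
    elif body is not None:
        payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else {})


class InsightSession:
    """Tracks the X-CSRF-TOKEN / JSESSIONID pair every InSight request must carry."""
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.csrf_token = self.session_id = None

    def _auth_headers(self):
        return {"Content-Type": "application/json", "X-CSRF-TOKEN": self.csrf_token,
                "Cookie": f"JSESSIONID={self.session_id}"}

    def azure_access_token(self, tenant_id, client_id, client_secret, username, password):
        """Step 1: ROPC grant; returns the Azure bearer access_token."""
        status, _, body = self.transport("POST", AZURE_TOKEN_URL.format(tenant_id=tenant_id),
                                         data=ropc_form(client_id, client_secret, username, password))
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"ROPC grant failed: HTTP {status} {body.get('error')}")
        return body["access_token"]

    def fetch_csrf(self):
        """Step 2: GET /token; session id is in the JSON body, CSRF token in a header."""
        status, hdrs, body = self.transport("GET", f"{self.base_url}/insight/api/v2/token")
        if status != 200:
            raise RuntimeError(f"/token failed: HTTP {status}")
        self.session_id, self.csrf_token = body["xAuthToken"], header(hdrs, "X-CSRF-TOKEN")

    def login(self, access_token):
        """Step 3: POST /login with the step-2 pair, then adopt the new pair the server issues."""
        status, hdrs, _ = self.transport("POST", f"{self.base_url}/insight/api/v2/login",
                                         headers=self._auth_headers(),
                                         body={"access_token": access_token, "token_type": "Bearer"})
        if status != 200:
            raise RuntimeError(f"/login failed: HTTP {status}")
        self.csrf_token = header(hdrs, "X-CSRF-TOKEN", self.csrf_token)
        new_sid = cookie_value(header(hdrs, "Set-Cookie") or header(hdrs, "Cookie"), "JSESSIONID")
        self.session_id = new_sid or self.session_id

    def call(self, path, payload):
        """Step 4: entity operation under /insight/api/v2, e.g. /event/46098/delete."""
        status, _, body = self.transport("POST", f"{self.base_url}/insight/api/v2{path}",
                                         headers=self._auth_headers(), body=payload)
        return status, body


def run_from_env(transport=urllib_transport):
    """Whole sequence with secrets read from the environment, never from source."""
    s = InsightSession(os.environ["INSIGHT_BASE_URL"], transport)
    tok = s.azure_access_token(*(os.environ[k] for k in (
        "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
        "INSIGHT_USER", "INSIGHT_PASSWORD")))
    s.fetch_csrf()
    s.login(tok)
    return s
```

Run it as `run_from_env().call("/event/46098/delete", {})` with the variables exported. Keeping the CSRF token and JSESSIONID together in one object matters because step 3 replaces both: a client that keeps using the step-2 pair after login gets rejected, and a client that sends the step-3 token with the step-2 cookie does too.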
