call WEB API using Session-Based Authentication

Hi,

In my project, Appian forms are embedded into a web application, so SSO is configured and working, and the embedding is successful.

One more requirement is calling Appian forms from the same web page. Right now we are using API key authentication, which is working fine, but we are planning to change this to Session-Based Authentication.

I have looked at the Appian doc for this, https://docs.appian.com/suite/help/19.4/Web_API_Authentication.html#session-based-authentication, but couldn't work out what parameters need to be passed for Session-Based Authentication.

I also looked at the embedded interfaces doc https://docs.appian.com/suite/help/20.3/Embedded_Interfaces.html and referred to the "Integrated jQuery Example" section, where I saw a servlet plug-in being invoked using Session-Based Authentication. I tried the same configuration properties while calling the Web API, but it didn't work. I tried the properties below in the request headers while calling the Appian Web API.

'Content-Type': 'application/json',
'xhrFields': {
   'withCredentials': true
}

Could you help me call the Web API successfully from a web page using Session-Based Authentication?

Regards,
Mahesh

  • It is working now. While using session-based authentication, we need to include the script tag below on the web page; the session ID will then be created. If this web application is hosted on the same origin, then the Appian Web API uses the same session ID (implicitly included in the headers) that was created during SSO authentication. In the cross-origin case, for security reasons web browsers by default don't pass headers to the Web API, so we need to pass the headers explicitly if that is allowed in the web application (but this is not recommended for security reasons).

    In our case we are not allowed to pass headers explicitly, so we have used API key authentication on cross-origin and session-based authentication on the same origin.

    <script src="dev.internal.intient.com/.../embeddedBootstrap.nocache.js" id="appianEmbedded" data-signin="OKTA" data-themeidentifier="my-project-theme"></script>
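
The same-origin / cross-origin split described in the reply above, as an added example that is not part of the original thread or Appian's own code: it compares the page origin with the Web API origin and builds `fetch` options that rely on the session cookie for same-origin calls and on an API key otherwise. The function names and the example.com hosts are constructed for illustration, and the `Appian-API-Key` header name is assumed to be the one your Appian version expects; note that `withCredentials` / `credentials` is a request option, not a request header.

```javascript
// Added example. Function names and hosts are hypothetical / constructed.

// Two URLs share an origin only when scheme, host and port all match.
function isSameOrigin(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl, page); // relative API paths resolve against the page
  return page.origin === api.origin;
}

// Decide how to authenticate a Web API call made from pageUrl.
function buildWebApiRequest(pageUrl, apiUrl, apiKey) {
  const url = new URL(apiUrl, pageUrl).href;
  const headers = { Accept: 'application/json' };

  if (isSameOrigin(pageUrl, apiUrl)) {
    // Same origin: the browser attaches the SSO session cookie by itself,
    // so no authentication header is set here.
    return {
      url,
      mode: 'session',
      options: { method: 'GET', headers, credentials: 'same-origin' },
    };
  }

  // Cross origin: cookies are not sent, so fall back to the API key.
  // The key is readable by anyone who can load the page, so it should
  // belong to a narrowly scoped service account.
  if (!apiKey) throw new Error('cross-origin call needs an API key');
  headers['Appian-API-Key'] = apiKey; // header name is an assumption
  return {
    url,
    mode: 'api-key',
    options: { method: 'GET', headers, credentials: 'omit' },
  };
}

// Browser-side usage: window.location.href supplies the page origin.
async function callWebApi(apiUrl, apiKey) {
  const { url, options } = buildWebApiRequest(window.location.href, apiUrl, apiKey);
  const res = await fetch(url, options);
  if (!res.ok) throw new Error('Web API returned ' + res.status);
  return res.json();
}
```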