We have a requirement to call web API which uses Bearer Token authentication type and it requires client id and secret in the Header.
Before calling this API we need to get the access token using oAuth endpoint, this endpoint has authentication type as Basic Auth and it requires same client id and secret in the Header.
1. For OAuth endpoint, we have created a connected system (A) with the Basic Authentication using username and password. - Works fine.
2. For the primary API, we have created another connected system (B) with the following information.
a. Base URL: <Base URL>.
b. Authentication: None
3. Created an Integration object which uses connected system B and has following parameters in the Headers.
a. Authorization: <Token received in step #1, passed as rule input>
b. X-IBM-Client-Id: <client id, passed as constant >
c. X-IBM-Client-Secret: <client secret, passed as constant>
The above setup works fine however as per our security compliance we cannot have a secret in the constant which is non-masked.
Is there a way for us to use connected system which supports the masked password and secret to achieve above scenario?
Discussion posts and replies are publicly visible
I hope you have already considered 'OAUTH 2.0: SAML BEARER ASSERTION FLOW' where client secret is masked.
https://docs.appian.com/suite/help/24.1/oauth_saml_bearer_assertion_flow.html
This does not work for us. If we provide the id and secret in the Header, it will still be in plain text and will be visible.
The API supports the Bearer auth type and need to pass id and secret in the header. Header will be always a plan text and will be visible. Also in above we cannot pass the user and password for oAuth EP, and hence cannot retrieve the auth token.
Abhay Dalsaniya said:If we provide the id and secret in the Header
Isn't the header passed over as plaintext anyway - the way you phrase it (and pardon me being slightly less familiar with this auth method) but it sounds as if your setup itself is what's violating your security requirements (i.e. the secret is being passed as header, which is plaintext, which is not allowed - this would still be true whether you figure out a way to mask the value in the configuration dialog, no? Or do I have something confused here?)
We are consumer of the API and need to rely on what other team have built. Is there a way in Appian to retrieve a token using user, password and then use this token along with the id and secret to call the API, all this in one go ?
Abhay,
Thank you for your question! I want to understand your use case a little better.
Do you have a link to the documentation for the API you want to call? That would be the clearest way for me to understand and advise better.
Specifically, I want to understand the OAuth 2.0 flow that you're using. Is it the client credentials grant
Thanks,Colton