Authentication Types in Connected System

RE: Authentication Types in Connected System

Colton Walker — Tue, 14 May 2024 00:21:40 GMT

Abhay,

Thank you for your question! I want to understand your use case a little better.

Do you have a link to the documentation for the API you want to call? That would be the clearest way for me to understand and advise better.

Specifically, I want to understand the OAuth 2.0 flow that you're using. Is it the client credentials grant

Thanks,
Colton

RE: Authentication Types in Connected System

Stefan Helzle — Fri, 10 May 2024 15:02:45 GMT

Appian will add it automatically. That's the whole point of it. But maybe I am missing something...

RE: Authentication Types in Connected System

Abhay Dalsaniya — Fri, 10 May 2024 14:33:44 GMT

We are consumer of the API and need to rely on what other team have built. Is there a way in Appian to retrieve a token using user, password and then use this token along with the id and secret to call the API, all this in one go ?

RE: Authentication Types in Connected System

Mike Schmitt — Fri, 10 May 2024 14:25:36 GMT

[quote userid="250827" url="~/discussions/f/integrations/34941/authentication-types-in-connected-system/135140"]If we provide the id and secret in the Header[/quote]

Isn't the header passed over as plaintext anyway - the way you phrase it (and pardon me being slightly less familiar with this auth method) but it sounds as if your setup itself is what's violating your security requirements (i.e. the secret is being passed as header, which is plaintext, which is not allowed - this would still be true whether you figure out a way to mask the value in the configuration dialog, no? Or do I have something confused here?)

RE: Authentication Types in Connected System

Mike Schmitt — Fri, 10 May 2024 14:22:23 GMT

Dang, that's disappointing. Maybe (in the meantime) open a product use case with Appian? It seems like there should be a way to do this. (cc Peter Lewis )

RE: Authentication Types in Connected System

Abhay Dalsaniya — Fri, 10 May 2024 14:18:20 GMT

The API supports the Bearer auth type and need to pass id and secret in the header. Header will be always a plan text and will be visible. Also in above we cannot pass the user and password for oAuth EP, and hence cannot retrieve the auth token.

RE: Authentication Types in Connected System

Harsh Kumar Agarwal — Fri, 10 May 2024 14:10:47 GMT

RE: Authentication Types in Connected System

Abhay Dalsaniya — Fri, 10 May 2024 14:10:21 GMT

I did not find a way to use Credential Store fields directly in the CS or Integration object.

RE: Authentication Types in Connected System

Abhay Dalsaniya — Fri, 10 May 2024 14:09:41 GMT

This does not work for us. If we provide the id and secret in the Header, it will still be in plain text and will be visible.

RE: Authentication Types in Connected System

Abhay Dalsaniya — Fri, 10 May 2024 14:07:58 GMT

We can but is there a way to refer the id and secret from CS to pass in the Header?

RE: Authentication Types in Connected System

Harsh Kumar Agarwal — Fri, 10 May 2024 09:07:11 GMT

I hope you have already considered 'OAUTH 2.0: SAML BEARER ASSERTION FLOW' where client secret is masked.

https://docs.appian.com/suite/help/24.1/oauth_saml_bearer_assertion_flow.html

RE: Authentication Types in Connected System

Stefan Helzle — Thu, 09 May 2024 19:20:41 GMT

Why not add that client secret in the connected system instead of leaving authentication to "None"?

RE: Authentication Types in Connected System

Mike Schmitt — Thu, 09 May 2024 19:16:06 GMT

[quote userid="250827" url="~/discussions/f/integrations/34941/authentication-types-in-connected-system"]Is there a way for us to use connected system which supports the masked password and secret to achieve above scenario?[/quote]

Have you looked into whether it's possible to make this work along with the Credential Store? I don't happen to know but I'd be surprised if there isn't some way.