I'm busy writing a test harness that will validate a REST API I've been developing. In the normal usage the my REST API will be used by a Web application that is secured and authenticated by OneLogin. My test harness will therefore have to use OneLogin to authenticate before I can call my own functions. I'm struggling to understand the right workflow for logging through an API as my test harness does not have a browser. So far I've got:
- Request an Authentication Token using the Client Id and Secret (https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens)
- Request a Session Token using the Authentication Token, Sub-Domain, user name and password (https://developers.onelogin.com/api-docs/1/users/create-session-login-token)
I'm not quite sure what do do with the Session Token. I suspect I might have to create a session (https://developers.onelogin.com/api-docs/1/users/create-session-via-token) but that appears to be using a different URL.
Any ideas?
Updated:
Here is the code that I'm using for that final step. I pass in the Session Token obtained in the previous step.
/** see https://developers.onelogin.com/api-docs/1/users/create-session-via-token */
public void createSession(String sessionToken) {
HttpPost httpPost = new HttpPost("https://admin.us.onelogin.com/session_via_api_token");
List<NameValuePair> postParameters = new ArrayList<>();
postParameters.add(new BasicNameValuePair("session_token", sessionToken));
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
HttpEntity entity = new UrlEncodedFormEntity(postParameters);
httpPost.setEntity(entity);
HttpResponse response = httpClient.execute(httpPost);
int status = response.getStatusLine().getStatusCode();
System.out.println(status);
} catch (Exception e) {
e.printStackTrace();
}
}
The status code returned is 302 and the response headers contain Location: https://<my-company>.onelogin.com.
I'm taking this to mean that the last call has failed for some reason and I'm being redirected back to the log-in page.