1
votes

I'm busy writing a test harness that will validate a REST API I've been developing. In the normal usage the my REST API will be used by a Web application that is secured and authenticated by OneLogin. My test harness will therefore have to use OneLogin to authenticate before I can call my own functions. I'm struggling to understand the right workflow for logging through an API as my test harness does not have a browser. So far I've got:

  1. Request an Authentication Token using the Client Id and Secret (https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens)
  2. Request a Session Token using the Authentication Token, Sub-Domain, user name and password (https://developers.onelogin.com/api-docs/1/users/create-session-login-token)

I'm not quite sure what do do with the Session Token. I suspect I might have to create a session (https://developers.onelogin.com/api-docs/1/users/create-session-via-token) but that appears to be using a different URL.

Any ideas?

Updated:

Here is the code that I'm using for that final step. I pass in the Session Token obtained in the previous step.

/** see https://developers.onelogin.com/api-docs/1/users/create-session-via-token */
public void createSession(String sessionToken) {
    HttpPost httpPost = new HttpPost("https://admin.us.onelogin.com/session_via_api_token");
    List<NameValuePair> postParameters = new ArrayList<>();

    postParameters.add(new BasicNameValuePair("session_token", sessionToken));

    try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
        HttpEntity entity = new UrlEncodedFormEntity(postParameters);

        httpPost.setEntity(entity);

        HttpResponse response = httpClient.execute(httpPost);
        int status = response.getStatusLine().getStatusCode();

        System.out.println(status);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

The status code returned is 302 and the response headers contain Location: https://<my-company>.onelogin.com.

I'm taking this to mean that the last call has failed for some reason and I'm being redirected back to the log-in page.

1

1 Answers

1
votes

You suspect right.

Basically, after your server makes the back-channel requests for the token, you have to hand the token off via the front channel (user's browser) so you can establish a session, get cookies, etc... using the session_via_api_token 'endpoint' (which is a totally different sort of API from the ones to get the token in the first place)