Hi Shi and Dan

Thanks for the OAuth2 implementation and Dan, thanks for your evaluation. I
have now included an endpoint for clients to authenticate themselves before
they start using the API. Also, since the endpoint is included in OpenAPI, the
same can be executed directly from Swagger UI.

curl -X POST "https://localhost:8443/rest/auth/token" \
  -H "accept: application/json" \
  -H "Authorization: Basic YWRtaW46b2ZiaXo="

This gets you the generated token with expiry as set in the
security.properties file.

{
    "statusCode": 200,
    "statusDescription": "OK",
    "successMessage": "Token granted.",
    "data": {
        "access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyTG9naW5JZCI6ImFkbWluIiwiaXNzIjoiQXBhY2hlT0ZCaXoiLCJleHAiOjE1OTY3MDk4MjAsImlhdCI6MTU5NjcwODAyMH0.9Hj4pkkeQowAMxPLrI_To0WTohxxgVR6FoViyx5HoboTACQZ4iqDyqiIBodkuCVsZwOTPT1RSAQJ0L_oSVMqBA",
        "token_type": "Bearer",
        "expires_in": "1800"
    }
}

The generated token can then be used to make API calls using Bearer Auth
Scheme. I have updated the README here:
https://github.com/girishvasmatkar/ofbiz-plugins/blob/trunk/ofbiz-rest-impl/README.adoc

Best,
Girish

On Wed, Aug 5, 2020 at 8:13 PM Daniel Watford <d...@foomoo.co.uk> wrote:

> Hi Girish,
>
> I've been able to authenticate with the REST api using the token you
> mentioned.
>
> I find the REST service very interesting as I think it has the potential to
> drastically simplify some of the lookup-style functionality currently
> implemented.
>
> As an extension to your PR I tried out a couple of things that might be
> useful while you continue to explore REST service opportunities.
>
> Please see this branch:
>
> https://github.com/danwatford/ofbiz-framework/commits/rest-experiements-based-on-pr214
>
>
> There are two commits on top of PR214.
>
> The first commit uses REST to look up State/Province values for a given
> country. This functionality is used when editing postal addresses. In this
> commit I've modified the editcontactmech form to use a REST endpoint to
> retrieve state/province information. If you have demo data loaded locally
> you can see the result here:
>
> https://localhost:8443/partymgr/control/editcontactmech?partyId=Company&contactMechId=10000
>
> There wasn't too much of a saving here as the controller servlet is already
> configured to return JSON in response to these lookups, but making use of
> REST would sidestep the need to create controller.xml entries.
>
>
> The second commit uses REST to look up User Logins for the autocomplete
> field displayed here: https://localhost:8443/partymgr/control/main
>
> As you type into the User Login ID field REST calls are made to endpoint
> https://localhost:8443/rest/services/lookupUserLogin to search for matching
> user logins.
>
> The potential savings for this style of lookup are a reduction in
> complexity on the client and server side.
>
> At the moment AJAX lookup requests are processed as regular screen
> renderings, but with a decorator-loaded screen detecting that the
> ajaxLookup parameter is set and then triggering
> common/groovyScripts/FindAutocompleteOptions.groovy to run to perform the
> search. The search results are then encoded as a piece of javascript inside
> an HTML response.
> The client loads that HTML response into an automatically generated div,
> causing the javascript to execute and populate a global variable.
> The client then reads that global variable to generate the options to be
> displayed by the autocomplete widget.
>
> It is quite a convoluted chain of code to follow, but I imagine it was
> necessary at the time to make lookups work with the screen view rendering
> approach. Calling REST services instead will remove the need to generate
> javascript scripts embedded in HTML responses.
>
> Please note, the code written is very hacky at the moment and hardcoded to
> have ofbiz accessible at https://localhost:8443/. Notifying the client code
> of REST endpoints has been done by 'inappropriately reusing' other
> configuration items.
>
> Looking forward to seeing what comes next. Perhaps we could create a new
> ModelForm.RestLookupField to work similarly to ModelForm.LookupField, but
> making use of REST calls instead.
>
> Thanks,
>
> Dan.
>
>
> On Sun, 2 Aug 2020 at 11:03, Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi Daniel
> >
> > You can use the JWT token in the README of. Sorry, if it is not clearly
> > documented, this will be improved upon further as I make more changes.
> >
> > https://github.com/girishvasmatkar/ofbiz-plugins/tree/trunk/ofbiz-rest-impl
> >
> > I need to implement an API endpoint that eventually generates a JWT token
> > that can be issued to the client to make subsequent API calls. Until then,
> > please use the one mentioned in the README examples. That JWT has userId
> > claim value as admin assuming admin would have got himself authenticated
> > and a JWT was issued to him.
> >
> > I will soon add an API endpoint to issue JWTs and will update README
> > accordingly. I hope that answers your question.
> >
> > Best Regards,
> > Girish
> >
> >
> >
> >
> >
> >
> >
> > On Sun, Aug 2, 2020 at 3:21 PM Daniel Watford <d...@foomoo.co.uk> wrote:
> >
> > > Hi Girish,
> > >
> > > I wanted to try out some REST calls using Swagger-ui (
> > > https://localhost:8443/docs/swagger-ui.html) but don't know how to
> > > authenticate to get a JWT.
> > >
> > > Apologies if I missed the instructions elsewhere but please could you
> > > advise on how to authenticate against the REST api?
> > >
> > > Thanks,
> > >
> > > Dan.
> > >
> > > On Fri, 31 Jul 2020 at 09:34, Girish Vasmatkar <
> > > girish.vasmat...@hotwaxsystems.com> wrote:
> > >
> > > > Greetings!
> > > >
> > > > I have created a PR to add a REST component -
> > > > https://github.com/apache/ofbiz-plugins/pull/35 . Please take a look
> > > > and let me know what you think and let me know if you face any issues. I
> > > > intend to merge it in a week from now.
> > > >
> > > > With the PR (https://github.com/apache/ofbiz-framework/pull/214) to add
> > > > "action" attribute to the service definition now merged, this above
> > > > component should be able to expose exportable (export=true) and
> > > > actionable(action=GET|POST) services via REST.
> > > >
> > > > Once the changes for nested attributes (OFBIZ-11902
> > > > <https://issues.apache.org/jira/browse/OFBIZ-11902>) are done, I will also
> > > > be making corresponding changes in the GraphQL plugin to account for nested
> > > > attributes. OFBIZ-11902
> > > > <https://issues.apache.org/jira/browse/OFBIZ-11902> will
> > > > help in defining complex GraphQL mutations.
> > > >
> > > > I am parallelly also working on designing an XML DSL for REST that should
> > > > allow tying up REST resources with OFBiz services.
> > > >
> > > > Best,
> > > > Girish
> > > >
> > > >
> > > >
> > > > On Thu, Jul 9, 2020 at 6:27 PM Shi Jinghai <huaru...@hotmail.com> wrote:
> > > >
> > > > > Hi Girish,
> > > > >
> > > > > Yes, you got it.
> > > > >
> > > > > Web browser will pop up a login dialog when response code is 401:
> > > > > setResponseHeader("WWW-Authenticate", "Bearer realm=\"authentication required\"");
> > > > >
> > > > > The popup is skipped and then react/vue/angular can handle the response:
> > > > > setResponseHeader("WWW-Authenticate", "OFBiz realm=\"authentication required\"");
> > > > >
> > > > >
> > > > > From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> > > > > Sent: July 9, 2020 14:54
> > > > > To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> > > > > Subject: Re: REST implementation
> > > > >
> > > > > Hi Shi
> > > > >
> > > > > > Thanks for taking a look at it. I have a question on "WWW-Authenticate"
> > > > > > header so please clarify and I can make appropriate changes accordingly -
> > > > > >
> > > > > > All I am finding is that to prevent the pop-up, either return 403 (which I
> > > > > > do not want to do) or not include "WWW-Authenticate" header at all (not
> > > > > > inclined to do this as well because then we would be violating the spec).
> > > > > > Do you mean to NOT start the value of the header with "Bearer" ?
> > > > > > so instead of below
> > > > > >
> > > > > > *WWW-Authenticate: Bearer realm="Access to OFBiz", charset="UTF-8"*
> > > > > >
> > > > > > should we change it to
> > > > > >
> > > > > > *WWW-Authenticate: xBearer realm="Access to OFBiz", charset="UTF-8"*
> > > > > >
> > > > > > I did not test it, but I can just change it like this without testing if
> > > > > > you can please confirm it will prevent the browser dialog.
> > > > >
> > > > > Thanks again for the review.
> > > > >
> > > > > Best,
> > > > > Girish
> > > > >
> > > > > > On Wed, Jul 8, 2020 at 8:45 PM Shi Jinghai <huaru...@hotmail.com> wrote:
> > > > > >
> > > > > > > Hi Girish,
> > > > > > >
> > > > > > > Excellent.
> > > > > > >
> > > > > > > Only one suggestion from my quick view, when response code is 401, the
> > > > > > > "WWW-Authenticate" header should be set to start with a word NOT “Bearer
> > > > > > > …”, this can prevent web browser from popping up a login dialog.
> > > > > >
> > > > > > Kind Regards,
> > > > > >
> > > > > > Shi Jinghai
> > > > > >
> > > > > > > From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> > > > > > > Sent: July 8, 2020 20:47
> > > > > > > To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> > > > > > > Subject: Re: REST implementation
> > > > > >
> > > > > > Hi Folks
> > > > > >
> > > > > > > I have added support for OpenApi Integration. The updated code can be found
> > > > > > > here : https://github.com/girishvasmatkar/ofbiz-rest-impl. Please go
> > > > > > > through the changes and test at your end and let me know your thoughts.
> > > > > > >
> > > > > > > I am planning to do some refactoring and then raise initial PR for the
> > > > > > > plug-in if the changes look good to everyone.
> > > > > >
> > > > > > Best,
> > > > > > Girish
> > > > > >
> > > > > >
> > > > > > On Wed, Jun 17, 2020 at 4:54 PM Carsten Schinzer <
> > > > > > cars...@dcs-verkaufssysteme.de> wrote:
> > > > > >
> > > > > > > Hi Girish,
> > > > > > >
> > > > > > > Thanks to clarify :)
> > > > > > > > What caught me on the OpenAPI integration is the snippet quoted below and
> > > > > > > > I realize I should have read it in context. Actually then it is aligned
> > > > > > > > with my view.
> > > > > > > >
> > > > > > > > Warm regards
> > > > > > > >
> > > > > > > > Carsten
> > > > > > > >
> > > > > > > > >>>>> Initial implementation does not contain OpenApi integration yet. And
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > > Daniel Watford
> > >
> >
>
>
> --
> Daniel Watford
>
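
Added example, not part of the thread and not OFBiz code: a minimal HS512 check of the kind a service receiving the Bearer token from the top message would run, using the claim names that appear when that token is decoded (userLoginId, iss, exp, iat). The secret, the helper names and the sample token are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint(claims: dict, secret: bytes) -> str:
    """Build an HS512 token with the same header as the one in the response."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha512).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token: str, secret: bytes, now: int, issuer: str = "ApacheOFBiz") -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    try:
        head_seg, body_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(head_seg))
        sig = b64url_decode(sig_seg)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_seg}.{body_seg}".encode(),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_seg))  # parsed only after the MAC checks out
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

# Constructed sample: claim values mirror the decoded token in the message;
# the secret is a placeholder, not a real OFBiz key.
SECRET = b"constructed-demo-secret"
CLAIMS = {"userLoginId": "admin", "iss": "ApacheOFBiz",
          "exp": 1596709820, "iat": 1596708020}
TOKEN = mint(CLAIMS, SECRET)
```

The payload segment is only base64url-encoded, so anyone holding the token can read the claims; the signature is what stops them from being changed.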
