WSG 02.06.05.07 - Howto use Bentley STS / OAuth2 authentification ?

Question

Hi, 
 I'm writing a program which extract informations from PW datasource, using the Web Services Gateway. 
 We use Bentley IMS to connect to datasource, so I want to use the same method. The documentation mention Bentley STS and OAuth2, but is not very precise and I don't find a way to achieve that : 
 All requests having a {RepositoryId} parameter must have one of the following: 
 
 Basic Authorization header. For example: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== The Basic parameter is a base-64 encoded string "username:password". 
 Token header with a token that is understood by the plugin. Currently supported token versions are Bentley STS and OAuth2.

Does anyone can explain how to configure the header using the token, or give an example ? 
 Thanks 
 
 Benjamin

Dave Brumbaugh · Answer

BTW, planning to release an Azure Runbook compatible module soon. Will mostly wrap the functionality of the new Web API (formally known as ProjectWise Project Templating Service) but will include some token generation logic for IMS and OIDC.

Dave Brumbaugh · Answer

We've had other people asking about this and I came up with this approach. This example is PowerShell, but I think will be pretty easy to port to Python. I have not had any luck once ADFS gets involved, but YMMV. 
 The example gets a token that is valid for use with WSG for doing a file download and for passing to a regular API-based login. 
 ---[PowerShell Source below]---- 
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
 $infoBit = ConvertTo-Json -Depth 4 @{ AppliesTo = " ">connect-bts.bentley.com" RequestType = " ">schemas.microsoft.com/.../issue" KeyType = " ">schemas.microsoft.com/.../bearer" } 
 $Text = "Your.User@company.com:YourPassword" $Bytes = [System.Text.Encoding]::UTF8.GetBytes($Text) $EncodedText =[Convert]::ToBase64String($Bytes) 
 $authVal = "Basic " + $EncodedText 
 $imsUrl=" ">ims.bentley.com/.../IssueEx" 
 $resp = Invoke-RestMethod -ContentType "Application/Json" -Method Post -Body $infoBit -Uri $imsUrl -Headers @{"AUTHORIZATION"=$authVal} 
 $xmlDoc = New-Object System.Xml.XmlDocument $xmlDoc.LoadXml($resp.RequestedSecurityToken) 
 $cert = $xmlDoc.SelectSingleNode("//*[local-name()='X509Certificate']") 
 $base64EncodedCertificate = $cert.'#text' 
 $imsDelegatedUrl=" ">ims.bentley.com/.../IssueEx" 
 $authValueDelegated = "X509 access_token=" + $base64EncodedCertificate 
 $infoBitDelegated = ConvertTo-Json -Depth 4 @{ AppliesTo = "sso://pw-integration-server/1016" RequestType = " ">schemas.microsoft.com/.../issue" KeyType = " ">schemas.microsoft.com/.../bearer" ActAs = $resp.RequestedSecurityToken AppliesToBootstrapToken = " ">connect-bts.bentley.com" } 
 $resp2 = Invoke-RestMethod -ContentType "Application/Json" -Method Post -Body $infoBitDelegated -Uri $imsDelegatedUrl -Headers @{"AUTHORIZATION"=$authValueDelegated} 
 #cmdlet from PWPS_DAB 
 $encToken2 = ConvertTo-EncodedToken $resp2.RequestedSecurityToken 
 $wsgURL = ' decide-pwce-us-ws.bentley.com/.../Bentley.PW--' $dsn = 'decide-pwce-us.bentley.com~3Adecide-pwce-us-10' $class = 'PW_WSG/Document' $id = '560ff1f5-bcab-4527-916b-6d240e0c45f8' 
 #example URL 
 # $downloadUrl = ' decide-pwce-us-ws.bentley.com/.../$file' 
 $downloadUrl = "$wsgURL$dsn/$class/$id/" + '$file' 
 #cmdlet from PWPS_DAB 
 $random = Get-RandomString -Length 10 -Characters "abcdefghijklmnopqrstuvwxyz" 
 Invoke-WebRequest -Method Get -Uri $downloadUrl -Headers @{Authorization = 'Token ' + $encToken2} -OutFile ("c:	emp\" + ($random) + ".pdf") 
 #cmdlet from PWPS_DAB 
 New-PWLogin " decide-pwce-us.bentley.com:decide-pwce-us-10" -BentleyIMS -Token $resp2.RequestedSecurityToken 
 
 I am looking for more general approaches, but this is what I've gotten to at this point. I hope is helpful. 
 Dave

Dave Brumbaugh · Answer

Correct. You do not get an auth token from WSG. 
 The easiest way is to use PowerShell. These should all work: 
 $authVal = "Basic $(ConvertTo-EncodedToken "User:Pass")" 
 $authVal = "Token $(Get-PWConnectionClientToken)" 
 $authVal = "Token $(Get-PWNonFederatedLoginToken -UserName user@co.com -Password $(ConvertTo-SecureString $pwd -AsPlainText -Force) -CreateWebToken)" 
 I assume WSG can use a SAML token as generated in the last two examples. Not something I have done. 
 If you want an easier approach to interacting with ProjectWise via Web APIs, you can use the new ProjectWise Web API that's included with the "ProjectWise Project Templating Service". 
 Here's a swagger page with examples: https://davebpwappsrv.southcentralus.cloudapp.azure.com/ProjectWiseWebAPIServiceCore/index.html 
 For hosted users, you can get this deployed by raising a service request with Managed Services asking for the installation of the "ProjectWise Project Templating Service" on your WSG server. 
 Here's a couple of articles about it: 
 https://www.linkedin.com/pulse/use-newly-released-projectwise-project-templating-brumbaugh-p-e- 
 https://www.linkedin.com/pulse/adobe-acrobat-sign-integration-has-been-added-web-api-dave

Dave Brumbaugh · Answer

I just got this to work with a Basic token: 
 $authVal = "Basic $(ConvertTo-EncodedToken "LogicalAccount:XXXXX")" 
 $url = " ">decide-pwce-us-ws.bentley.com/.../1284429e-4eb5-46b3-aa25-6d704ddf7719" 
 Invoke-RestMethod $url -Method GET -ContentType 'application/json' -Headers @{"AUTHORIZATION"=$authVal} 
 I don't know if that helps you or not. 
 Dave

Dave Brumbaugh · Answer

I&rsquo;m not sure this will answer your question, but Dan Williams posted some examples of this a few years ago now: ProjectWise SDK - Bentley IMS Login 
 BTW, I worked around this problem for another user by adding a service running locally on a configurable port from which they could obtain the IMS Token from Connection Client. Basically exposing some of the functionality we have in PowerShell via a Web API call. Kind of a kludge, but it works.

WSG 02.06.05.07 - Howto use Bentley STS / OAuth2 authentification ?

Top Replies