WSG 02.06.05.07 - How to use Bentley STS / OAuth2 authentication?

Hi,

I'm writing a program which extracts information from a PW datasource, using the Web Services Gateway.

We use Bentley IMS to connect to the datasource, so I want to use the same method. The documentation mentions Bentley STS and OAuth2, but it is not very precise and I can't find a way to achieve that:

All requests having a {RepositoryId} parameter must have one of the following:

  • Basic Authorization header. For example:
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    The Basic parameter is a base-64 encoded string "username:password".
  • Token header with a token that is understood by the plugin. Currently supported token versions are Bentley STS and OAuth2.

Can anyone explain how to configure the header using the token, or give an example?

Thanks

Benjamin

  • I've just been doing some work in this area and it was pointed out that there has been no answer to this. Here's a very simple PowerShell script using WSG to download files. You will need at least version 1.11.2.0 of PWPS_DAB to run this script.

    $wsgURL = 'decide-pwce-us-ws.bentley.com/.../Bentley.PW--'
    $dsn = 'decide-pwce-us.bentley.com~3Adecide-pwce-us-10'
    $class = 'PW_WSG/Document'
    $id = '560ff1f5-bcab-4527-916b-6d240e0c45f8'

    # $downloadUrl = 'decide-pwce-us-ws.bentley.com/.../$file'

    $downloadUrl = "$wsgURL$dsn/$class/$id/" + '$file'

    # requires federated account
    $token2 = Get-PWConnectionClientToken -ConnectedProjectUser dave.brumbaugh@eagle.bentley.com -ConnectedProjectPassword (Read-Host -Prompt Password -AsSecureString)

    # just for information to see the underlying SAML
    ConvertFrom-EncodedToken $token2

    $random = Get-RandomString -Length 10 -Characters "abcdefghijklmnopqrstuvwxyz"

    Invoke-WebRequest -Method Get -Uri $downloadUrl -Headers @{Authorization = 'Token ' + $token2} -OutFile ("c:\temp\" + ($random) + ".pdf")

    # alternative method for connecting to WSG with logical user account
    $logicalToken = Get-EncodedLogicalToken -User "MyUser" -Password (Read-Host -Prompt Password -AsSecureString)

    $random = Get-RandomString -Length 10 -Characters "abcdefghijklmnopqrstuvwxyz"

    Invoke-WebRequest -Method Get -Uri $downloadUrl -Headers @{Authorization = 'Basic ' + $logicalToken} -OutFile ("c:\temp\" + ($random) + ".pdf")

  • Hi Dave,

    Thank you for this workaround, it works, but now my problem is getting the token, because I need to be able to use languages other than PowerShell (like Python).

    Currently my workaround is every week I have to use Get-PWConnectionClientToken from pwps_dab to get a token and store it in a file. Then I can read it from my script and use it.

    It's not convenient and not secure.

    It would be much better if I could directly get the token from Bentley IMS using oauth2 / imsoidc. But I'm not very familiar with that, and I didn't find any documentation from Bentley.

    Our goal is to integrate our in-house applications with ProjectWise. And we want to do it using the REST API, because some of the apps are desktop apps, but others are web apps.

  • Hi Audrius,

    I have a use case (real) :

    • I want to extract information about documents from the datasource (not from a particular project) to build a PowerBI dashboard which is used internally to monitor the deployment and the activity in the different hosted projects
    • We are in a hosted environment, so we don't have access to the SQL server; I have to use WSG API functionalities to get data
    • I have built a Python script (the language doesn't really matter) which runs on a server, to get the data and format it into a JSON file

    My issue is, since we only use IMS accounts, and we are federated, currently I don't know how to get a token directly from my script.

    I have to use a powershell cmdlet from pwps_dab to get a token from the connection client, store it in a file, and then use it in my script.

    In fact I would like to understand how to implement almost the same authentication method that you used for the Flow connector.

  • Benjamin, thanks for sharing your use case.

    I have no answer for how to get token as this is not my area of expertise. All I can say is that OAuth2 is currently only supported via Flow and it is not easily available for other applications. 

    Using Flow connector would certainly be a secure way and it would take care of handling connections. I have flows (same can be done with Logic Apps) that are running for months without needing any attention. 

    If you would consider using Flow connector for extracting data for PowerBI, here are points worth knowing:

    • PW Flow connector does not limit operations to a single work area, it only guides to it. You can find, query or modify any document or folder anywhere in datasource via a single connection.
    • You can use existing Saved Searches actions to query anywhere. 
    • With the next connector release in October we will add a new action that will allow making any PW WSG call. You could use it to query without using saved searches.
    • All request executions are currently limited to 100 seconds. If it is a lot of data that takes longer you may want to partition it. 

    Hope this helps. 

  • We build PowerBI dashboards all the time for customers using PowerShell. This seems like the more fit-for-purpose tool assuming you are attempting to implement as a scheduled extract (which is the way we normally do it). We also tend to populate local SQL reporting databases which is quite easy in PowerShell.

    If you are constrained to using Python/WSG, you could just put in a ticket to get a non-federated IMS account created specifically for reporting. This can be any email that you want to add to your organization and does not even have to share the domain from what I'm told. Then, you can use the token generation method I demonstrate above. You may also be able to get a logical account to work.

    If you look closely at the SAML tokens that are generated by non-federated and federated users, you'll see that the saml:confirmation method attribute differs in the tokens (HT @Robert Hook). Without implementing the ADFS callback yourself, I'm not sure you'll be able to build a valid token for the federated user. I still intend to build a sample that does this (ADFS callback), but I'm not sure about its utility in the scheduled extract, non-interactive use-case.

    Dave
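
An added example (not from any post in this thread, and not Bentley or PWPS_DAB code) for the stored-token workflow described above: before a Python script sends a saved token in the `Authorization: Token` header, it reads the SAML confirmation method and `NotOnOrAfter` and refuses an expired token. It assumes the token is base64-encoded SAML XML; the function names and the sample assertion are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample assertion (not a real Bentley token), valid for one week.
SAMPLE_SAML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    '<saml:Conditions NotBefore="2019-09-20T08:00:00Z"'
    ' NotOnOrAfter="2019-09-27T08:00:00Z"/>'
    '<saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>'
    '<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer'
    '</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
)
SAMPLE_TOKEN = base64.b64encode(SAMPLE_SAML.encode()).decode()


def inspect_token(encoded_token, now=None):
    """Report confirmation method and expiry of a stored token.
    ASSUMPTION: the token is base64-encoded SAML XML."""
    now = now or datetime.now(timezone.utc)
    # The file is written by our own job; use defusedxml for untrusted XML.
    root = ET.fromstring(base64.b64decode(encoded_token.strip(), validate=True))
    method, not_after = None, None
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if name == "ConfirmationMethod" and el.text:        # SAML 1.1 element
            method = el.text.strip()
        elif name == "SubjectConfirmation" and el.get("Method"):  # SAML 2.0
            method = el.get("Method")
        elif name == "Conditions" and el.get("NotOnOrAfter"):
            stamp = el.get("NotOnOrAfter").replace("Z", "+00:00")
            not_after = datetime.fromisoformat(stamp)
            if not_after.tzinfo is None:          # SAML instants are UTC
                not_after = not_after.replace(tzinfo=timezone.utc)
    # Fail closed: a token without a readable expiry counts as expired.
    expired = not_after is None or now >= not_after
    return {"method": method, "not_on_or_after": not_after, "expired": expired}


def token_header(encoded_token, now=None):
    """Build the WSG header used in the thread, refusing expired tokens."""
    if inspect_token(encoded_token, now)["expired"]:
        raise ValueError("stored token is expired or has no NotOnOrAfter")
    return {"Authorization": "Token " + encoded_token.strip()}


if __name__ == "__main__":
    print(inspect_token(SAMPLE_TOKEN))
```
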

  • I tried to use the PowerShell cmdlets some months ago. The issue was that the amount of data was too big, which crashed PowerShell (I need to get audit trail records for all documents).

    Maybe you made some improvements / added new features in the cmdlets since then. I'll take a look.

    I agree we have a lot of clues to improve this use case (use PowerShell / Flow instead of Python, or use a non-federated account).

    But we also have other requests from users, and we really want to avoid the C++ SDK to achieve it :

    - FME connector compatible with WSG and federated account

    - In-house script which automates document export from our datasource and imports it into the client CDE / BIM review platform

    - Export files for PDF / IFC / ... rendition

    - ...

  • Thank you for sharing the information.

    In any case this new release of the Flow connector looks very promising.

  • Hi All,

    Thank you Benjamin for your post and questions: I am in a similar situation, trying to obtain an access token only with regular REST calls.
    Did you find a solution eventually?

    @Bentley Why does it have to be so hard?
    The Flow connector must be doing this internally. @Audrius, maybe you can ask your developer colleagues to answer this post and document the query (url, headers, body) to the token endpoint, so that the rest of us do not have to waste so much time with workarounds.
    Thank you