WSG 02.06.05.07 - How to use Bentley STS / OAuth2 authentication?

Hi,

I'm writing a program which extracts information from a PW datasource, using the Web Services Gateway.

We use Bentley IMS to connect to the datasource, so I want to use the same method. The documentation mentions Bentley STS and OAuth2, but is not very precise and I can't find a way to achieve that:

All requests having a {RepositoryId} parameter must have one of the following:

  • Basic Authorization header. For example:
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    The Basic parameter is a base-64 encoded string "username:password".
  • Token header with a token that is understood by the plugin. Currently supported token versions are Bentley STS and OAuth2.

Can anyone explain how to configure the header using the token, or give an example?

Thanks

Benjamin

  • I've just been doing some work in this area and it was pointed out that there has been no answer to this. Here's a very simple PowerShell script using WSG to download files. You will need at least version 1.11.2.0 of PWPS_DAB to run this script.

    # WSG base URL (path truncated in the original post), datasource name, class and document instance id
    $wsgURL = 'decide-pwce-us-ws.bentley.com/.../Bentley.PW--'
    $dsn = 'decide-pwce-us.bentley.com~3Adecide-pwce-us-10'
    $class = 'PW_WSG/Document'
    $id = '560ff1f5-bcab-4527-916b-6d240e0c45f8'

    # $downloadUrl = 'decide-pwce-us-ws.bentley.com/.../$file'

    # URL shape is {wsgURL}{dsn}/{class}/{id}/$file; single quotes keep '$file' literal
    $downloadUrl = "$wsgURL$dsn/$class/$id/" + '$file'

    # requires federated account; the password is read as a SecureString, not typed on the command line
    $token2 = Get-PWConnectionClientToken -ConnectedProjectUser dave.brumbaugh@eagle.bentley.com -ConnectedProjectPassword (Read-Host -Prompt Password -AsSecureString)

    # just for information to see the underlying SAML
    ConvertFrom-EncodedToken $token2

    $random = Get-RandomString -Length 10 -Characters "abcdefghijklmnopqrstuvwxyz"

    # WSG accepts the Connection Client token in the 'Token' scheme of the Authorization header
    Invoke-WebRequest -Method Get -Uri $downloadUrl -Headers @{Authorization = 'Token ' + $token2} -OutFile ("c:\temp\" + ($random) + ".pdf")

    # alternative method for connecting to WSG with logical user account
    # (non-federated): Get-EncodedLogicalToken returns the base64 "user:password" value for the Basic scheme
    $logicalToken = Get-EncodedLogicalToken -User "MyUser" -Password (Read-Host -Prompt Password -AsSecureString)

    $random = Get-RandomString -Length 10 -Characters "abcdefghijklmnopqrstuvwxyz"

    Invoke-WebRequest -Method Get -Uri $downloadUrl -Headers @{Authorization = 'Basic ' + $logicalToken} -OutFile ("c:\temp\" + ($random) + ".pdf")

  • Hi Dave,

    Thank you for this workaround, it works but now my problem is to get the token, because I need to be able to use other languages than PowerShell (like Python).

    Currently my workaround is that every week I have to use Get-PWConnectionClientToken from PWPS_DAB to get a token and store it in a file. Then I can read it from my script and use it.

    It's not convenient and not secure.

    It would be much better if I could directly get the token from Bentley IMS using OAuth2 / imsoidc. But I'm not very familiar with that, and I didn't find any documentation from Bentley.

    Our goal is to integrate our in-house applications with ProjectWise. And we want to do it using the REST API, because some of the apps are desktop apps, but others are web apps.
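An added Python example, not from this thread, from PWPS_DAB or from Bentley, showing the two Authorization header forms the WSG documentation quoted in the question accepts, the same download URL shape as the PowerShell script above, and an expiry check before reusing a stored token. It assumes the IMS-issued bearer token is a standard JWT; how the token value itself is obtained is outside the snippet.

```python
# Added example, not Bentley's code. Assumes the IMS bearer token is a standard JWT.
import base64
import json
import time


def basic_header(username: str, password: str) -> dict:
    """Basic scheme: base64 of 'username:password', as the WSG doc describes."""
    creds = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {creds}"}


def token_header(token: str, scheme: str = "Token") -> dict:
    """'Token' for a Connection Client token, 'Bearer' for an IMS OAuth2 token."""
    if scheme not in ("Token", "Bearer"):
        raise ValueError(f"unsupported scheme: {scheme}")
    return {"Authorization": f"{scheme} {token}"}


def jwt_payload(token: str) -> "dict | None":
    """Decode the JWT payload WITHOUT verifying the signature (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def token_expires_within(token: str, seconds: int, now: "float | None" = None) -> bool:
    """True if the token is expired or expires within `seconds`; unknown format counts as expired."""
    payload = jwt_payload(token)
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), (int, float)):
        return True
    now = time.time() if now is None else now
    return payload["exp"] - now < seconds


def build_download_url(wsg_url: str, dsn: str, cls: str, obj_id: str) -> str:
    """Same URL shape as the PowerShell answer: {wsgURL}{dsn}/{class}/{id}/$file."""
    return f"{wsg_url}{dsn}/{cls}/{obj_id}/$file"


def make_constructed_jwt(exp: int) -> str:
    """Constructed, unsigned sample token (alg=none) for the expiry-check demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc({"exp": exp, "iss": "constructed"})}.'
```

Calling `token_expires_within` before each request lets a script that keeps a file-stored token refresh it on time instead of failing with 401 mid-run.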

  • I think I have posted previously my methodology for getting an IMS token with a non-federated account. I think there are too many callbacks and such to effectively manage getting a token for a federated account. I will look for where I posted that and put a link in here if I can find it. Dave.

  • Thanks for your response Dave,

    I use the non-federated tokens for some automations I can't do with the magnificent PWPS_DAB (automations in "serverless" environments like AWS Lambda, Azure Functions, Container Apps, etc.). But in this case I am working on a web client that extends the possibilities of Bentley's PW Web Viewer.

    From what I found out so far (we are desperately looking for a solution), our WSG instance accepts 2 kinds of token:

    1. The Delegated Service token from the Connection Client, passed as a "Token {tokenvalue}" in the Authorization header: But I cannot use this as I am developing a 100% Web Client.
    2. The Bearer token generated by the official ProjectWise Web client (connect.bentley.com and others). This token is issued by ims.bentley.com completing an OAuth2 authentication process with some special scopes (including the sso://pw-integration-server/1016 among others). This is the type I'd like to get.

    I signed up at developer.bentley.com to create some client apps that could use the ims.bentley.com authentication, but this seems to be limited to iTwin apps, so the authorization scopes to obtain WSG-compatible tokens seem to be reserved to Bentley's ProjectWise Web applications.
    Is there any way to allow an application already created in developer.bentley.com to use these WSG OAuth scopes?

    Best,

    Iñigo

  • I'm not sure this will answer your question, but Dan Williams posted some examples of this a few years ago now: ProjectWise SDK - Bentley IMS Login

    BTW, I worked around this problem for another user by adding a service running locally on a configurable port from which they could obtain the IMS Token from Connection Client. Basically exposing some of the functionality we have in PowerShell via a Web API call. Kind of a kludge, but it works.

  • BTW, planning to release an Azure Runbook compatible module soon. Will mostly wrap the functionality of the new Web API (formerly known as ProjectWise Project Templating Service) but will include some token generation logic for IMS and OIDC.

  • THIS could be exactly what we need if the users could trigger that IMS OIDC part —I'm not sure if they will. In the meantime, I'll keep going with workarounds and asking the iTwin developer / IMS team if there's something to do...

    I have the PWPTS already on my server and it looks VERY promising —too bad I spent so much time deciphering the WSG query style. Can't wait to see what you are doing in those "mysterious" Apache Solr integration methods because this is something I had on my radar too :)

    Please, keep me updated!
