Authenticating API with SSO

  • Updated 3 months ago
I am trying to make a C# console app (using the .NET SDK provided by you) to automatically upload some data to ShareFile quarterly. My company uses SSO to log in to ShareFile, and I am having trouble getting the API Authentication to work.

From what I can tell by reading other threads, it would appear that since we are using SSO on an organizational level, there is no way to avoid the user having to enter data into a login form?

Is this correct? The goal of this console application is to run at night with no user input at all.

Would love any direction you could give me.

Thanks

PS. I'd be more than happy to provide my client_id, etc. in a private email with support staff if that would help.

Aaron


Posted 3 months ago


Simon Fairey

Hi,

Not sure if it helps, but when we set up access from a web app, once a user has manually logged in you can store the OAuth token and then when it expires just refresh it. So after the initial manual login the process should be able to run unattended.

Not sure if SSO throws a spanner in the works though. I can post some code if it'll help?

Si

Aaron

Thanks for the reply! Not sure if SSO will stop it, but I'll try any code you feel like posting :)

Simon Fairey

Hi,

Actually I need to think about this and am just about to head out, so will post some code tomorrow, but the issue is we use a redirect back to our website (you need this redirect for the OAuth to work); then once we have the OAuth JSON data we store that in a DB and then console-based apps can use it. Not sure whether you can create a small webapp just to handle the initial authorisation to get the JSON token?

Si
PS: Not sure if you can use curl to get the JSON token, well I know you can, but not sure if that gives you the refresh token, can't remember off the top of my head!

Simon Fairey

So currently we use a web-based OAuth mechanic, but I think for you, you'd want to use this part from the SDK:

Password Authentication: Requires the consumer perform ShareFile account discovery, which is not currently documented. In order to complete this authentication the consumer must know username, password, subdomain, and applicationControlPlane. In the sample below, these are assumed to have been obtained already.

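  // Client pointed at the generic API entry point.
  var sfClient = new ShareFileClient("https://secure.sf-api.com/sf/v3/");
  var oauthService = new OAuthService(sfClient, "[clientid]", "[clientSecret]");

  // Exchange the user's credentials for an OAuth token.
  var oauthToken = await oauthService.PasswordGrantAsync(username,
    password, subdomain, applicationControlPlane);

  // Attach the token to the client and use the URI the token provides.
  sfClient.AddOAuthCredentials(oauthToken);
  sfClient.BaseUri = oauthToken.GetUri();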

If you have a user in ShareFile whose credentials you can use to connect then you can create an OAuth key - https://api.sharefile.com/rest/oauth2-request.aspx and then use the aforementioned user to upload the files.

If this isn't doable because you don't have said user and SSO prevents this then you could go down the approach of creating a small web app with a single page that uses the web based authorisation pop up then stores the OAuth token as JSON somewhere central. 

The console app can then use that by converting the JSON into a valid token and it can silently refresh the token if it expires so you'd only need to run the web app once or again if the user you use revokes the OAuth permissions.

I can potentially help you with this (web app approach) if you get stuck but as my delayed response implies I'm rather busy currently!

Aaron

Thanks Simon for all the detailed information! We're exploring using curl to get the initial token for our console app. Can you tell me any more about how long the token is good for, and any kinda refreshing that needs to be done?

Thanks again!

Simon Fairey

Yeah, I used curl originally when testing but forget if you get a refresh token that way. The initial token is valid for 8 hours (that's the max you can set it for); after that you'll need to use the refresh token to get a new token. Found my notes from the initial curl testing I did; have sanitised it and not tested it in a while, but should be close enough:

(NB: From memory "state" is meant to be something more secure :-)

Subdomain is whatever your ShareFile site subdomain is.

Apologies if I've missed anything below, just heading out!

Testing OAuth2:
1.
https://secure.sharefile.com/oauth/authorize?response_type=token&client_id=<CLIENTID>&...

https://secure.sharefile.com/oauth/oauthcomplete.aspx#access_token=<ACCESSTOKENFROMABOVE>&...;

or
2.
https://secure.sharefile.com/oauth/authorize?response_type=code&client_id=<CLIENTID>&s...

https://secure.sharefile.com/oauth/oauthcomplete.aspx?code=<CODEFROMABOVE>&state=wibble&am...;

Then

curl -X POST "https://<SUBDOMAIN>.sharefile.c..." -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=<CODE>&client_id=<CLIENTID>&client_secret=<CLIENTSECRET>"

and after 8 hours to refresh: (Don't refresh early; it will fail and break your existing token)

curl -X POST "https://<SUBDOMAIN>.sharefile.c..." -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token=<REFRESHTOKENFROMORIGINALREQUEST>&client_id=<CLIENTID>&client_secret=<CLIENTSECRET>"

Hoping the copy and paste hasn't broken some links; if so, will check later when I get time and fix if it's not enough to get you going.
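
The store-then-refresh approach discussed in this thread, sketched as helper functions for a nightly job. This is an added example, not code from any poster or from ShareFile; TOKEN_URL is a placeholder for the token endpoint that is truncated above, and the SF_CLIENT_ID / SF_CLIENT_SECRET variable names and the token file layout are assumptions.

```bash
#!/bin/sh
# Added example, not code from the thread. Assumptions: TOKEN_URL is a placeholder
# for the truncated token endpoint; SF_CLIENT_ID / SF_CLIENT_SECRET are hypothetical
# environment variable names; the token response is flat JSON with string fields
# access_token and refresh_token (the standard OAuth 2.0 names).
TOKEN_URL="${TOKEN_URL:-https://TOKEN-ENDPOINT.invalid/placeholder}"
TOKEN_LIFETIME=28800                  # 8 hours, the lifetime quoted in the thread

# json_field NAME: print one string field from JSON on stdin (use jq if installed)
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# save_token FILE JSON [EPOCH]: line 1 = time obtained, remainder = raw response.
# mktemp creates the file with mode 0600 and mv swaps it in atomically.
save_token() {
  tmp=$(mktemp "$1.XXXXXX") || return 1
  printf '%s\n%s\n' "${3:-$(date +%s)}" "$2" > "$tmp" && mv "$tmp" "$1"
}

stored_field() { tail -n +2 "$1" | json_field "$2"; }

# token_expired FILE [NOW]: succeeds only once the 8-hour lifetime has elapsed
token_expired() {
  obtained=$(head -n 1 "$1")
  now=${2:-$(date +%s)}
  [ $((now - obtained)) -ge "$TOKEN_LIFETIME" ]
}

# refresh_request REFRESH_TOKEN: the POST body as a curl config file, so the
# refresh token and client secret never appear on a command line (visible in ps).
# Values containing " or \ would need escaping for curl's config syntax.
refresh_request() {
  printf 'data-urlencode = "grant_type=refresh_token"\n'
  printf 'data-urlencode = "refresh_token=%s"\n' "$1"
  printf 'data-urlencode = "client_id=%s"\n' "$SF_CLIENT_ID"
  printf 'data-urlencode = "client_secret=%s"\n' "$SF_CLIENT_SECRET"
}

# refresh_if_due FILE: call from the nightly job before using the access token
refresh_if_due() {
  [ -r "$1" ] || { echo "no stored token: $1" >&2; return 1; }
  token_expired "$1" || return 0      # still valid: an early refresh fails (see thread)
  rt=$(stored_field "$1" refresh_token)
  resp=$(refresh_request "$rt" | curl -sS --fail -K - "$TOKEN_URL") || return 1
  # overwrite the stored record only if the response carries both tokens
  [ -n "$(printf '%s' "$resp" | json_field access_token)" ] &&
    [ -n "$(printf '%s' "$resp" | json_field refresh_token)" ] || return 1
  save_token "$1" "$resp"
}
```

Keep the token file out of shared or synced folders: anyone who can read it can act as the authorising user until the grant is revoked.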