The <HostName>/ServiceModel/AuthService.svc/Login authorization API responds with 4 Set-Cookie headers in the response. But according to the spec [https://datatracker.ietf.org/doc/html/rfc6265#section-4.1], "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name." The client application can't get all 4 header values; only the first one is retrievable. Could you please give a fix or suitable workaround for this?

2 comments
Best reply

Hi Anusha, 

 

it's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies: 

 

8.1.2.5.  Compressing the Cookie Header Field
 
   The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
   cookie-pairs (or "crumbs").  This header field doesn't follow the
   list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
   prevents cookie-pairs from being separated into different name-value
   pairs.  This can significantly reduce compression efficiency as
   individual cookie-pairs are updated.
 
   To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.
 
   Therefore, the following two lists of Cookie header fields are
   semantically equivalent.
 
     cookie: a=b; c=d; e=f
 
     cookie: a=b
     cookie: c=d
     cookie: e=f

Please also check out this article:

 

https://datatracker.ietf.org/doc/html/rfc6265#page-7

 

Best Regards, 

 

Bogdan L.
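A client-side way to read every Set-Cookie field of a response and send the pairs back as a single Cookie header joined with "; ", the delimiter named in the RFC text quoted above. This is an added example, not part of the original reply or of Creatio's code; the cookie names and values are constructed placeholders.

```python
import http.client
import io

# Constructed sample: the header block of a login response carrying four
# Set-Cookie fields. Names and values are placeholders, not Creatio's own.
RAW_HEADERS = (
    b"Content-Type: application/json\r\n"
    b"Set-Cookie: cookieA=aaa111; Path=/; HttpOnly\r\n"
    b"Set-Cookie: cookieB=bbb222; Path=/\r\n"
    b"Set-Cookie: cookieC=ccc333; Path=/\r\n"
    b"Set-Cookie: cookieD=ddd444; Path=/; HttpOnly\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> http.client.HTTPMessage:
    """Parse a raw header block the way http.client does for a response."""
    return http.client.parse_headers(io.BytesIO(raw))


def first_set_cookie(msg):
    """Single-value lookup: yields one field only (the first, in CPython)."""
    return msg["Set-Cookie"]


def all_set_cookies(msg):
    """Multi-value lookup: returns every Set-Cookie field, in order."""
    return msg.get_all("Set-Cookie", [])


def cookie_pairs(set_cookie_values):
    """Keep the name=value pair of each field; drop Path, HttpOnly, etc."""
    jar = {}
    for field in set_cookie_values:
        name, sep, value = field.split(";", 1)[0].strip().partition("=")
        if sep and name:
            jar[name.strip()] = value.strip()  # a repeated name: last one wins
    return jar


def cookie_header(jar):
    """Join the pairs with "; " into one Cookie request header value."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


if __name__ == "__main__":
    msg = parse_headers(RAW_HEADERS)
    print("single lookup :", first_set_cookie(msg))
    print("all fields    :", len(all_set_cookies(msg)))
    print("Cookie header :", cookie_header(cookie_pairs(all_set_cookies(msg))))
```

The same distinction exists in most HTTP client libraries: a dictionary-style header lookup yields one value, while a dedicated multi-value accessor yields all of them.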

 

Bogdan Lesyk,

Thanks Bogdan. It was really helpful, will check alternative way to process from the client API side.

Hi community!

 

I'm trying to set up a call to a web service (the built-in no-code approach), which uses a custom HTTP header for authentication called 'X-API-KEY'.

 

I haven't found a way to add a header to the web service via the UI. Is there some way to achieve this?

 

Thanks,

Robert

3 comments

Hi Robert, 

 

Usually such operations are performed by using OData: 

 

https://academy.creatio.com/docs/developer/integrations_and_api/data_se…

https://documenter.getpostman.com/view/10204500/SztHX5Qb?version=latest

 

Please also check out these articles to find some useful tips: 

 

[Call web service] process element -

 

https://academy.creatio.com/docs/user/bpm_tools/process_elements_refere…

 

API Keys - 

 

https://swagger.io/docs/specification/authentication/api-keys/

 

 

Regards, 

 

Bogdan L.

 

 

 

Hi Bogdan,

thanks for the answer!

However, that's not quite what I was looking for ;)

 

I know of OData and how to use it. Unfortunately, the 3rd party service doesn't support it.

What I'm looking for is actually a way to add custom headers to HTTP requests when calling external web services via business processes.

 

I know I could use a script task and program it myself, but I was wondering if it also worked when using the standard web service integration.

 

Thanks,

Robert

Robert Pordes,

 

Actually we don't have practical examples of such implementation. 

 

So in this case as you said you may use a script task to achieve required result. 

 

Probably the link of how to Run business process via web-service will be also useful for you:

 

https://academy.creatio.com/docs/developer/front-end_development/creati…

 

Thank you! 

 

Regards, 

 

Bogdan L.

Hello all,

 

I am trying to enable OAuth 2.0 authorization for configuration web services on an on-premises Creatio v7.17/MS SQL instance. I followed this article and got stuck at Point #3 (Creating default resource). Has anyone been able to enable OAuth 2.0 successfully? Pls find below some details reg my use case - 
 

On trying to add a default resource from the Creatio GUI, we get an error. Ref "Error.png". There is no mention of having to change/fix 'IdentityServerClientId' and 'IdentityServerClientSecret' system settings in the Academy article. The article only mentions OAuth2.0 settings. I went ahead and set the same ClientId & ClientSecret in the above two system settings also. The same error continues.

 

I have attached a few files for your reference - 

  1. 'Error' log file.
  2. 'OAuth20' log file (It says [BadRequest] invalid_scope)
  3. appsettings.json file used to setup IdentityService.
  4. There is a console error which says Ext.JSON.decode is unable to decode the JSON string. However gives no info reg which JSON string it is speaking about. Ref "ConsoleError.png"
  5. Pls find below value of all relevant system settings - 
    1. OAuth20IdentityServerUrl & IdentityServerUrl - "http://localhost:90" (This is where IdentityService is hosted)
    2. OAuth20IdentityServerClientId & IdentityServerClientId - "bpmonline-designer"
    3. IdentityServerClientSecret & OAuth20IdentityServerClientSecret - "665b6f638c2da3ecc5d3a1868eb9352f6e01ee4a"
  6. Few other data points - 
    1. Creatio installation website is still on HTTP and not on HTTPS. 
    2. Identity service website supports both HTTP & HTTPS. But setting the HTTPS url as the Server URL errors out.

4 comments

Hello, 

 

There are a few possible root causes of the issue and it's hard to tell the exact one only with the information provided and with no access to the instance. 

Please contact our support team via an email: support@creatio.com and submit the support request so we could check all the needed details. 

Thank you in advance!
Best regards, 
Anastasiia

Anastasiia Zhuravel,

Thanks Anastasiia. I have already done that

M Shrikanth,

 

I have the same issue. Did you find any solution?

 

Thanks

Mohamed

Mohamed Ouederni,

Not yet Mohamed. I have written to Creatio support and the issue is yet to be resolved. 

Hello Community,

 

The Academy guides on how to create anonymous custom configuration services using WCF / .Net Framework - https://academy.creatio.com/docs/developer/back-end_development/configuration_web_service/configuration_web_service#title-1243-3

Suppose, I have a Creatio cloud instance on Linux using .Net Core. How does one go about creating an anonymous custom configuration service??

 

Regards
Shrikanth

4 comments
Best reply

Hello Shrikanth, 

In order to enable Anonymous service for .Net Core edition of Creatio all you need to do is to add information about this service to "AnonymousRoutes" block of ..\Terrasoft.WebHost\appsettings.json file. 
It should look like this:

"Terrasoft.Configuration.[Service name]": [
    "/ServiceModel/[Service name].svc"
]

Please note that there is no need to change service's source code.
Also, if the "System.Web" namespace is being used, it has to be changed to "Terrasoft.Web.Http.Abstractions". 

Kind regards,
Roman
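Because every entry in the "AnonymousRoutes" block is reachable without logging in, a review script can list those entries and flag any that were never approved. This is an added example, not Creatio's code; the sample file layout, the service names and the allowlist are assumptions made for illustration.

```python
import json

# Constructed sample of an appsettings.json fragment. The placement of the
# "AnonymousRoutes" block and both service names are assumptions.
SAMPLE_APPSETTINGS = """
{
  "AnonymousRoutes": {
    "Terrasoft.Configuration.StatusCallbackService": [
      "/ServiceModel/StatusCallbackService.svc"
    ],
    "Terrasoft.Configuration.DebugExportService": [
      "/ServiceModel/DebugExportService.svc"
    ]
  }
}
"""

# Hypothetical allowlist: routes the team has reviewed and approved.
APPROVED = {"/ServiceModel/StatusCallbackService.svc"}


def find_blocks(node, key="AnonymousRoutes"):
    """Yield every dict stored under `key`, at any nesting depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, dict):
                yield v
            else:
                yield from find_blocks(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_blocks(item, key)


def anonymous_routes(settings_text):
    """Return sorted (service, route) pairs reachable without authentication."""
    found = set()
    for block in find_blocks(json.loads(settings_text)):
        for service, routes in block.items():
            for route in routes if isinstance(routes, list) else [routes]:
                found.add((service, str(route)))
    return sorted(found)


def unapproved(settings_text, approved=APPROVED):
    """Routes that are anonymous in the config but missing from the allowlist."""
    approved_lower = {r.lower() for r in approved}
    return [(s, r) for s, r in anonymous_routes(settings_text)
            if r.lower() not in approved_lower]
```

Run against the deployed file as a release check, a non-empty `unapproved()` result is the signal that a service has been exposed without review.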

Hello Shrikanth,

 

To create a configuration service you need to authorize via the AuthService.svc. Please refer to the following article: https://academy.creatio.com/documents/technic-sdk/7-16/creating-configu…

Please let us know if you have any questions or concerns left,

Regards,
Kseniia

 

 

Kseniia Prokopenko,

The documentation clearly says that there is a way to create a configuration service with Anonymous authentication. Hope you went through the Academy link I pasted in the question.

My question was - 
The documentation only lists out the steps for the WCF based configuration services (Used by .Net Framework on Windows). How does one go about creating an anonymous service on a Linux installation of Creatio using .Net Core?

Kseniia Prokopenko,

Hi Kseniia, Request and appreciate your assistance for the above query

I am trying to configure an outbound call to a web service which requires Bearer Authentication. To authenticate, you first have to make a POST to a /token endpoint using body in application/x-form-www-urlencode format. This is a fairly common authentication scheme, but Creatio currently only supports Basic or OAuth 2.0. That's fine, I thought I'd implement the token call myself, however it appears the only content type supported is JSON. If I try to add a Body parameter, it is expecting a JSONPath. Is there some way to do this that I'm missing? Otherwise, what would it take to allow url-encoded body parameters, or add Bearer Token as a supported authentication scheme?

5 comments

Hello Aron,

 

Thank you for your question!

Please, check the screenshot below.  Token is being transferred in header: 

Please let us know if you were able to complete your business task.

 

Best regards,

Bogdan S.

I am also wondering about this.

I need to make a POST request which includes urlencodes in body.

This is the cURL of the request I'm trying to get working:

curl -X POST 'https://{server_address}/api/v2/getpersonaltoken' \
  --data-urlencode 'email={user_email}' \
  --data-urlencode 'password={user_password}'

Postman (working): https://prnt.sc/100p26e
Setup in Creatio: https://prnt.sc/100p5t4

Postman is working. But in Creatio I get this response: 

{"status":"error","message":"Email/password or login_token is missing"}

 

 

Bumping this question again

Julius,

Please use the following request parameters to get the response correctly (you need to add an "Authorization" header and two query parameters):

As a result, the business process that uses the web service with these parameters returns the response correctly:

Best regards,

Oscar

Oscar Dylan,

 you are the best!

Hello Community!

The Creatio documentation suggests that basic authentication is only available for the OData API and not for a custom configuration web service. Anonymous/Forms authentication are the only 2 ways to authenticate for configuration web services. Would like to reconfirm this.

A typical system integration use case is the following - 
1. Creatio pings an external product/system asking it to do some asynchronous processing. 

2. External product/system pings a Creatio custom configuration call back to inform it regarding the status.

 

Typically, external products only permit registering a callback URL and do not provide for customization to do forms authentication with Creatio. How does one overcome this? One way is to make the call back permit anonymous authentication but this is a bad security practice. Is there a way to enable basic authentication for custom configuration services on Creatio?

4 comments

Hello! 

 

Custom configuration service becomes available after user authentication via the AuthService.svc. If you don't have a possibility to call it directly from your integration you can create another layer of service from your side to send a response from external product and call auth service and after that configuration web service. 
https://academy.creatio.com/documents/technic-sdk/7-16/creating-configuration-service

 

Best regards, 

Dennis 

Dennis Hudson,

Hi Dennis. We are not in a position to do any customization on the external system side.

Is there anything we can do on Creatio's side to facilitate this?

M Shrikanth,

 

The only way to bypass the Auth service for configuration web services is to create an anonymous web service. As a workaround, you can pass login and password to the method in this service and check the validity of credentials in this service using auth service.

Thank you Dennis!

Does BPM'Online support SSL-MA authentication? I have a financial services application that I need to connect to BPM'Online. I am going to develop few custom configuration service endpoints on BPM'Online that are going to be consumed by the financial services app. However, there is a requirement from the customer for adding an extra layer of security to any kind of interactions between the systems through client/server signed certificates(could be X.509 certificates) and perform mutual authentication. So, can mutual authentication  be performed on BPM'Online? 

2 comments

Would really appreciate some help here...

amanthena,

I'm not sure what is the difference between "mutual authentication" and just a simple authentication to an SSL application. According to the article by the link below, it seems like there is no difference.

https://blog.cloudboost.io/implementing-mutual-ssl-authentication-fc20ab2392b3

Please find how to call a bpm'online authentication service in the article by the link below. Please read all the article from the very beginning to the very end before creating the integration. A lot of tricks that you have to use are described there. 

https://academy.bpmonline.com/documents/technic-sdk/7-13/executing-odata-queries-using-fiddler 

Is it possible to use Google as authentication provider to provide single-sign-on on BPM'online to Google accounts?

Thanks

1 comment

Dear Massimiliano,

Here is academy article regarding single-sign-on to bpm'online instances and there is no information on integration with Google accounts. We will register this as a suggestion for the improvement of bpm'online services.

Best regards,

Oscar
