How to run IBM BPM Rest api call from Post man client - api

I am trying to excute IBM BPM Rest api call from Post man client
Ex:
https://ustrial01.bpm.ibmcloud.com/bpm/dev/rest/bpm/wle/v1/user/current?includeInternalMemberships=true&parts=all
I set Basic Authentication values( Username, password)
I am getting status code as 200, but response i am getting some HTML code.
Can any one help me on this.Any help is greatly arreciated.

If you are getting a 200 status then why do you need the response? the status code should be good enough for you because 200 means the REST call worked fine.

I'm not familiar with the product you're referring to, but it sounds like you need to specify the media type you want to get back in an Accept header of your request. I suggest you try specifying
Accept: application/json
or (being an IBM product I'm guessing XML might be preferred)
Accept: application/xml

I tried to access BPM REST api call using Chrome's Postman & REST Console plugins.
Based on my experience, sometimes I don't no why it looks like Postman will not take auth details.
But, below steps always worked for me:
1. login to BPM account in Chrome,
2. open REST Console plugin and can access REST api GET/PUT all the time.
Hope this helps. Thanks

There are two parts to this answer, the 'long story short' part and the elaborate part.
Long Story Short:
IBM BPM Cloud exposes a variety of REST APIs to interact with its BPM engine and let it be as a service or more commonly known as 'Headless BPM' or 'BPM-as-a-Service'.
These REST API calls are secured by basic authentication i.e. by username/password
For Cloud, the username and password used for the REST API is not the same as the User's credential, which the User will use for logging into IBM BPM Process Portal or website. For on-prem solution, it is the same.
For Cloud, a 'functional' username password has to be requested for (Cloud Admin can create those) and that has to be used in the service call.
For example, if you are username/password for logging into BPM Cloud is 'johndoe#gmail.com/Test123' then there will be functional credential created for this ID (say, 'somefunctionalusernamedjohn123/8jdklajl23').
We can use this credential with every reqeust but what we should do is, use these credentials in the very 1st call to BPM server, in the response of which there will be a specific 'cookie'. We should save it and re-use that in our sub-sequent calls until it expires (you'll receive appropriate http status code if you disable 'follow redirect' in your http client config).
I had to raise a PMR to get this information. https://www.ibm.com/support/knowledgecenter/en/SSFPJS_8.6.0/com.ibm.wbpm.wle.editor.doc/topics/int_ext_services_start_process.html
Sample Java code to start a process:
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
.url("https://ustrial03.bpm.ibmcloud.com:443/bpm/dev/rest/bpm/wle/v1/process?
processAppId=3u092jr02j-fghjkyk.u078992c166c1&bpdId=25.jk8989-539a-4150-
b63e-ggui67868gjkgj7&action=start")
.put(null)
.addHeader("Content-Type", "application/x-www-form-urlencoded")
.addHeader("Accept", "application/json")
.addHeader("Connection", "keep-alive")
.addHeader("Authorization", "Basic YXJrYX242232jklkljljLmNvbTpkZWZjb240QA==")
.addHeader("Cache-Control", "no-cache")
.addHeader("Postman-Token", "f46c1525-899-9897-uoh89-bb2b21a57f16")
.build();
Response response = client.newCall(request).execute();
Before finding this solution through PMR, I was desperately looking for a solution or a workaround. I noticed that my REST calls are getting redirected to an authentication page and I also noticed that, it is quite similar to what happens when you try logging into any IBM BPM Process Portal.
Once you login to IBM BPM Portal using Chrome, observe that it doesn't log you out. So I guessed the answer to be in the cookie and through trial and error, I picked up the cookie, which is PD-S-SESSIONID (named Something like that), and started using them in my service but obviously they expire in like 30-40 mins. So, I went ahead and used selenium and headless chrome to do the same thing as what I did manually. Anyway, this hack shouldn't be needed for On-Prem solution or with functional IDs for cloud.
Another very useful API wrapper which I have used in my project is:
https://github.com/egetman/ibm-bpm-rest-client. I had to make some changes to make this work with the trial account and for some other reasons.
And of course, we can't go far without the help of in-built REST API tester by IBM
e.g. https://ustrial03.bpm.ibmcloud.com/bpm/dev/bpmrest-ui/BPMRestAPITester/index.jsp
Thanks!

Related

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting above in sequence via JMeter I am getting 200 response. Just like JMeter I tried recording in Postman and it worked same, but instead of JSON it gave response in XML format.
It doesn't generate a access_token, it works via session cookies.
My question is - Do I really have API access or it is just browser record n play? If Yes, Does this mean I can get access to any API, if I am a registered user of that application? For ex: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating. Say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server that what client we are using and in what form data is being sent and then server responds accordingly with the information.
What you're recorded is OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.

Exact online REST API: POST call not working

I am trying to make a post call in Exact Online REST API. I'm trying to create a SalesInvoiceLine. I can perfectly do a GET call via my browser. I am logged in in Exact Online so I don't need authentication since this should be passed via a cookie. I tried POST via a browser. The browser prompts me to login, when I do nothing happens. I've also tried this in Postman:
I am 100% certain these initials are correct, I can login with them in Exact Online. What am I doing wrong?
If this is not the way, how can I post data to Exact Online? There are not that many concrete examples to find online.
You can't log on to the Exact Online REST API with Basic authentication, the mode you are using now.
The web service uses OAuth as authentication mechanism, meaning you have to acquire a token first. The steps to do so are outlined in the official documentation.
It will need some work on your end to register an app, get the flow up and running. Depending on your business needs, you might be helped with one of the apps for Exact Online by the company I work for.
You need to retrieve the CurrentDivision through GET Request https://{Base Uri}/api/v1/current/Me only from OAuth then you need to assign
CurrentDivision to whatever may be the API call .../api/v1/{CurrentDivision}/../....
Without authorization by Auth 2.0, neither is impossible.
To authorize the ExactOnline API calls you have to do the following:
Register the app in the developer portal. Bear in mind that you have to do a separate registration for French, UK or Dutch version of ExactOnline (this is indeed a pain).
In case you want your application to be used by other accounts than yours, you have to submit the app for validation, this usually takes 2-3 weeks.
EO uses standard OAuth 2.0 schema (very similar to what Google is using with their services). You have to use endpoint GET /api/oauth2/auth for building an authorization link and endpoint POST /api/oauth2/token for obtaining both access and refresh tokens.
Please bear in mind that many Auth 2.0 services are proving long-lasting refresh token. This is not the case of EO. The refresh token is invalidated every time when the access token is requested (endpoint POST /api/oauth2/token). With access token new refresh token is supplied, so make sure you update you refresh token as well.
The access token is placed in HTTP header as "Authorization: Bearer {{ACCESS_TOKEN}}"
In case you want to automate the EO API calls and do not want to code anything on your own, you can try one of the pre-build Exact Online API connectors, created by the company I work for.

Get Nike API Access Key

I am trying to make requests to the Nike+ API to get information but I do not know where to get a long-term access token from.
I know that I am making the actual request correctly (using AJAX) because I send the same request that Nike+ send when using their test console (I take it from the Chrome network tab when the test console sends). This request works for about an hour before saying the token has expired.
How do I get a long-term token? I have looked around the API and can't find it which makes me think I am missing something pretty obvious here.
Update (12/09/2016)
I need to have a client id to start making the implicit flow requests. I took one from the network tab of the chrome browser (from when I logged in) and used it as a parameter(as well as other things) for the first api call but it said it couldn't load partner details.
Any ideas? Am i even allowed to do what I want to do?
Nike+ API uses OAuth 2 for authentication. In his API there is no long-term token, but you can use refresh_token (30 days) to get new access_token (bound with expired_in) when your authentication expires and get unauthorized response. You can read more at Nike+ API documentation.

How to connect backend service with philips hue bridge remotely?

I'm looking to write a philips hue service that needs to allow users to register their hue bridge with my service. This service would change the color of bulbs based on an event. I'm aware that I can use IFTTT but in this scenario, I'd like to not use IFTTT and I'd like to register my website with philips hue's apps.
Any idea how I can do this? Your help is very much appreciated. Thanks!
EDIT: Not sure why I was down voted but I definitely did do my research. I looked on philips hue's developer website and couldn't find anything that was explicit on their APIs. I also looked through the iOS SDK and didn't see any methods that would trigger the pairing routine for remote devices. So far, the only example I have of this working (outside of Philips' products is the IFTTT service, which allows for an entry to be added into the 'My Apps' section).
TLDR: I wrote an API: https://github.com/jarvisinc/PhilipsHueRemoteAPI
I answered this question on my technical blog (http://blog.paulshi.me/technical/2013/11/27/Philips-Hue-Remote-API-Explained.html), which I will post here:
The question actually comes as two part:
Authentication
Remote Control
Authentication
I haven't figure out a reliable way to do authentication automatically. The following procedures needs to be automated: The idea is to fake as official iOS APP which has the ability to control remotely when enabled. We will need to get BRIDGEID and ACCESSTOKEN to pass the authentication step for remote control.
Find your BRIDGEID from https://www.meethue.com/api/nupnp. (or in My bridge page on the meethue website and by clicking on "Show me more")
Get ACCESSTOKEN
www.meethue.com/en-US/api/gettoken?devicename=iPhone+5&appid=hueapp&deviceid=**BRIDGEID**
Right click on "BACK TO THE APP" and write down ACCESSTOKEN inside the link it redirect to
phhueapp://sdk/login/**ACCESSTOKEN**
Basically it is a hack to get your access token. You fake your app as the official iOS Hue App, and ask for access token that way. I am not sure there is an easier way out there, if you do know one, please do comment below.
You can potentially automate it by doing simulated log-in session and grab the the ACCESSTOKEN by scraping the page content. But I consider it highly unreliable because any change to the official page will likely break it.
I wrote this script that allows the automation of getting ACCESSTOKEN as of today, but I don't guarantee it will work tomorrow for the reason I explained above :P
Currently, this OAUTH process only works with official apps. There might be a slight chance that they will open it to other 3rd party apps.
Remote Control
Once authentication is done, this part can be done automatically. There are 2 known private endpoints for sending control command and getting all the status related to the hue bridge.
Sending Command Endpoint:
POST https://www.meethue.com/api/sendmessage
Getting Status Endpoint:
GET https://www.meethue.com/api/getbridge
Sending Command Endpoint
URL: https://www.meethue.com/api/sendmessage
Method: POST
URL Parameters:
token=**ACCESSTOKEN** (which you obtained earlier)
Request header
content-type=application/x-www-form-urlencoded
body
clipmessage={ bridgeId: "**BRIDGEID**", clipCommand: { url: "/api/0/**APIENDPOINT**", method: "**METHOD**", body: **JSONCOMMAND** } }
BRIDGEID is the same one you obtained earlier
APIENDPOINT the same as official API /api/<username>/*** by removing /api/<usename>/ part
METHOD PUT/GET/POST/DELETE the same 4 method as official API. Despite GET really doesn't work since all response from the Sending Command Endpoint is 200 explained in the following part, while DELETE is not tested
JSONCOMMAND The actual command body for example {"on":true}
Getting Status Endpoint
URL: https://www.meethue.com/api/getbridge
Method: GET
URL Parameters:
token=**ACCESSTOKEN**
bridgeid=**BRIDGEID**
Request header
content-type=application/x-www-form-urlencoded
Limitations
Current limitation is you cannot immediately know from the response whether your control command succeeded like the official API. All the response you get from calling the Sending Command Endpoint is pretty much always <200> if you are doing it correctly. But you can always pull all the status related to the Hue bridge from the Getting Status Endpoint.
Remote Control API
I wrote Philips HUE Remote API to specifically solve the remote control problem.
Enjoy :)
Paper
For full documentation please refer to this excellent paper:
Hacking Lightbulbs: Security Evaluation of the Philips Hue Personal Wireless Lighting System by Nitesh Dhanjani
I did some investigation by following the steps of #paul-jianer-shi however the access token are not shown in the generated HTML.
I think the Hue Portal has been updated and removed the way it potentially shows the access token.
I wrote a blog post about doing Remote Hue operations by reusing the access token of another application, like IFTTT. The main change is how to get your hands on that access token. The token in shown in the 'My Apps' section of the Hue Portal. Check the (De-activate) link. It contains the access token.
Next step will be to let Hue Portal trust my own app.
Philips plan to make the remote API available to 3rd parties(it's already used by IFTTT and meethue.com).
There is currently a form on the developer website to request an early access(must login):
http://www.developers.meethue.com/content/remote-api

UserAuthentication via Flattr-REST: No PIN returned?

I'm trying to write a new application using the Flattr REST-API version 1 (not the beta v2). The application acquires a request token at first, which seems to work properly. But I run into a problem authenticating the user. The link created for authentication looks like this:
https://api.flattr.com/oauth/authenticate?access_scope=read,click&oauth_token=MY_REQUEST_TOKEN
Clicking the link everything seems alright. Information about the application and the scope requested is shown, but clicking "Authenticate", there's no pin code, but the following error from https://flattr.com/apps/pincode/MY_REQUEST_TOKEN:
Something went wrong. Please try again
BUT now the Application IS in the authorized application list of the user though that doesn't really help if the user can't get the pin code...
The Application type is set to client. It's the first time I try to work with the API so I'm not sure if I miss anything important? Would be grateful for some help.
Just as an update: We finally changed to API v2. Getting Authorization for our application feels a bit clumsy, as we set the redirecturi to some webpage, where we display the returned code and let the user copy&paste it into our client application... we kind of made our own pincode-flow :/
If possible, please use the v2 api, which uses oauth2 + bearer token.
However, the new API doesn't support authentication using the pincode flow.
As stated by Maike this is probably a bug that has surfaced yet again :(
I'll create an internal bug ticket and try to get it fixed.
The pincode isn't a feature planned. You can use the oauth2 "implicit grant" to authenticate the resources owner. This isn't documented at the moment but is possible.
When you do the request to https://flattr.com/oauth/authorize you pass the response_type token instead of code. This will append a access_token fragment in your callback URL. In your http client it might be possible to catch the 302 from our server and parse the access_token from the fragment.
All this requires a http client in your application whom you can control the flow inside your app.