API Access Mechanism using OAuth2

Wrong steps provided , in step 3 POST  BODY  we must provide the code generated in step 2  so the ideal body message will be grant_type=authorization_code&client_id=118&client_secret=Ps3C1ms7FmhRAoY0lH_RsD1GtVeMYoWJ&code=K5agMuKc8j  you have missed the code argument

I am repeating Rodrigo Flores's question in the hopes that there has been any progress in the last one and a half years, but would there be any way to access the Collaborate API with a system account, in order to get data from iSheets without having to get a passcode every single time? i.e. Something that would run on a server and pull into an on-premise SQL database.

Christopher Brown, there isn't, but there is a "sneaky" way:

Use the Get Sites endpoint to look for your (token's) My Site:

https://collaborate.highq.com/sitepoint/api/14/sites?filterby=all&name=My%20Site&limit=1

In the result set will be 1 site, where the siteowner is....

{
   "siteowner": {
      "firstname": "string",
      "lastname": "string",
      "email": "string",
      "userid": 0,
   }
}

You can then use the Get User API endpoint if you need more details about yourself.

NOTE: It's not infallible, for example, maybe some clever dick might actually create a site called "My Site". So perhaps you may want to increase the limit to 10, and filter the returning matched sites, looking for the property "mysite" === true, if you want to cover all bases...

Andrew

Is there a Token Info / introspection endpoint which returns the user details based on an access token ? I have a middle tier api which will need to validate HighQ user access tokens (since Open Id /claims etc approach isnt possible/supported). Id rather not implement this with the token+username against the user api.

Ha Nguyen Danh No, and you'll notice that there is no 'log in' endpoint either. If you are implementing 'logging in' and 'logging out' in your application (which consumes our API) you are, in effect, building an abstraction on top of the OAuth2 token flow. If you feel as though its really important that you 'break' any authentication between the services, when a user hits logout in your app, you could use the token revocation endpoint?



This Stack Overflow post explains it fairly nicely.

Peter Simpson there is no mentioning about logout url, is there a logout url?

Well spotted Kristoffer Aurdal . 99% of API related requests we get in support are for Collaborate, so I hadn't actually realised that we use a different spelling here. Will ensure that the team are aware.

Hi Jim. This seems to be a publisher instance. Publisher uses UK English for the authorise link, so try this instead: https://hoganlovellsp4.highq.com/hoganlovellsp4/authorise.action?response_type=code&client_id=103&redirect_url=https%3a%2f%2fengage-staging.amicuscrm.co.uk%2f



The documentation you want to follow can be found here:

https://developerportal.thomsonreuters.com/getting-started-0

Is there some additional set up required for the first step in this process, because I just get a 404 error when trying to generate a OAuth code in step 2?

This is the URL I am going to

https://hoganlovellsp4.highq.com/hoganlovellsp4/authorize.action?response_type=code&client_id=103&redirect_url=https%3a%2f%2fengage-staging.amicuscrm.co.uk%2f

Note that this is a sandpit environment.

Thanks

Kristoffer Aurdal Thanks! I'll check it

Thanks Peter! Seems that OAuth2 authentication is more aimed to client side apps.

Rodrigo Flores I'm afraid we only currently support the OAuth2 authorization code workflow.

Ben Capps, If you reach out to your commercial account manager, they can arrange for a meeting with our solutions consultants, to scope out your requirements, as each connector deployment is somewhat custom.



https://knowledge.highq.com/help/apps-plugins-and-connectors/highq-appliance-connector-requirements



 

Kristoffer Aurdal Where is the documentation on this connector?

Rodrigo Flores You might want to look into HighQ's SQL database connector.

Hi, is there a way to automatically login to HighQ? As I'm creating an integration through database to isheets using an ETL, ask user's login credentials does not makes sense.

Is there a reason why the refresh token response does not return an `expires_at` timestamp like the initial authentication response?

Is it possible to style the login page used in the OAuth2 flow, like you can style the regular login page?

Hi Ben Capps, yeah it is not possible to change authentication ways. We managed to implement a connection on ourselves when using the PowerBI Desktop client by writing code via the Query Editor (basically passing the access code in the header with the API call), but this does not work on PBRS as it is not taken into consideration upon periodically scheduled refreshs. At the moment we are looking into a workaround to utilize Azure functions as described in this post: https://medium.com/@thyejansman/refresh-any-oauth2-api-from-powerbi-online-dataflows-using-azure-functions-fe89f8ac95cf



Sorry for my late response I think I haven't received any mail from the system about your mention. Big coincedence I actually read this right now :-)

Jonathan Arndt Did you ever get a solution to this question or find an alternative?

Hi, we are trying to utilize the API with Microsoft PowerBI Report Server, however PBRS does not support Key Authentication for web calls (compare https://docs.microsoft.com/en-us/power-bi/report-server/data-sources). Is there any chance to switch to e.g. Username+Password for the API ?

Tomas Hlavaty, if you are on version 5.1, you could get HighQ to enable the Swagger documentation. It doesn't cover all the API endpoints (yet), but taking a look at, and executing, some of the REST points may give you a better feel for what is needed.

For example, once Swagger UI is enabled by HighQ:

1. Load up the page and press the Authorize button to generate an API token.
2. Find the get site list v2 endpoint (Ctrl + F, enter get site list into the Chrome search box.
3. Open the panel and press the Try it out button
4. Scroll down to the name parameter input box and enter My Site.
5. Scroll down further and choose what format (response content type drop-down) you want the response to be: JSON or XML
6. Press the Execute button.
7. Down below is the curl statement, API url, and the response body
8. In the response body look for "siteFolderID".  This will be the ID of the folder that holds your files (My Files).

The endpoint to retrieve the list of those files is not implemented yet in the Swagger UI, however, this would be the API endpoint you will call, where you would set the query parameter (q) to:

/api/2/files?q="folderid=n"

where n is the folder ID you received in siteFolderID above.

Hope this helps,

Andrew

ok, is there any example at all showing login requests + responses + a simple request using the api, for example listing my files?

Tomas Hlavaty I am afraid not.

is there a curl example showing for example login + list of my files?

@Lars-Erik Hobber if you keep on refreshing the token before it expires then you will not need to go through this process for generating a token.

Hi, is there a limit as to how many refresh tokens one can acquire before having to go through this process again?

Leo Furze-Waddock please try out the call, you will get the useremail attribute back. I have updated the documentation accordingly.

Is it correct the 'TokenResponse' for new access tokens includes a 'useremail' attribute, but the 'TokenResponse' for renewed access tokens does not?

I am not able to identify what is my instance name in step 2. It is required at 2 places in the url. I am trying to generate an OAuth Code.

Thank you for the update, much appreciated.

Andrew Quinn we have scheduled this improvement in Collaborate 4.3 currently under development. 4.3 is scheduled to be released in Q1 2018. The "Access Type" field is a HighQ Internal setting, apologies that it is being displayed to the system admins at the moment, we plan to hide this setting in the next major release.

Hi Imran Aziz, do you have an update on when the state key parameter will be supported now that we are at 4.1.6 (or 4.2 for non-MSSQL Enterprise instances)? Also, can the Knowledge Base (or similar) be updated to include a description of what the "Access Type" field, in the Register Application form, does. Thanks in advance, Andrew

Tom Clabon we are planning to pick up the state key parameter in 4.1.3 release, we plan to release 4.1.3 in June this year.

Hi. Any update on when the state key will be supported?

We've also noticed that the redirect_uri param for the authorize request can be any url and is not checked against the one configured for the application. Will this change at any point because as per the oauth spec it should be?

For our application, because of the missing state key we need the redirect_uri to not be checked so the current behaviour is fine. However, if we release and at some point in the future redirect_uri checking is enforced, then we'd require state key support and we would need to re-release and re-deploy at all our customers

Mukesh Singh thank you for your feedback. I am afraid we do not support the State parameter in our OAuth implementation at this time, however this is part of our roadmap and will be implemented in an upcoming release.

Hello HighQ, Another basic functionality but could not find in your example above. I noticed while generating Auth code you are only passing response_type, client_id, and redirect_uri. You are not using state parameter which is one of the essential part. I tried to pass the state parameter but the return url does not carry state parameter in query string.

Could you please confirm if HighQ supports "state" parameter.

Jim Page thank you for your comment  and explanation and glad to hear that you have been able to automate the process. Going forward we plan to provide an impersonation API, which can be used through a Collaborate system admin account to generate OAuth token for other users and then call the API methods on their behalf. This will enable the integrators to only generate the OAuth token once for a system account and then be able to impersonate other users in the system. 

A use case for our business is to make automated API calls without human intervention.  Unfortunately Step 2 (Generate OAuth Code) requires a web browser and a user to enter login details (so that security context can be set) and as such causes an issue with any automated / unmanned process.  For information, I have been investigating this and written an POC which uses browser automation to take the place of the human.  This does appear to work.

Vikas Baweja The isheets API is very limited, and we suggest to use our XML feed to get data our of isheets until we update our iSheets API. Please see some details here https://developerportal.thomsonreuters.com/isheets-api on the isheets API documentation. 

Hi Imran Aziz, in iSheet API, there is no end point to get data. Can you please tell me end point to make REST call.

Vikas Baweja  please raise a support ticket in our online support system, as that is the best place to address specific client issues. The 401 error message is generally only generated if the OAuth token is either invalid or has expired. Please provide all instance specific information in the support ticket, so that we can check in our logs as to what is going on. Thanks.  

Imran Aziz 401 error was when I am sending request using OAuth Access token, It worked for folder info and file download, but it didn't work for iSheet. I am accessing this as System admin. Do I need to have some other permission on iSheet? Let me know if you want me to email you my c# code? For whitelisting our IP, our system uses messagelabs, so IP changes every time I'll still check this our system engineer. I need to pull this data to local system for some urgent projects. Is there any way to organize a call?

Vikas Baweja  the API uses OAuth as its authentication mechanism, and the reason that your are getting 401 can be due to permissions issue. Please check that you have permissions to the specific isheet and the site that you are using in your query.  There are two XML feeds, the one that you are using requires a valid session so it is only going to work when you login to the system and create a valid session, there is a second XML feed which you can view for each isheet view by going into the edit mode. The URL looks like this https://{siteurl}/{instancename}/xmlExportLink.action?linkParam=blIffusw85%2BjjhvmI9khRFWsGUuddkcz4J5wsP4vzrVRCf5RG9GjVw%3D%3D . This XML feed works based on IP white list, which can be provided in admin settings ( For this you will need to raise a support ticket http://support.highq.com and the support team will add your IP address to the white list) 

Vera Chin I have already responded to that question in this thread to Vikas Baweja , Please see the documentation in our KB to find your required details. 

Imran Aziz Thanks, When I am making ISheet Api call to uril https://{Instance}/haw/api/1/isheets?siteid=24&type=normal I get error 401 unauthorized. and when I try with xml view link https://{instacename}/haw/sheetViewExportXML.action?metaData.siteID=24&metaData.sheetId=71&metaData.sheetViewID=110&metaData.isheetExportType=xml with access token, I am getting response to login again? Can you please help?

Imran Aziz Thank you for the suggestions. One more question (hopefully), I need to export xml from an iSheet automatically so that I can then import the data from the isheet to another system, is it possible to make an API call to the isheet xml url? Thanks! 

Vera Chin yes it is possible to automate the OAuth Code generation, you can find multiple suggestions detailed here. 

Is it possible to automate the OAuth Code generation (step 2) programatically?

Vikas Baweja  you have to generate the passcode once and then you can use the refresh token to refresh the OAuth key, each time the code expires. The isheet API is not complete and I would suggest to look into this KB page for guidance https://kb-collaborate.highq.com/creating-solutions-using-the-new-isheet-xml-feed

Hi, Generate a OAuth code is just one time or do I have to do everytime? I need to use API. I need to put a overnight job to pull data from iSheet. what's best way?