Putting it all together: OAuth2 secured DataFlex RESTful service

Mike Peat
1-Dec-2017, 11:50 AM
Hi guys

Taking the stuff I have been doing with DataFlex RESTful web services (thanks to Harm!) to a logical conclusion, I have built a RESTful web service for the DF19.0 WebOrder application (not too tricky in itself), but have also built OAuth 2.0 (https://oauth.net/2/) authentication into it, so it can only be accessed by valid users (actually held in the WebOrder_19 WebAppUser table).

The service itself is hosted on www.unicorninterglobal.com (http://www.unicorninterglobal.com), but obviously (obvious to some :)) you can't just access it there; trying something like https://www.unicorninterglobal.com/WebOrder_19/REST/Customer/List from a browser will just get you an error: {"code":-32094,"message":"Invalid Authorization Token","data":""}, because you will not have presented a valid OAuth 2.0 token with your request. (For those who care, those tokens are JWTs (https://jwt.io/) - JSON Web Tokens - secured with an SHA256 HMAC signature... you may have noticed me posting elsewhere about having finally worked out how to do that.)

So in addition I have built a demo client for the service, using my DataFlex OAuth2 component (available here: 11538). That demo client is available on a different server: http://test.unicorninterglobal.com/WebOrderRESTClient/Index.html so as to simulate a third-party application using the service.

That demo client will allow you to log into the service using OAuth 2.0 authentication: on clicking on the Login to WebOrder Service button there you should be presented with a login page from https://www.unicorninterglobal.com (https://www.unicorninterglobal.com/) and following logging in a second page letting you choose which APIs (from a list of: Customer, Orders, Inventory, Vendor and Salesperson) and what level of access - full, read-only or none - to allow for each.

Once you allow that access the Demo application will then be able to access the WebOrder data the user you have logged in as has rights to (see the "Instructions" tab on the Demo for more information on those users and user-types, but the usual John / John will get you in with full rights to everything as a start). The standard WebOrder sample is also available at https://www.unicorninterglobal.com/WebOrder_19/Index.html, running on the same data (and indeed built into the same WebApp.exe) as the service so you can check that any changes you make through the service are reflected in that.

In addition to tabs for each of the APIs, the demo also has an API Testing tab which you can use to explore calls to the API. There is usage information on that on the Instructions tab.

So far, so good, but to be of any use, third-party developers need to be able to access the service as well, so I have created a Developer Portal for it at: https://www.unicorninterglobal.com/ApplicationRegistration which will allow you to register as a developer then register your own applications, each of which will be given a "client ID" and a "client secret" to use and for which you can register the Authorized Redirect URL(s) which are required in order for the OAuth 2.0 mechanism to work.

The Introduction page in that app gives further information about what you need to build into a web application (URLs to use, etc.) for it then to be able to access the service on behalf of users (although for DataFlex developers this probably needs to be read in conjunction with the OAuth2 component documentation: https://docs.google.com/document/d/14Kvk0C-vZXBrORh6IjlEzk63Z1KuYHQ3vL5CzpXHXmY/edit#heading=h.kh6mr43zuuy7). (NOTE: due to problems with our ISP, through whom confirmation and other e-mails are sent from the portal, HotMail e-mail addresses will not work. Sorry!)

I would love it if someone with an interest would try building a client app for the service to see if the whole infrastructure will work for anybody but me (and perhaps assure me that there is a real world out there and that this is not all just going on inside my head as I sit rocking back and forth in a corner of my padded cell! :o). It could be a DataFlex webapp, or anything else (Johan, my PHP-lovin' friend... feel like a challenge? :)).
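
Added illustration for the post above (not Mike Peat's DataFlex code and not part of the thread): a Python example of the checks a service has to make before honouring a JWT secured with an SHA256 HMAC signature, answering with the error body quoted in the post when they fail. The `sub`, `exp` and `access` claim names, the secret and the `DENIED` response are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

# Error body the post above shows for a missing or bad token.
INVALID = {"code": -32094, "message": "Invalid Authorization Token", "data": ""}
# Constructed for this example; the post does not show the service's denial reply.
DENIED = {"code": 403, "message": "Access level too low", "data": ""}

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify_hs256(token, secret, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm on the server; the token must not get to choose it.
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many bytes matched.
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        # A token with no expiry is rejected (KeyError below).
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims
    except (KeyError, ValueError, AttributeError, TypeError):
        return None

def handle(token, secret, api, write, now=None):
    """Gate one request on the token and on its per-API access level."""
    claims = verify_hs256(token, secret, now)
    if claims is None:
        return INVALID
    level = claims.get("access", {}).get(api, "none")  # assumed claim layout
    allowed = level == "full" or (level == "read-only" and not write)
    return {"ok": True, "user": claims.get("sub")} if allowed else DENIED
```
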


Roel Westhoff [W4]
2-Dec-2017, 06:34 AM
Hi Mike,

Santa Claus has come early.
Let's get unpacking :-)


See you in Edinburgh,


2-Dec-2017, 07:28 PM
Well done Mike. I wish I had time to work with this. Sounds great!

Mike Cooper
3-Dec-2017, 04:18 AM
Thanks Mike.

I am interested in giving this a shot but am tied up until about mid-January.


4-Dec-2017, 09:01 AM

available here: DFOAuth2-Beta2.zip (https://support.dataaccess.com/Forums/attachment.php?attachmentid=11538&d=1512144818)

The workspace at this link is version 18.1. Can you confirm that is the latest?

Great work, thanks.

Mike Peat
4-Dec-2017, 09:07 AM

I didn't make any changes to the component - that should work OK. (If not, let me know.)


Mike Peat
11-Dec-2017, 04:24 AM
PS - since writing that I have made changes to the component, but only cosmetic ones - allowing settings from the DF code for sizing and positioning the Login window.

Will publish at some point.


9-Jan-2018, 05:05 AM
Happy New Year Mike

I've just had a skim read of your very comprehensive google doc on OAuth2

One thing I am not sure about (and feel free to tell me to RTFM because as I say I've only skim read) ...

The gist of the document as I understand it is all about one's DF webapp connecting to third party vendor services like Google, Office 365 etc etc to be able to use that vendor's resources, open an office doc etc

In the post that starts this thread you say "Once you allow that access the Demo application will then be able to access the WebOrder data the user you have logged in as has rights"

This to me suggests you have set up an OAuth "vendor" at Unicorn that will serve up the WebOrder data from your server ?

So my question is, I presume this is also a WebApp but that side of the equation is not covered by your client side google doc documentation ?

In short have you documented how to create an oAuth vendor using DF that I have missed ?


Mike Peat
9-Jan-2018, 06:03 AM
Hi Focus

Skimming or no, you have the right of it. :)

The OAuth2 component published here is only about connecting DF web apps to other providers' OAuth2 secured (usually RESTful) services (there are a bunch of examples in the workspace), however it is what I used in the sample client (http://test.unicorninterglobal.com/WebOrderRESTClient/Index.html) on test.unicorninterglobal.com to connect to the OAuth2 secured service on www.unicorninterglobal.com (http://www.unicorninterglobal.com).

After explaining how (one way, at least) to create a RESTful JSON web service in DataFlex in this paper (http://www.unicorninterglobal.com/Company-White-Papers-Creating-RESTful-JSON-Web-Services-in-DataFlex-868), I then took things the logical step farther and built OAuth2 authentication and authorization into a sample service based on the standard DataFlex Order Entry sample.

I quite strongly believe that this is a way we should all be going, as I explain in another white paper (http://www.unicorninterglobal.com/Company-White-Papers-Why-you-need-a-RESTful-API-872).

Any publicly accessible web service can - and should - be secured with an API key (a shared secret, basically) known only to the provider and the consumer, but I think that if you are doing such a thing it would be better to get with the program (the prevailing industry trend) and go the whole hog for OAuth2 authentication as well.

To complete the picture I then also set up a developer portal (https://www.unicorninterglobal.com/ApplicationRegistration/) which allows you to register as a developer for the service and generate client IDs and client secrets - and register callback URLs - for it so that you can build your own clients for the service (in DataFlex you would probably use the OAuth2 component, but I'd love it if somebody could build a non-DataFlex client for it).

The whole thing is really just a proof-of-concept to demonstrate that we can do it all in DataFlex.

I have another paper in preparation (where "preparation" ATM actually means "I really must get down to writing something!" :p) which will explain all of the pieces involved, but ATM I don't intend to provide that at the level of a step-by-step guide or components you can use: the whole thing was a lot of work, so commercially I need to get some payback from it, rather than giving it all away for free, I'm afraid. Sorry!


9-Jan-2018, 06:15 AM
Thanks Mike

I obviously must have missed those white papers the first time around

I shall have a further read


10-Jan-2018, 06:16 AM
Hi Focus,

If you'd like to keep up with the articles Mike writes, you are welcome to join our mailing list, where we always highlight what he's written - just drop us an email at info@unicorninterglobal.com and we'll add you. :-)

15-Feb-2018, 09:48 AM
Very nice job Mike, I just read everything you've put together for the RESTful services. I have Google email and Docusign working using the 19.0 JSON stuff with Seanyboy's help. What you've given us here is a somewhat standardized implementation and framework which is very cool. I have tested and used all the previous work you have done earlier. With the earlier work, I was able to get a token, but could not get any farther and the end game ended up being a lot different. I am buried beyond buried with an overhaul of my sales management application for a while, but I still have to do Constant Contact and maybe Mail Chimp. While so far, none of these companies' implementations are standardized and their documentation so far always has something totally wrong to mess you up. I will give it a shot when I get there with what you have put together and let you know how it goes.

Mike Peat
15-Feb-2018, 11:15 AM
Thanks! :)

Yes, my experience has generally been that each API's documentation is wrong at some point - it's as though the guys who wrote it handed off documenting it to some intern they only discussed it briefly with around the water cooler. Frustrating! :(


Richard Hogg
15-Feb-2018, 06:07 PM
How did you find interfacing with Docusign? I'm thinking of having a look at it. We need to be able to store signed documents in our own DB rather than their cloud.


Mike Peat
16-Feb-2018, 03:15 AM

I have not tried Docusign, I'm afraid.


Richard Hogg
16-Feb-2018, 07:57 AM
Sorry Mike the question was directed at salesnav. In their post they mentioned using Docusign.