Client Side Integration
Integrating to WebServices from the client side (javascript) involves some problems that need to be addressed.- Browsers are not allowed to send Http calls to other Origins different from the Origin serving the Web Page, unless CORS (Cross Origin Resource Sharing) is allowed on the remote server.
- Credentials used to Authenticate on the remote server might be stolen as all the javascript code is visible and easily accessible for the clients.
- The customer’s server perform an AuthenticateUser call to the existing Matchcode360 REST Services by using the usual credentials (Authentication and Fixed Duration Tokens).
- The customer’s server stores internally the Token obtained in the above operation, which will be valid for 24 hours.
- When the customers’s server receives a request to serve a Web Page, where the javascript calls to Matchcode360 will be performed from, the server will serve the Web Page and pass the Token obtained previously and the username to be used.
- The javascript code on the WebPage will use the username and Token passed to call Matchcode360 REST WebService, by running the executeCapture operation.
- The Token will be valid for 24 hours, and can be used in as many browser sessions as needed, as it can be used concurrently.
- The customer’s server is recommended to have more than 1 valid Token available to be served to their clients. Thus, the server won’t pass a Token that is about to expire, but other Token with some longer duration.
- A customer account can have 10 valid Tokens issued at the same time as many. Although, as already said, the same Token can be widely used for all their clients requests.
Authentication and Fixed Duration Tokens
As already explained, the Authentication operation must happen at the customer’s server side in order to get 1 or more available Tokens for the browser clients. This Authentication operation needs to send an additional parameter to let the IdM Servers know that the Token to be issued is a Fixed Duration Token. This means, the Token won’t expire based on its use (for instance one hour later the last time it was used on any Transaction). Rather, it will expire always after a fixed amount of time from when it was issued.Calling authenticateUser
The call to authenticateUser comprises the endpoint, resource string and request details: Request Type: GET Endpoint: https://idmp.gb.co.uk Resource: idm-core-rest-globalservices/(version)/authentication/authenticateUser Request: username=(yourUserName)&password=(yourPassword)&fixedduration=true Where: (version) is the current version of the Matchcode360 service. For example, for version 21a (first version released in 2021) (yourUserName) and (yourPassword) are the credentials given to you by GBG Optionally, you can also pass the parameter ipAddress to authenticateUser to tie the searching to an IP address. If ipAddress is supplied to authenticateUser, then the same IP address must be provided with subsequent executeCapture requests using this authentication token. The parameters for authenticateUser are summarised in the table below: Type: AuthenticateUserRequest| Field Name | Type | Description |
|---|---|---|
| username | String | The username used to access the system including domain name (e.g. user1@mydomain.com) |
| password | String | The user’s password |
| ipAddress | String | (Optional) The IPv4 Address of the requesting machine. Note that if an ipAddress is supplied to authenticateUser, then the same ipAddress must be provided with subsequent requests using this authentication. |
| fixedduration | String | Mandatory for Client Side Integration. This generates a “fixed duration” Token, to be used from the browser client side. Values: true. Other value than “true” would cause the Token not to be “fixed duration” |
Example authenticateUser Request
GET host/idm-core-rest-globalservices/21a/authentication/authenticateUser?username= user1@mydomain.com&password=myPassword&fixedduration=trueauthenticateUser Response
The returned data from the authenticateUser request includes:- Unique authentication token and
- Error/success codes and
- Connection details
| Field Name | Type | Description |
|---|---|---|
| authenticationToken | String | Unique authentication token to be passed into the subsequent Execute method call |
| authenticationTime | DateTime | Authentication time |
| fullUserName | String | Full user name |
| userGuid | String | The unique identifier for the user |
| username | String | User name without domain |
| domain | String | The domain name of the authenticated user |
| lastLogin | DateTime | Last login for the user |
| sessionExpiryTime | DateTime | Session expiry date and time |
| Field Name | Type | Description |
|---|---|---|
| httpStatus | String | Http Status code in the Response |
| faultType | DateTime | Sort of Error |
| errorCode | String | Error code |
| errorMessage | String | Error Message |
| transactionId | String | Transaction Id |
Running Transactions from javascript
Once there’re one or more valid Tokens available on the server side, either of them can be used to perform transaction calls from the browsers. As already mentioned, the same Token can be used concurrently from multiple browsers. When serving the Web Page, the server will write the selected valid Token on it, to be used on the subsequent javascript REST calls. The technology used on the client side to perform the calls is customer’s choice. There are multiple options, from pure javascript code or using any of the well-known javascript libraries (such as JQuery). IdM Matchcode360 Servers are ready to receive CORS calls. So the client’s javascript code must use CORS calls to perform the client-to-server HTTP Rest calls. The CORS HTTP calls are based on 2 inner calls:- PreFlight calls for the browser to know if CORS is allowed on the remote server and which operations and headers are allowed.
- Actual HTTP REST call performing the transaction.