REST API Authentication Options

Hi all,

I am currently developing a custom web application that will communicate with the Epicor REST API and am wondering if anyone knows whether the REST API supports Azure authentication when it is enabled for the client and server?

To explain further, my custom web application will be available to remote users who will login using Azure AD. The hosting web server will then make server-side connections to the Epicor REST API. I have a development environment setup with the custom web application and an Epicor 10.2.300 instance. I can successfully login to the custom web application, or the Epicor instance using my Azure AD account credentials. The Epicor REST API is accessible as well, but is likely using my domain account (I will be reviewing the configuration within IIS shortly). In the custom web application I can connect to Azure AD and request an on-behalf-of bearer token for the Epicor Server or Client Azure app and pass the appropriate authorization header, but it does not appear that the REST API is anticipating an Azure AD token.

If Azure AD authentication is not supported by the REST API, is there another pass-through authentication solution anyone has implemented and would like to share about your experience?

Thanks!

It is supported. You will need to set up your AAD settings in Epicor ERP - specify your directory and application IDs.

Hi, may I know if there is any API license purchase required if we would like to develop a mobile-based app to connect to our local Epicor server, and are there any limitations?

The licensing details are covered in the documentation. As a short summary, you can pass the license type you would like to use (like WebService) over a default license. A Default license is what a number user would use; handheld or CRM licenses are restricted to the services they are for. So if you are building a mobile app to talk to Epicor, it depends what you need. Typically Web Service would be for an integration scenario. What are you building?

Thank you for your response. I have set up the Azure Directory (Tenant) ID and Application IDs (Server and Client) within Epicor ERP and I can successfully log in to my Epicor instance using my Azure AD credentials. It appears that the Epicor REST API does not use the Azure configuration, unfortunately. I’ve tried to disable Windows Authentication for the Epicor web application in IIS hoping that it would fall back to Azure, but the application does not appear to direct requests to Azure for authentication. I’ll be reviewing SwaggerUI and the Swashbuckle configuration to see if there is a method to configure Azure AD. If you have any thoughts or suggestions, I’d be glad to hear them.

If the REST API does not offer support for Azure AD, I can potentially use the TokenResource service endpoint of the Epicor REST API to generate authorization tokens, or use a generic service account for all Epicor REST API requests. It wouldn’t be ideal, but may be feasible.

Swagger UI only works with basic authentication.
It won’t work with TokenResource either.

You have to use Postman or write your own code to authenticate with a token. And your code can use the Azure AD library ADAL to redirect to AAD for authentication and get a token.

Hi Olga,

Thanks for confirming that custom code can use Azure AD “for authentication” to “get token.” I was able to sign in to my custom web application with Azure AD and then request an access token on behalf of my Azure AD user for the Epicor REST API app registration. Once I obtained the appropriate access token with a correct audience value, I added the access token to the Authorization header for my calls to the Epicor API. It was a great deal of work to get the correct token values, but the Epicor REST API now accepts and validates my access token successfully.

Thanks again!

Great!
Do not forget that the token is only valid for 1 hour and you have to handle its renewal.

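The two practical problems raised in this thread for the server-side caller are getting a token whose `aud` claim matches the Epicor app registration, and renewing it before the one-hour lifetime runs out. The following is an added example (not code from the original posts or from Epicor) of a small bearer-token cache that inspects the token's claims before use and re-acquires it a few minutes ahead of expiry. The `acquire` callable stands in for the real on-behalf-of request to Azure AD (with MSAL that would be `ConfidentialClientApplication.acquire_token_on_behalf_of`, MSAL having replaced the ADAL library mentioned above); the audience string `api://example-epicor-server` and the unsigned test token are constructed placeholders for the example. Claim decoding here is deliberately without signature verification: the client only needs to read `aud` and `exp`, while the Epicor server performs the real validation.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.

    Only for client-side inspection (checking aud/exp before sending);
    never use this to trust a token you received.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_test_jwt(claims: Dict) -> str:
    """Constructed stand-in for an Azure AD access token (alg=none, empty
    signature). Exists only so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


class BearerTokenCache:
    """Caches one access token and re-acquires it before it expires.

    acquire           -> returns a fresh access token string (e.g. the OBO call)
    expected_audience -> the Epicor API app registration's identifier URI/app ID
    refresh_margin    -> seconds before `exp` at which we renew (clock skew + latency)
    now               -> injectable clock, for testing
    """

    def __init__(self, acquire: Callable[[], str], expected_audience: str,
                 refresh_margin: int = 300, now: Callable[[], float] = time.time):
        self._acquire = acquire
        self._aud = expected_audience
        self._margin = refresh_margin
        self._now = now
        self._token: Optional[str] = None
        self._exp = 0.0
        self.acquisitions = 0  # how many times we went back to Azure AD

    def get(self) -> str:
        if self._token is None or self._now() >= self._exp - self._margin:
            token = self._acquire()
            claims = decode_jwt_claims(token)
            aud = claims.get("aud")
            auds = aud if isinstance(aud, list) else [aud]
            # A token minted for the wrong resource (e.g. Graph) is rejected by
            # the API with a 401; fail early and loudly instead.
            if self._aud not in auds:
                raise ValueError(f"token audience {auds} != {self._aud}")
            self._token = token
            self._exp = float(claims["exp"])
            self.acquisitions += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to each call to the Epicor REST API."""
        return {"Authorization": "Bearer " + self.get()}


if __name__ == "__main__":
    # Constructed demo: a fake clock and a fake OBO acquirer.
    clock = [1_700_000_000.0]
    aud = "api://example-epicor-server"  # assumed placeholder audience
    cache = BearerTokenCache(
        lambda: make_unsigned_test_jwt({"aud": aud, "exp": int(clock[0]) + 3600}),
        aud, now=lambda: clock[0])
    print(cache.auth_header()["Authorization"][:20], cache.acquisitions)
    clock[0] += 3400  # inside the 5-minute margin of the 1-hour lifetime
    cache.get()
    print("re-acquired:", cache.acquisitions == 2)
```

In the real application the token cache should be keyed per signed-in user, since an on-behalf-of token carries that user's identity and must not be shared across sessions; the refresh margin absorbs clock skew between your server, Azure AD and the Epicor host.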
@Olga what’s the benefit of using a token versus just passing Basic Auth over and over again?

Basic authentication is obsolete. You send the password with every call. You have to store it somewhere on the client.
A token is the modern way of authentication; for example, with AAD you can use MFA and then use the token for 1 hour.

Indeed, people like Atlassian and Microsoft have been and are obsoleting Basic Authentication to their services. I don’t think RFC 7617 is going anywhere. While sending the Base64-encoded string over a secured connection is fine in transit, the client has it stored and must “guard” it and make sure the memory is wiped before terminating. Basic Authentication means a username for every service, which means users are most likely reusing passwords too. :frowning: With token authentication, if a token escapes, which is still a concern, it’s not good for long and users don’t have to remember them to refresh them. :wink: Finally, using something like Azure AD or Okta keeps all users in one place so it’s easier to add and remove authentication for all company services.

I would be grateful if you would share more detail on the steps to get a token from Azure AD that the REST API will accept. I too have a back-end web server making calls to the REST service. I’m currently using basic authentication but we are moving all authentication over to AD. It would be nice if Epicor provided a guide if this is going to be the optimal authentication method for REST.

The token is obtained by the client program and sent to the REST API server as a bearer Authorization header.
What is your client type?
Will your web application get the token from a user login, or is it server-to-server authentication? Is it written in ASP.NET or ASP.NET Core or something else?

There is a discussion in the REST Services Guide on EpicWeb (starting on page 82).