Where does Epicor store login information in SQL? What password hashing algorithm(s) do they use?
I want to run a custom report from an internal webpage but first check if the user is able to run the report by checking their credentials against the Epicor database.
It looks like it’s ERP.UserFile and the password field is nvarchar(90), but when I query the table all the passwords are blank except Manager’s password. That’s in there and hashed. But the others are all blank? Where does Epicor really store those?
Note that for AD authentication, there would be nothing there too. The passwords are salted and hashed. Your best bet to authenticate from a web app is to just log into the site using a REST call (if you’re on 10.1.600+).
As Mark said, passwords are salted and hashed; you are not going to be able to authenticate against them yourself. Within Epicor there are BO calls to do this; however, externally you can’t.
You could, if even not using single sign-on, use the fields to store the domain and user id in Epicor. Assuming your web page already authenticates the user you can then take that username and validate against the domain name and domain user id field to ensure they are listed in Epicor. You could go a step further and also use a quick group membership lookup. The table is ice.SysUserFile. This also would be only if you are not using generic users in AD to authenticate to the web page.
It takes the username and password as params. Note this is not ideal from a security approach - hard coded passwords in multiple areas is problematic. https is a must to protect passwords. Stay tuned for more news in this area as well.
Another thing you should investigate is the epicor token server. Get a token with your creds and use that token for authenticating. Standard web bearer token approach.
Definitely wouldn’t hardcode or store the password anywhere, it would just be input from a form on a page that I would test against the Epicor database.
Does anyone know what an example using Bart’s method could look like? I’m not sure how to talk to services but I think this is the kind of thing I need.
I just need to see if the password is valid then I’d let them continue with their report.
I’d be using PHP but if you know what this looks like in .ASP page I could probably translate it to my language.
I’m developing against Epicor 10.2.100.7 because we’re in the midst of testing and getting ready to go live later this summer. So do you know any examples I can peek at? I did some research and Stackoverflow doesn’t have much in the way of examples.
ERP 10 has a Token Service to request a jwt token for use as an authentication token. You can set the key and lifespan on the token service in Admin Console.
How to obtain and use one is documented in the REST help:
Simply add it to the header of your server calls instead of username / password.
NOTE - Tokens WILL expire. You need to determine how you wish to handle that.
You can determine how long the token lives for (e.g. 24 hours) and set a client timer to obtain a new one at 23 hours.
Or you can prompt the user to log in again when it expires (think Office 365 / Windows Accounts: you go into a website and are logged in already because their token is in the browser cache or similar; if the token expires, the Windows Account login is popped).
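The pattern described in this thread, put together as an added example (it is not code from the thread, from Epicor, or from Epicor’s REST help): the web page takes the credentials from its login form, exchanges them once for a token from the token service, keeps only the token, sends it as a bearer header on later REST calls, and refreshes (or forces a new login) an hour before the token’s `exp` claim. It is written in Python rather than the PHP the original poster asked about, and the following are assumptions: `TOKEN_URL` is a placeholder for the real endpoint, the response field `AccessToken` is a guess to be checked against the REST help, and the HTTP transport is injected so the example runs offline against a constructed fake token service that signs its own JWTs with a demo key.

```python
"""Bearer-token login check against a JWT token service (added example).

Assumptions, all constructed for this demo and not taken from Epicor:
  * TOKEN_URL is a placeholder; use the endpoint from your REST help pages.
  * The service answers with JSON {"AccessToken": "<jwt>"}; verify the real
    field name in the REST help.
  * The transport is an injected function so the example runs offline; in
    production pass a function that does an HTTPS POST (HTTPS is a must,
    since the form credentials travel in that one request).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

TOKEN_URL = "https://EPICOR_HOST_PLACEHOLDER/TOKEN_SERVICE_PATH_PLACEHOLDER"
REFRESH_MARGIN_SECONDS = 3600  # renew at 23h for a 24h token, per the advice above


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim so the client knows when to renew.

    The client does not verify the signature: only the issuing server holds
    the key and enforces it; the client only needs the lifetime.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


class TokenClient:
    def __init__(self, post: Callable[[str, dict], Optional[dict]], now=time.time):
        self._post = post
        self._now = now
        self._token: Optional[str] = None
        self._exp = 0

    def login(self, username: str, password: str) -> bool:
        """Exchange form credentials for a token. The password is sent once
        and never stored; only the token is kept in memory."""
        body = self._post(TOKEN_URL, {"username": username, "password": password})
        if not body or "AccessToken" not in body:
            return False  # service refused the credentials
        self._token = body["AccessToken"]
        self._exp = jwt_expiry(self._token)
        return True

    def needs_refresh(self) -> bool:
        """True when no token is held or it is inside the refresh margin."""
        return self._token is None or self._now() >= self._exp - REFRESH_MARGIN_SECONDS

    def auth_header(self) -> Optional[dict]:
        """Header for the next REST call; None means the user must log in again
        (or a background timer must fetch a fresh token)."""
        if self.needs_refresh():
            self._token = None
            return None
        return {"Authorization": f"Bearer {self._token}"}


# ---- constructed fake token service, so the client can be run offline ----
FAKE_SECRET = b"demo-signing-key-not-real"
FAKE_USERS = {"report.user": "correct horse battery staple"}  # constructed
TOKEN_LIFETIME = 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_post(now=time.time):
    """Return a post() that mimics a token endpoint issuing HS256 JWTs."""
    def post(url: str, form: dict) -> Optional[dict]:
        expected = FAKE_USERS.get(form["username"])
        if expected is None or not hmac.compare_digest(expected, form["password"]):
            return None  # the real service would answer 401 here
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps(
            {"sub": form["username"], "exp": int(now()) + TOKEN_LIFETIME}).encode())
        sig = _b64url(hmac.new(FAKE_SECRET, f"{header}.{claims}".encode(),
                               hashlib.sha256).digest())
        return {"AccessToken": f"{header}.{claims}.{sig}"}
    return post


if __name__ == "__main__":
    client = TokenClient(make_fake_post())
    print("login ok:", client.login("report.user", "correct horse battery staple"))
    print("header:", client.auth_header())
```

The point a practitioner should take from it: the web app never sees the Epicor password hash and never stores the password; a refused token request is the "invalid credentials" signal, and the refresh margin decides between Bart’s two expiry strategies (a timer that calls `login` again with fresh credentials, or a `None` header that sends the user back to the login form).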