User Credentials Lookup

It doesn’t work? What does it give you?

It works in Swagger tester but not the POSTMAN app, but I guess as long as I can use Swagger the postman app is unnecessary.

I’m looking at the help Epicor documentation. Is there a section about authentication to use these REST services?

For instance, on my webpage I’ll have a form and when I click a button I want to take the user inputted userID & Password, and then test it against this service. But how does my webpage have rights to run a lookup against this service since I had to log in to get to see it in the swagger tool?

Authentication goes in the header of the REQUEST. To see if the password was correct, just make a call to the REST endpoint (any service; I like to use Company or UserFile or BAQ) and see if you get a valid response.
If you get 401, that’s a bad uname / password; if you get 200, then you are good.
The web page doesn’t need any rights; authentication happens based on that header you send in your GET/POST.
Now if you are making the call from the client browser using JS then you’ll get into CORS issues… but I’m hoping that’s not the case.

The idea is that a user visits an internal webpage running on a different webserver on our network.

I have a simple workflow in mind:

They input their username and password. They click a button and it submits a PHP form.

On the page that they submit to (ie the action property of the html form), I want to take the user input and call this service to check if the username and password were legit. If they were then I want to redirect them to a secure page, otherwise return them to the login page.

I guess I don’t know what that check request script would look like.

I gave you two examples in PHP above, just make that call and see what response you get.

$response //should be true or false or blank

The first one (with CURL) ran but didn’t echo anything out so I’m not sure if it worked or not.
I’m not sure what CURL is or how to use it so I will do some research on that, maybe take an online course about it.

The second one said it couldn’t find class HttpRequest. Is that a library or package available somewhere that you know of? I’m using PHP7 on Apache. Is there an extension I need to enable?

Also in both of your examples it has Postman-Token and Authorization. Don’t those values have to be specific to my script or server?

If you use Postman you can use it like this

Thank you Dan I was able to get POSTMAN to test it out thanks to your screenshot.

Okay Jose, I’m getting closer: this is the response I get when using the CURL method:

cURL Error #:SSL certificate problem: unable to get local issuer certificate

I guess I’m unsure about what the Postman-Token should be or how I would generate that for each request.

Postman token is unnecessary; you can erase it. The Auth Basic header is a Basic Authentication header; you can read all about it here

But it’s just a base64-encoded concatenation of the username and password separated by a colon.

The error you are getting is because your SSL cert is not trusted. You can pass in the ignore cert options to your CURL request

CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false

This is the code I got working with your help.

<?php
// Basic auth header value: base64 of "username:password"
$auth = base64_encode("epicor:epicor");

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://xxx-epicor10/E10Train/api/v1/Ice.BO.UserFileSvc/ValidatePassword",
  // Return the response body from curl_exec() instead of printing it
  CURLOPT_RETURNTRANSFER => true,
  // Certificate checks switched off to get past "unable to get local issuer certificate"
  CURLOPT_SSL_VERIFYPEER => false,
  CURLOPT_SSL_VERIFYHOST => false,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  // JSON body: the userID and password to validate
  CURLOPT_POSTFIELDS => "{\r\n  \"userID\": \"epicor\",\r\n  \"password\": \"epicor\"\r\n}",
  CURLOPT_HTTPHEADER => array(
    "Authorization: Basic " . $auth,
    "Cache-Control: no-cache",
    "Content-Type: application/json",
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

// Show the cURL error if there was one, otherwise the response body
echo ($err) ? "cURL Error #:" . $err : $response;
?>

Is it bad practice to not have a trusted server certificate? All these webpages are internal to our company so is it okay that we don’t trust the certificates?

Yes, but internal is your own world so do as you wish.
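
Added example, not code posted by anyone in this thread: the same ValidatePassword request with certificate verification left on and the internal CA trusted through CURLOPT_CAINFO, deciding the login from the 401/200 status described earlier in the thread. The function names and the CA bundle path are assumptions; the host is the placeholder used above.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Build cURL options for the ValidatePassword call with TLS verification on.
function epicorCurlOptions(string $baseUrl, string $user, string $pass, string $caBundle): array
{
    return [
        CURLOPT_URL            => rtrim($baseUrl, '/') . '/api/v1/Ice.BO.UserFileSvc/ValidatePassword',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,       // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,          // and that the certificate names this host
        CURLOPT_CAINFO         => $caBundle,  // PEM file with the internal CA certificate
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_POST           => true,
        // json_encode() escapes quotes and backslashes in the submitted values
        CURLOPT_POSTFIELDS     => json_encode(['userID' => $user, 'password' => $pass]),
        CURLOPT_HTTPHEADER     => [
            'Authorization: Basic ' . base64_encode($user . ':' . $pass),
            'Content-Type: application/json',
        ],
    ];
}

// 200 = credentials accepted, 401 = rejected; anything else is not a verdict.
function epicorLoginResult(int $status): string
{
    if ($status === 200) { return 'ok'; }
    if ($status === 401) { return 'bad-credentials'; }
    return 'error';
}

function epicorCheckLogin(string $baseUrl, string $user, string $pass, string $caBundle): string
{
    $curl = curl_init();
    curl_setopt_array($curl, epicorCurlOptions($baseUrl, $user, $pass, $caBundle));
    $body = curl_exec($curl);
    // A TLS or network failure returns false: log it and report 'error', never 'ok'.
    if ($body === false) {
        error_log('Epicor check failed: ' . curl_error($curl));
    }
    $status = ($body === false) ? 0 : (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return epicorLoginResult($status);
}

// Usage on the form's action page (CA path is a constructed placeholder):
// $result = epicorCheckLogin('https://xxx-epicor10/E10Train', $_POST['userID'], $_POST['password'], '/etc/ssl/certs/internal-ca.pem');
```

Only an 'ok' result should lead to the redirect to the secure page; 'error' covers certificate and network failures and should send the user back to the login form just like 'bad-credentials'.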