WinHttp 5.1 oauth2 authentication

txeriff Posts: 279 Member
Hi all,

Does anyone know whether this automation can be used to authenticate with OAuth2?
'Microsoft WinHTTP Services, version 5.1'.WinHttpRequest

Or some other similar.

It needs to be automation since it's an old NAV and needs to run on a NAS.
https://developer.paypal.com/docs/api/get-an-access-token-curl/

thanks!

Answers

  • ftornero Posts: 233 Member
    Hello @txeriff ,

    Yes, you can use 'Microsoft WinHTTP Services, version 5.1'.WinHttpRequest to connect to PayPal with OAuth2.
    
    url := 'https://api.sandbox.paypal.com/v1/oauth2/token';
    
    IF ISCLEAR(WinHttp) THEN
      CREATE(WinHttp);
    
    WinHttp.Open('POST', url, FALSE);
    
    WinHttp.SetRequestHeader('Accept', 'application/json');
    WinHttp.SetRequestHeader('Accept-Language', 'en_US');
    WinHttp.SetRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    WinHttp.SetRequestHeader('Authorization', STRSUBSTNO('Basic %1', AUTHORIZATION));
    
    WinHttp.Send('grant_type=client_credentials');
    IF WinHttp.Status = 200 THEN
        MESSAGE(WinHttp.ResponseText);
    

    Where AUTHORIZATION is a Text constant with the Base64 value of your clientID and your secret; you can use the following PowerShell script to get the combined value:
    $clientID = 'Af3DnhKLg7IUF7wekancR0359QwQ4XLNt8xqjaxK7R9g1bSiXeH5aCKfdDuGYMvUME5AZHF0OnY68fbh'
    $secret = 'EJq_4cd48l4uPXQXC596oH82QI9IofNMM5IH3eBWkBPytpmQBM5Mw8qJWCSgkoYNzh2zxS2jBTJwszwR'
    $b64 = [System.Convert]::ToBase64String([system.text.encoding]::UTF8.GetBytes($clientID+':'+$secret))
    $b64
    

    And later on parse the response to get the access_code for the next request.

    Regards.
  • txeriff Posts: 279 Member
    You saved me a lot of headache. Thanks.

    I developed some tricky code with output and file reading for the token. (Create, make sure file not open, loop... delete, read...)
    This will make it smooth.

    Thanks again.
  • txeriff Posts: 279 Member
    Hi again,

    I hope you can help me fix this.

    When I run the codeunit manually, it works.
    From the NAS, it tells me the following in the event viewer:

    This message is for C/AL programmers:

    The call to member Send failed. WinHttp.WinHttpRequest returned the following message:
    A certificate is required to complete client authentication
  • ftornero Posts: 233 Member
    Hello @txeriff,

    Does this happen on the same machine, or are they different ones?

    Regards
  • txeriff Posts: 279 Member
    edited 2019-05-27
    It happens on the same machine. I run it, all fine. I set up the NAS, this happens.

    I've been trying and reading; maybe the NAS runs in some kind of different container?

    https://microsoft.public.winhttp.narkive.com/dMdsYpqA/sending-post-over-https-using-a-client-certificate-with-winhttprequest-5-1

    I tried to install the certificate file and I guess it succeeded; I also call SetClientCertificate (I also have it from PayPal but, as far as I understand, it is unnecessary and it works if I run the CU), but anyway I get the same error.


    Edit:
    https://docs.microsoft.com/en-us/windows/desktop/winhttp/winhttpcertcfg-exe--a-certificate-configuration-tool
  • ftornero Posts: 233 Member
    Hello @txeriff,

    I was doing some more tests, and on one of my machines I get the certificate error in both cases: running the CU and, of course, with the NAS.

    Using any certificate works for me, even a self-signed one.
    
    url := 'https://api.sandbox.paypal.com/v1/oauth2/token';
    
    IF ISCLEAR(WinHttp) THEN
      CREATE(WinHttp, TRUE, TRUE);
    
    WinHttp.Open('POST', url, FALSE);
    
    WinHttp.SetRequestHeader('Accept', 'application/json');
    WinHttp.SetRequestHeader('Accept-Language', 'en_US');
    WinHttp.SetRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    WinHttp.SetRequestHeader('Authorization', STRSUBSTNO('Basic %1', AUTHORIZATION));
    // Adding the certificate
    WinHttp.SetClientCertificate('FTG2');
    
    WinHttp.Send('grant_type=client_credentials');
    IF WinHttp.Status = 200 THEN BEGIN
      IF GUIALLOWED THEN
        MESSAGE(WinHttp.ResponseText)
      ELSE BEGIN
        IF Tabla.FINDLAST THEN
          i := Tabla.NMov
        ELSE
          i := 0;
    
        Tabla.NMov  := i + 1;
        Tabla.Valor := COPYSTR(WinHttp.ResponseText, 1, MAXSTRLEN(Tabla.Valor));
        Tabla.INSERT;
      END;
    END;
    

    Regards.
  • txeriff Posts: 279 Member
    Sorry. It seems to be related to the account the NAS runs under. I tried to log in with the NAS account and it shows me that error on screen. So this must be down to the permissions that IT left for that NAS user. If I run Navision with my user it works fine.
  • txeriff Posts: 279 Member
    edited 2019-05-27
    Sorry, so you get the error on both machines. What is FTG2? Is it a new certificate, or what is it? I don't know how to self-sign a certificate, to be honest. I have the PayPal certificate file and I tried to point to it, but still the same error.

    PS: Do you speak Spanish?
  • ftornero Posts: 233 Member
    Hello @txeriff,

    FTG2 is the name of the certificate.

    How did you point to the PayPal certificate?

    Yes, I speak Spanish.

    Regards.
  • txeriff Posts: 279 Member
    Hi ftornero,

    Look, the last thing that half-worked was, using the NAS account, going in Internet Explorer to settings > certificates and adding the one I have from PayPal everywhere there. Then I did a run and it worked for me. Even so, with the NAS it still does not work.

    You say you created any certificate and it worked for you? Where did you store the certificate? In trusted sites? Personal?

    Thank you very much. This is turning into a horrible headache.
  • ftornero Posts: 233 Member
    Hello @txeriff,

    The certificate must be in the user's Personal folder.

    [Image: f36gx722lkc2.png]

    In this case the NAS user must have the certificate installed in his Personal folder.

    Regards.
  • txeriff Posts: 279 Member
    edited 2019-05-27
    One last question:

    It is still not working. I used my PayPal certificate (even though it is useless, as any cert works, as you said). I entered the "friendly name" SANDCERT. Then I did as you did before:

    WinHttp.SetClientCertificate('SANDCERT').

    The certificate now seems to be in the LOCAL COMPUTER PERSONAL CERTIFICATES and also in the personal certificates; I just imported it, logged in as the NAS user account.

    Any ideas?

    thanks!
  • ftornero Posts: 233 Member
    Hello @txeriff,

    Is SANDCERT the name, like in the image?

    [Image: xoirvdqstq2u.png]

    And can you see the certificate with the NAS user?


    Regards.
  • txeriff Posts: 279 Member
    edited 2019-05-27
    Yes I can. I also tried using that name (which is much longer, as it is generated by PayPal).

    Would you tell me how I can quickly create that self certificate?

    Thanks again.

    Edit: I think I managed to create one myself; I will try tomorrow.
  • ftornero Posts: 233 Member
    Hello @txeriff,

    At this link you can get a self-certificate in PFX format with the name PayPal2, like the image that I just created.

    https://www.dropbox.com/s/ff1lyptz2f2p7vr/PayPal2.pfx?dl=1

    [Image: 8tzzcitl5s7f.png]


    Regards.
  • txeriff Posts: 279 Member
    edited 2019-05-28
    Hi ftornero.

    Thanks again for your help. I was missing your certificate password.

    Anyway, I tried to make my own. Surprisingly, the "NotAfter" parameter does not work on Windows Server 2012!
    E.g.:
    New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
    -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $([datetime]::now.AddYears(5))


    I tried to create it on my computer, export it and import it into the server. It said the certificate was not valid.

    In the end, what worked was the following, which I created yesterday:

    New-SelfSignedCertificate -DnsName <Computer name> -CertStoreLocation "cert:\LocalMachine\My"

    It's a 2-year cert but... I think I won't try to change anything now.

    and then I point to it:

    WinHttp.SetClientCertificate('LOCAL_MACHINE\MY\localhost');
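
An added diagnostic, not code from either poster: SetClientCertificate takes a selector of the form LOCATION\STORE\Subject (defaulting to CURRENT_USER\MY) and selects by certificate subject rather than friendly name, so this PowerShell function resolves the selectors used in the thread and reports whether the account running it can open the private key. The function name and the substring matching rule are assumptions; it needs .NET Framework 4.6 or later and checks RSA keys only.

```powershell
# Added example: resolve a SetClientCertificate selector against the store.
# Run it in a session started as the account the NAS service runs under.
function Test-WinHttpClientCertSelector {
    param([Parameter(Mandatory)][string]$Selector)

    # Documented defaults when only a subject is given: CURRENT_USER and MY.
    $location = 'CURRENT_USER'; $store = 'MY'; $subject = $Selector
    $parts = $Selector -split '\\', 3
    if ($parts.Count -eq 3) { $location, $store, $subject = $parts }
    elseif ($parts.Count -eq 2) { throw 'Use LOCATION\STORE\Subject: a store needs a location.' }

    $root = switch ($location.ToUpper()) {
        'CURRENT_USER'  { 'Cert:\CurrentUser' }
        'LOCAL_MACHINE' { 'Cert:\LocalMachine' }
        default         { throw "Unsupported location '$location'." }
    }

    # Assumption: matching is approximated as a case-insensitive substring
    # test on Subject. FriendlyName is reported only for comparison.
    $needle = [regex]::Escape($subject)
    Get-ChildItem -Path "$root\$store" |
        Where-Object { $_.Subject -match $needle } |
        ForEach-Object {
            $keyUsable = $false
            if ($_.HasPrivateKey) {
                try {
                    # Opening the key fails (or yields nothing) when this account cannot read it.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
                    $keyUsable = $null -ne $rsa
                } catch { $keyUsable = $false }
            }
            [pscustomobject]@{
                Account       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                Store         = "$location\$store"
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                KeyUsable     = $keyUsable
            }
        }
}

# The two selectors tried in the thread; no output means no subject matched.
Test-WinHttpClientCertSelector 'LOCAL_MACHINE\MY\localhost' | Format-List
Test-WinHttpClientCertSelector 'SANDCERT' | Format-List
```

A row with HasPrivateKey true but KeyUsable false points at the private key's permissions for that account rather than at the certificate's location.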

  • ftornero Posts: 233 Member
    Sorry @txeriff,

    The password is [email protected]
  • txeriff Posts: 279 Member
    edited 2019-05-28
    Hi again ftornero,

    It seems your cert does not work for me. The following works:
    [Image: tvcsos53691f.png]

    Now I'm not sure whether I created it or it was already there, because the other ones I tried to create don't say IIS Express in the friendly name. This sounds more like a Visual Studio project created it.

    Edit:

    maybe this could be useful

    https://stackoverflow.com/questions/19338395/how-do-you-use-winhttp-to-do-ssl-with-a-self-signed-cert

    SECURITY_FLAG_IGNORE_UNKNOWN_CA |
    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
    SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;

    There is a property in the automation called option. Perhaps this could skip the headache. I can't test now but I will.


    https://docs.microsoft.com/en-us/windows/desktop/winhttp/option-flags

    SECURITY_FLAG_IGNORE_CERT_CN_INVALID
  • txeriff Posts: 279 Member
    edited 2019-05-28
    Now I think it does not work at all. I removed that certificate and added it again (by export); now it does not find any of them.
    I also tried
    winHTTP.Option(4,'0x3300');

    https://www.autoitscript.com/forum/topic/196243-winhttpwinhttprequest51-certificate-error/
    Oh god...
    Any ideas?

    The call to member Send failed. WinHttp.WinHttpRequest returned the following message:
    The client certificate credentials were not recognized.
  • txeriff Posts: 279 Member
    OK, I guess I found the only way to make it work, at least for me:

    cd C:\Program Files (x86)\IIS Express
    IisExpressAdminCmd.exe setupsslUrl -url:https://localhost:8080/ -UseSelfSigned

    Then, use the certificate called "localhost".

    It only seems to work via IIS Express.
    Winhttpcfg.exe does not work either.
  • kriki Posts: 8,768 Member, Moderator
    [Topic moved from 'NAV/Navision Classic Client' forum to 'NAV Three Tier' forum]

    Regards, Alain Krikilion