Integration via API and user permissions

Steve Jorgensen
Steve Jorgensen Member Posts: 8
I am working out a strategy for integrating our product (Web application) with Jama. It is likely that we will want to support accessing Jama data on behalf of any user who has access to both our system and Jama and enforce the same permission constraints that would apply to the user working directly in Jama. I'm not sure what the best strategy would be for that.

Looking at the API documentation, I don't see that there is any way that a system could be authenticated to Jama under a service account and execute requests as if made with the permissions of a particular user. That's not a common feature for any API to provide, so I would have actually been surprised if I had found it.

The next idea that comes to my mind is one that seems like it would be awkward for customers to use. Each user would enter their Jama credentials into their user profile in our system. For several reasons, they should not enter their Jama password to our system though and should enter a token instead. That means every user would first have to create an API token in Jama.

My next thought is to wonder whether something cleaner could be done by having users sign into both apps using the same account through a common SSO authentication provider. It doesn't look like that is an option, though. Jama's REST API supports OAuth2, but its Web UI does not.

Has anyone else dealt with this same kind of requirement, and how have you addressed it?

------------------------------
Steve Jorgensen
Cliosoft
OR
------------------------------

Comments

  • Steve Jorgensen
    Steve Jorgensen Member Posts: 8
    edited February 2023

    What would be great to see in this regard is the ability to use a request header to impersonate a particular user. The request would then be processed in the context of the intersection of the API user's permissions and those of the impersonated user.

    Of course, it would be better still if the user could be signed into Jama's Web UI via OIDC (OAuth2) to provide a way for both systems to be sure they are using the same identifications for the same users.

    ------------------------------
    Steve Jorgensen
    Cliosoft
    OR
    ------------------------------
  • Steve Jorgensen
    Steve Jorgensen Member Posts: 8
    edited February 2023

    Thanks to a friend of mine, I just learned of an article (Delegation Patterns for OAuth 2.0 using Token Exchange) pointing to a relevant RFC (RFC 8693).



    ------------------------------
    Steve Jorgensen
    Cliosoft
    OR
    ------------------------------
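As an added illustration (not code from the thread, from Jama, or from Cliosoft) of the two ideas above, here is a minimal model of the RFC 8693 delegation pattern the second comment points to, combined with the "intersection of permissions" rule from the first comment: the integration service presents its own token as the actor and the user's token as the subject, and the token endpoint issues a delegated token only if the actor is explicitly allowed to act for that user, with a scope no broader than either party's. The token store, scope names and the `token_exchange` endpoint are constructed for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlencode, parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

@dataclass(frozen=True)
class TokenInfo:
    subject: str                          # principal the token represents
    scopes: frozenset                     # what the token may do
    may_act_for: frozenset = frozenset()  # actor tokens only: subjects it may act for

# Constructed token store standing in for the authorization server's state.
TOKENS = {
    "user-tok-alice": TokenInfo("alice", frozenset({"items:read", "items:write"})),
    "user-tok-carol": TokenInfo("carol", frozenset({"items:read"})),
    "svc-tok-integration": TokenInfo("integration-svc", frozenset({"items:read"}),
                                     may_act_for=frozenset({"alice", "bob"})),
}

def build_exchange_request(subject_token: str, actor_token: str) -> str:
    """Form body of an RFC 8693 delegation request: user acted for, service acting."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": actor_token,
        "actor_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    })

def token_exchange(body: str) -> dict:
    """Hypothetical token endpoint. The delegated token's scope is the intersection
    of the subject's and the actor's scopes, so it is never broader than either."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    subject = TOKENS.get(form.get("subject_token", ""))
    actor = TOKENS.get(form.get("actor_token", ""))
    if subject is None or actor is None:
        return {"error": "invalid_grant"}
    # Delegation needs an explicit grant: this actor must be allowed to act for this subject.
    if subject.subject not in actor.may_act_for:
        return {"error": "invalid_grant", "error_description": "actor not authorised for subject"}
    return {
        "access_token": f"delegated:{subject.subject}:via:{actor.subject}",
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "scope": " ".join(sorted(subject.scopes & actor.scopes)),
    }
```

A resource server receiving the delegated token can then enforce the narrowed scope, which is the effect the per-user API-token approach was meant to achieve without each user handing a long-lived token to the integrating system.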