Precisely Enterworks

  • 1.  REST API

    Posted 04-14-2021 14:14
    We're leveraging the Enterworks API for the first time and ran into a security concern. As per the Swagger, the username and password are passed as query parameters to obtain a token.
    e.g. /enable-api/login?login=Username&password=Password

    Normally with OAuth, the token endpoint is called with the username and password in the body, which is much more secure. Is this an option?

    Similarly, once the token is obtained, the Swagger indicates the Bearer token is passed in the URL and not in the Auth section.
    e.g. /webcm/rest/api/items?repositoryId=123&Authorization= BearerABCDEFGHIJK

    Is the option to pass the username, password and token in the body/auth section possible?

    ------------------------------
    Sidd Shenoy | Sr Dir Enterprise Master Data
    Thomson Reuters Corporation | (646) 540-2371
    ------------------------------
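
Added example (not part of the original post and not Precisely's code): request URLs are commonly written to web server and proxy access logs, so credentials sent as query parameters can end up stored there. The sketch below scans access-log lines for the `password` and `Authorization` query parameters shown in the two URLs above and redacts their values. The log layout, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names taken from the two URLs quoted in the post.
SENSITIVE_PARAMS = {"password", "authorization"}

# Constructed access-log lines (not real traffic); the log layout is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2021:14:14:01 +0000] "GET /enable-api/login?login=Username&password=Password HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Apr/2021:14:14:02 +0000] "GET /webcm/rest/api/items?repositoryId=123&Authorization=BearerABCDEFGHIJK HTTP/1.1" 200 2048',
    '10.0.0.9 - - [14/Apr/2021:14:15:10 +0000] "GET /webcm/rest/api/items?repositoryId=123 HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, sorted list of sensitive parameter names found)."""
    parts = urlsplit(target)
    found = set()
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.add(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan(lines):
    """Redact each line's request target; report which lines carried secrets."""
    cleaned, findings = [], []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            target, found = redact_target(m.group("target"))
            if found:
                # Only rewrite lines that actually carried a sensitive parameter.
                findings.append((lineno, found))
                line = line[:m.start("target")] + target + line[m.end("target"):]
        cleaned.append(line)
    return cleaned, findings

if __name__ == "__main__":
    cleaned, findings = scan(SAMPLE_LOG)
    for lineno, names in findings:
        print(f"line {lineno}: credential in query string: {', '.join(names)}")
    print("\n".join(cleaned))
```
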


  • 2.  RE: REST API

    Employee
    Posted 04-16-2021 02:17
    Sidd,

    According to Product Engineering, the user name and password have been moved to the headers in 10.2.1 and 10.3, which presumably means the password is no longer exposed.  Are you using a version prior to 10.2.1?

    -Brian

    ------------------------------
    Brian Zupke | Senior Technical Support Engineer
    Winshuttle North America | 9099009179
    ------------------------------



  • 3.  RE: REST API

    Posted 04-16-2021 10:29
    Thanks Brian. We have access to 10.1 and 10.3 and see the same behavior in both. Does the team have an updated set of Postman examples that we can refer to that goes along with the change made in 10.3?

    ------------------------------
    Sidd Shenoy | Sr Dir Enterprise Master Data
    Thomson Reuters Corporation | (646) 540-2371
    ------------------------------



  • 4.  RE: REST API

    Posted 04-23-2021 19:30
    And is there an option to send the credentials as 'Grant Type' = 'Client Credentials' instead of 'Password'?

    ------------------------------
    Sidd Shenoy | Sr Dir Enterprise Master Data
    Thomson Reuters Corporation | (646) 540-2371
    ------------------------------



  • 5.  RE: REST API

    Employee
    Posted 04-24-2021 16:19
    Sidd,

    There currently is not such an option.  If you feel this is greatly desired, I recommend you submit a Zendesk ticket requesting it and an Improvement Request Jira ticket can be submitted to Product Engineering.  It may help for you to provide some example use cases and the rationale for supporting an alternative method for connecting.

    -Brian

    ------------------------------
    Brian Zupke | Senior Technical Support Engineer
    Winshuttle North America |
    ------------------------------