
Authentication to REST APIs not served from OTAG

Posted Feb 18 by Ferdinand Prantl.
Updated Feb 18.

A JavaScript application running on AppWorks has access to the otagtoken and can perform AJAX requests to REST APIs served from the same origin. How about communicating with other REST APIs and enjoying SSO coming from the initial login to AppWorks?

Let's say that I'd like to access the CS REST API. I can authenticate using OTCSTicket, OTDSTicket and MYSAPSSO2 headers, or by Basic Authentication. None of those authorization tokens are available in AppWorks, am I right?

  1. Is there an AppWorks-integration CS module with a login callback accepting the otagtoken? Like the OTDS integration module does for the OTDSTicket and MYSAPSSO2 token. If it is, I'd just send the otagtoken to authorize the requests.

  2. If the OTDS integration is turned on, is the OTDSTicket available from within the app? If it is, I'd just use it to authorize the requests.

  3. If I configure OTAG as a reverse proxy to access my CS, can I deploy a custom filter to the proxy? I wonder how feasible it'd be to add a CS-specific authorization header (OTCSTicket) based on the otagtoken I'd send from the app. The requests would be authorized by OTAG on behalf of the user logged in to OTAG in the app.

Developing all APIs to be deployed on OTAG only is probably unrealistic. The OTAG proxy component is a good start to avoid CORS problems and to overcome firewalls. How about the SSO now?

4 Answers

BEST ANSWER: As chosen by the author.


From what I can gather then, you need to use the OTDS REST API to get a ticket from OTDS directly?


In my case, I used the POST /authentication/credentials to get an OTDS ticket and then re-use that through all my subsequent requests!

Hope this helps
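
The flow described in the answer above, as an added example that is not part of the original post and is not OpenText code: one POST to /authentication/credentials, then the ticket is reused in the OTDSTicket header. The class name, base URLs and the JSON field names `userName`, `password` and `ticket` are assumptions; the ticket is kept in memory and attached only to HTTPS requests for the configured CS origin.

```javascript
// Added example. Hypothetical names: OtdsSession, otdsBase, csBase.
// Assumed JSON fields: userName/password in the request, ticket in the reply.
class OtdsSession {
  constructor({ otdsBase, csBase, fetchImpl = (...a) => globalThis.fetch(...a) }) {
    this.otdsBase = otdsBase.replace(/\/+$/, "");
    this.csOrigin = new URL(csBase).origin; // only origin allowed to see the ticket
    this.fetchImpl = fetchImpl;
    this.ticket = null; // memory only: never localStorage, cookies or a URL
  }

  // One explicit login against OTDS: POST /authentication/credentials.
  async login(userName, password) {
    const res = await this.fetchImpl(`${this.otdsBase}/authentication/credentials`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ userName, password }),
    });
    if (!res.ok) throw new Error(`OTDS login failed: HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.ticket !== "string" || body.ticket === "") {
      throw new Error("OTDS response carried no ticket");
    }
    this.ticket = body.ticket;
  }

  // Build the auth header; refuse anything that is not the CS origin over HTTPS,
  // so a look-alike host or a downgraded URL never receives the SSO ticket.
  headersFor(url) {
    const target = new URL(url);
    if (target.protocol !== "https:") throw new Error("refusing non-HTTPS URL");
    if (target.origin !== this.csOrigin) {
      throw new Error(`refusing to send ticket to ${target.origin}`);
    }
    if (!this.ticket) throw new Error("not logged in");
    return { OTDSTicket: this.ticket };
  }

  // Reuse the ticket for every subsequent CS REST API request.
  async request(url, init = {}) {
    const headers = { ...(init.headers || {}), ...this.headersFor(url) };
    const res = await this.fetchImpl(url, { ...init, headers });
    if (res.status === 401) this.ticket = null; // rejected ticket: force a new login
    return res;
  }
}
```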



The otdsticket is available in your app. Note that it is an OTDS 10.5 SSO ticket, not compatible with CS10 (but compatible with CS10.5).


Thanks for your responses!

Jonathan, I'd like to avoid an explicit authentication call to OTDS, because I'd have to ask the user for their credentials. It'd defeat the purpose of having just single login - the AppWorks one.

John, this is great to learn about. Currently, the applications integrating the CS UI Widgets (the JavaScript component I was talking about) support also connecting to the CS 10.0 and to the CS without OTDS. However, it might be acceptable that the integration of the CS UI Widgets in AppWorks apps would mean limitation to the CS 10.5 only and only to the CS + OTDS. Such applications would be new and it's more likely that the customer would also use the newest CS version.

Sometimes it is difficult to develop a solution for the customer, when every product decides independently what minimum versions are supported. The compatibility matrix gets so complicated… I'd prefer some global strategy, like CS 10.0 is supported in general by all OT products or not. The CS REST API is supported on both CS 10.0 and 10.5 and that's why the CS UI Widgets integrations support both.


Is it documented somewhere how one gets the otdsticket from the AppWorks app? I searched through the posts on and was not able to find anything. Thanks.
