
RDP Authentication Flow with two applications

Hello,

I have the following scenario: I have two registered applications in the EDP API, for the production and QA environments. Separately, when the process in production is active, we do not have any problem with the login and refresh token, but when we activate the QA environment process with the other app key, the login is OK, but in both environments, at the moment that we want to refresh the token with the following headers

    params.add(new BasicNameValuePair("client_id", "myid"));
    params.add(new BasicNameValuePair("username", "myusername"));
    params.add(new BasicNameValuePair("grant_type", "refresh_token"));
    params.add(new BasicNameValuePair("refresh_token", refreshToken));

I got

Login Rejected. Authentication token not provided.


After that error, we try again to refresh the token; after five attempts, the login is called again, without refreshing the token, to get a new one.

This is the complete code for authentication

    params.add(new BasicNameValuePair("client_id", Singleton.getInstance().getRdpApplicationId()));
    params.add(new BasicNameValuePair("username", Singleton.getInstance().getRDPUser()));

    // login for first time
    if (refreshToken == null) {
        params.add(new BasicNameValuePair("password", Singleton.getInstance().getRDPPassword()));
        params.add(new BasicNameValuePair("grant_type", "password"));
        params.add(new BasicNameValuePair("takeExclusiveSignOnControl", "true"));
    } else {
        // refresh token every 5 minutes
        params.add(new BasicNameValuePair("grant_type", "refresh_token"));
        params.add(new BasicNameValuePair("refresh_token", refreshToken));
    }

    httppost.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));


I'm wondering if something is missing, or whether the header takeExclusiveSignOnControl works so as to maintain only one login no matter what app key I use, affecting the other login in a different environment. Or what is the correct way to handle this authentication flow with two environments at the same time?

**The processes run in separate environments


Thanks



Accepted

Hi @isanchez

The 'client_id', or App Key, does not control permissions but rather identifies an application. It is the 'username' that controls permissions, and it is for this ID that the authentication system presently only allows 1 active session.

If you disable the 'takeExclusiveSignOnControl', i.e. false, you will not be able to authenticate any additional instances while you have one already running with the same 'username'. The only way around this is to use a different username.


Hello @nick.zincone.1

We asked our account manager and he told us the feature of this product is "Each ID supports up to 5 concurrent connections. Customers may want to split their subscriptions over more than 1 connection for performance, administrative or legacy reason"

Therefore I want to clarify the params that I send to the login:

client_id -> APP KEY generated by environment (different in QA and production)

username -> MachineID (same in both environments)

password -> Password created for the MachineID (same in both environments)

Thanks.


@isanchez

It is true that an ID can support up to 5 concurrent connections into the streaming server, but only supports 1 active session into the RDP authentication system. If you run a single application, you first retrieve the authentication tokens. Once you have the access token, you can use this to form up to 5 connections into a streaming server using the same access token. That is what it is referring to when it states 5 concurrent connections. However, if you run the 2nd application, the authentication server detects your session count == 1 (max) and the 2nd application "steals" the session and as a result, the 1st application will fail to refresh its token.

The only real way around this is to request a second Machine ID.
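
The session rule described in the replies above, as a small in-memory Java model added here for illustration; it is not Refinitiv's code and not part of the original posts. The class and method names, app keys and Machine IDs are hypothetical placeholders, and the model encodes only what the replies state: one active session per username, with the App Key playing no part in that limit.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Toy model of the rule stated in the replies; hypothetical names, not the RDP service's code.
public class SingleSessionModel {
    // username -> refresh token of the single active session for that username
    private final Map<String, String> activeSession = new HashMap<>();

    // Password grant. clientId (App Key) only identifies the app and is ignored by the limit.
    String login(String clientId, String username, boolean takeExclusiveSignOnControl) {
        if (activeSession.containsKey(username) && !takeExclusiveSignOnControl) {
            throw new IllegalStateException("session already active for " + username);
        }
        String refreshToken = UUID.randomUUID().toString();
        activeSession.put(username, refreshToken); // replaces any earlier session
        return refreshToken;
    }

    // Refresh grant: accepted only while the caller still owns the username's session.
    boolean refresh(String username, String refreshToken) {
        return refreshToken.equals(activeSession.get(username));
    }

    public static void main(String[] args) {
        SingleSessionModel auth = new SingleSessionModel();
        String machineId = "MACHINE-ID-1"; // constructed placeholder, shared by both environments

        String prod = auth.login("prod-app-key", machineId, true);
        System.out.println("prod refresh, QA not started: " + auth.refresh(machineId, prod));

        String qa = auth.login("qa-app-key", machineId, true); // second login takes the session
        System.out.println("prod refresh, QA logged in:   " + auth.refresh(machineId, prod));

        // The question's fallback (password login after failed refreshes) takes it back from QA.
        prod = auth.login("prod-app-key", machineId, true);
        System.out.println("qa refresh, prod re-logged:   " + auth.refresh(machineId, qa));

        try { // with the flag false, the second instance cannot log in at all
            auth.login("qa-app-key", machineId, false);
        } catch (IllegalStateException e) {
            System.out.println("qa login, flag=false:         " + e.getMessage());
        }

        // Remedy from the replies: a second Machine ID gives QA its own session.
        String qa2 = auth.login("qa-app-key", "MACHINE-ID-2", true);
        System.out.println("separate IDs, both refresh:   "
                + (auth.refresh(machineId, prod) && auth.refresh("MACHINE-ID-2", qa2)));
    }
}
```

Run it with `java SingleSessionModel.java`; the two environments keep taking the session from each other until each has its own Machine ID.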


Hi @isanchez

Are you using the same 'username' for both applications? Also, is the same application running in both environments?

If you plan to run the applications simultaneously using the same username, I would suggest you reach out to your account manager and explain what you are trying to do, and request a 2nd username ID. Presently, the authentication system only allows 1 active session for a given username ID. If you attempt to run simultaneous applications and have set 'takeExclusiveSignOnControl' to true, the 2nd application that starts will steal control of the session. That is, after the 2nd application takes exclusive control, once the 1st application attempts to refresh its access token, it will fail.


Hello @nick.zincone.1

The username is the same in both environments and the client_id is different; we have an app key for QA and another for Production.

Yes, the connector is the same version in both environments; only the configuration changes for which app key it needs to use.

If I set the header takeExclusiveSignOnControl to false, will I have the same result using different APP KEYs?

Thanks in advance
