Solved: Question about accessToken for CI-using WebEx site

nick.mueller · ‎03-15-2018

Hello,

I am looking for some documentation as to how to retrieve an accessToken for a Common Identity site as described in the AuthenticateUser section of the XML API reference: https://developer.cisco.com/site/webex-developer/develop-test/xml-api/xml-api-reference/

Separately, but related, I am curious as to whether a "Partner Administrator," who is not a member of a Customer's Spark Org, can use the XML API with WebEx sites that use CI and are attached to a Customer's Spark Org.

Thanks

NPM

nmorrow · ‎03-15-2018

CI site authentication is detailed below. Partner Delegated Authentication (a global application specificl SSO configuration for multiple WebEx sites) will also work with CI sites. I am not aware of any backdoor admin access for CI sites.

Meeting Service API authentication for Cisco Spark with WebEx.

Log in to developer.ciscospark.com.

Click My Apps

Create a new app with spark:all scope selected (Existing app is ok)

- Set Redirect URL to valid URL that you control, this will be used to provide authorization code via GET variable
- Save generated Client ID and Client Secret

Issue HTTP GET request to https://api.ciscospark.com/v1/authorize

- response_type=code
- client_id=<your Client ID>
- redirect_uri = <your redirect URL from registered application, it must match>
- scope=spark:all
- state=<custom state value of your choosing for identification or tracking, optional>

Spark page will prompt user to authorize application, if approved, user will be redirected to redirect uri with a code and the previously set state value as GET variables, save the code

Issue HTTP POST request to https://api.ciscospark.com/v1/access_token

- grant_type=authorization_code
- client_id=<your Client ID>
- client_secret=<your Client Secret>
- code=<the previously returned code>
- redirect_uri=<your redirect URL from registered application, it must match>

JSON data will be returned in the response body, save the access_token value.

Issue XML API AuthenticateUser request

- securityContext should contain webExID and siteName
- webExID should match the email address for the spark user (webExID is not actually used for authenticateUser and is ignored but schema requires a value, any non-null value will work, email address for authenticated user is a best practice)
- siteName is the subdomain of the WebEx site
- bodyContent will include one child element named accessToken, which should be set to the previously returned access_token

returned sessionTicket will be used in the security context for subsequent XML API requests.

View solution in original post

nmorrow · ‎03-15-2018

CI site authentication is detailed below. Partner Delegated Authentication (a global application specificl SSO configuration for multiple WebEx sites) will also work with CI sites. I am not aware of any backdoor admin access for CI sites.

Meeting Service API authentication for Cisco Spark with WebEx.

Log in to developer.ciscospark.com.

Click My Apps

Create a new app with spark:all scope selected (Existing app is ok)

- Set Redirect URL to valid URL that you control, this will be used to provide authorization code via GET variable
- Save generated Client ID and Client Secret

Issue HTTP GET request to https://api.ciscospark.com/v1/authorize

- response_type=code
- client_id=<your Client ID>
- redirect_uri = <your redirect URL from registered application, it must match>
- scope=spark:all
- state=<custom state value of your choosing for identification or tracking, optional>

Spark page will prompt user to authorize application, if approved, user will be redirected to redirect uri with a code and the previously set state value as GET variables, save the code

Issue HTTP POST request to https://api.ciscospark.com/v1/access_token

- grant_type=authorization_code
- client_id=<your Client ID>
- client_secret=<your Client Secret>
- code=<the previously returned code>
- redirect_uri=<your redirect URL from registered application, it must match>

JSON data will be returned in the response body, save the access_token value.

Issue XML API AuthenticateUser request

- securityContext should contain webExID and siteName
- webExID should match the email address for the spark user (webExID is not actually used for authenticateUser and is ignored but schema requires a value, any non-null value will work, email address for authenticated user is a best practice)
- siteName is the subdomain of the WebEx site
- bodyContent will include one child element named accessToken, which should be set to the previously returned access_token

returned sessionTicket will be used in the security context for subsequent XML API requests.

nick.mueller · ‎03-15-2018

Thank you.

WHere can I find documentation on the setup of partner delegated Authentication for CI WebEx sites?

npm

nmorrow · ‎03-15-2018

Hello,

PDA is not specific to CI sites, it can be used on both CI and traditional WebEx sites, whether SSO is configured or not. I am not able to easily paste our reference material here, as format is altered and links stripped, however you may email webex-meetings-api-dev@cisco.com to request the guide in Doc format. The basic config is just a matter of submitting a provisioning request to create the new SSO config, including the SSL certificate, IdP ID, SP ID, NameID Format, AuthContextClassRef, a unique name to identify the configuration, and a list of WebEx sites to link to this SSO configuration. This is mostly the same as our standard site SSO, but in a global sense so must be managed by provisioning instead of in Site Admin or Spark Control Hub. The end result is an application specific SSO config for authenticating API requests.

nick.mueller · ‎03-20-2018

One more question Nathan/Cisco: are the methods described above also valid for NBR API?

nmorrow · ‎03-20-2018

Hello,

NBR API is strictly limited to site admin username and password at this time. This will not work with SSO or CI authentication method until this behavior is addressed. CI sites that have not yet configured SSO can use NBR API in the meantime, with their login email address and password.