Hi there,

A common example of system integration is to call the REST API of another service by sending an HTTP request from Questetra BPM Suite.

In such cases, an HTTP request is sent by using either of the following

on the Questetra side.

In many cases OAuth2 is used for authentication.
Although OAuth2 has several grant types, if the Authorization Code grant type is used, Questetra can support it just by configuring some settings.

In this article I will describe how to set up OAuth2.

* Some Service Task definitions (Add-on XML) do not send HTTP requests; they only convert data. Also, in some cases methods other than OAuth are used for authentication.

* Other OAuth2 grant types can sometimes be handled by using a Script Task. For cases where the grant type is client_credentials or password, there are corresponding examples in the following article.
Related article: Calling the trendy “Mastodon” API and Twitter API from Cloud BPM
1: Overview of the procedure
2: Preparation on the side of partner service to be invoked
3: Settings on the invoking side (Questetra)
4: Settings in Questetra for invoking API
5: Summary

1: Overview of the procedure

The overview of the settings procedure is as follows.

  • Preparation on the side of partner service to be invoked
    Setting up using Questetra’s Callback URL, obtaining a Client ID and Secret
  • Settings on the invoking side (Questetra)
    Setting up using the endpoint URL of the partner service and Client ID and Secret that have been obtained, obtaining a token
  • Settings in Questetra for invoking API
    Setting up using the OAuth token that has been obtained

2: Preparation on the side of partner service to be invoked

On the side of the partner service to be invoked, the client must be registered in advance (sometimes referred to as App registration).

In this case, Questetra’s “callback URL” is required (sometimes referred to as the “redirect URI”).

  • In a paid environment
    -> https://s.questetra.net/oauth2callback
  • In a free environment (Starter Plan)
    -> https://f.questetra.net/oauth2callback

* In the case of a free environment that was built quite a while ago, it might be https://fs.questetra.net/oauth2callback. You can confirm it on the OAuth setting screen which I’m going to mention later.

When you complete the registration, the Client ID and Client Secret are displayed; make a note of them (they may be called Consumer Key or APP ID / Client Secret Code or Consumer Secret, etc.).

3: Settings on the invoking side (Questetra)

First, open the OAuth settings screen in one of the following ways. (The same screen will be displayed regardless.)

  • Select OAuth 2.0 Setting in the ▼ App drop-down menu on the App detail screen
  • In the Header tab on the properties screen of the Throwing Message Intermediate Event (HTTP) select OAuth2 in the Authorization Header field, and click the OAuth2 Setting button that appears

Click on the [Add] button to open the details settings screen. (You can confirm the Callback URL in this screen.)

Enter each item and click on [Save].

Item name and value:

  • Config Name
    Can be any name you want. To be used for designation later.
  • Authorization Endpoint URL, Token Endpoint URL
    Enter by referring to the manuals of the partner service.
  • Scope
    It depends on the partner service and the calling API. There are cases where it is not specified. Separate with a space in case of multiple names.
  • Client ID, Consumer Secret
    Enter the aforementioned notes you made when registering to the partner service.

Once you have saved the settings, click on the “Get token” button. If the token is acquired successfully, the settings are working. If you are successful you will see the following display.
If you get an error here, please check whether any settings are incomplete. If the settings are all correct, it is possible that Questetra is not capable of supporting it, so please contact us. (Error details may not be displayed in the current specification.)
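
As an added example (not part of the original article and not Questetra's own code), the JavaScript below shows how the items saved on this screen map onto the two requests of the Authorization Code grant, and the checks made when the partner service redirects back to the callback URL. The partner.example endpoints, the client values and the function names are assumptions made for illustration.

```javascript
// Constructed placeholder values; the callback URL is the paid-environment one.
const config = {
  authorizationEndpoint: "https://partner.example/oauth2/authorize",
  tokenEndpoint: "https://partner.example/oauth2/token",
  scope: "read write", // multiple scopes are separated by a space
  clientId: "CLIENT_ID_PLACEHOLDER",
  clientSecret: "CLIENT_SECRET_PLACEHOLDER",
  callbackUrl: "https://s.questetra.net/oauth2callback",
};

// Request 1: the browser is sent to the Authorization Endpoint URL.
function buildAuthorizationUrl(cfg, state) {
  const url = new URL(cfg.authorizationEndpoint);
  if (url.protocol !== "https:") throw new Error("authorization endpoint must use https");
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", cfg.clientId);
  url.searchParams.set("redirect_uri", cfg.callbackUrl);
  if (cfg.scope) url.searchParams.set("scope", cfg.scope);
  url.searchParams.set("state", state); // unguessable per-attempt value
  return url.toString();
}

// The partner service redirects back to the callback URL with ?code=...&state=...
function readCallback(requestUrl, cfg, expectedState) {
  const url = new URL(requestUrl);
  if (url.origin + url.pathname !== cfg.callbackUrl) throw new Error("unexpected callback URL");
  const error = url.searchParams.get("error");
  if (error) throw new Error("authorization failed: " + error);
  if (url.searchParams.get("state") !== expectedState) throw new Error("state mismatch");
  const code = url.searchParams.get("code");
  if (!code) throw new Error("authorization code missing");
  return code;
}

// Request 2: the code is exchanged at the Token Endpoint URL, server to server.
// Assumption: the secret goes in the form body; some services expect HTTP Basic.
function buildTokenRequest(cfg, code) {
  if (new URL(cfg.tokenEndpoint).protocol !== "https:") throw new Error("token endpoint must use https");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code: code,
    redirect_uri: cfg.callbackUrl, // must equal the value sent in request 1
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return { method: "POST", url: cfg.tokenEndpoint, headers: headers, body: body.toString() };
}
```

A callback URL that differs from the one registered with the partner service (for example the free-environment URL against a paid-environment registration) is rejected by readCallback, which mirrors the exact-match check a partner service applies to redirect_uri.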

* There are a few past articles which describe setting methods of OAuth2 with particular partner services. Please refer to these.

Incidentally, the settings on the Google side are not only for Sheets, but are a consolidated console to deal with various APIs, so it is a little confusing. Please be aware of that.

In addition, Questetra itself is also capable of being the side where the API is invoked. Please refer to the following manual for details.
Related manual: M317: Controlling OAuth2 Authorization Access and Basic Authentication Access from External
In other words, you can invoke Questetra’s own API from Questetra using OAuth.

* Please note that the endpoint URL may be changed according to the version upgrade, etc. of the partner service.
At present (as of Ver. 11.8.2), the endpoint URL is automatically inserted for Google and Force.com by the pull-down menu at the top of Questetra’s OAuth detail settings screen. However, it seems that Google has changed to a new URL. (Even with the old URL it will work without problems. Also, it seems that the schedule for stopping the old URL is undecided at this moment.)

Related article: Google oAuth 2.0 new authorization and token endpoint (stack overflow)

4: Settings in Questetra for invoking API

The OAuth token obtained above is used by specifying the following.

  • Throwing Message Intermediate Event (HTTP)
    In the Header tab, select OAuth2 in the Authorization Header field.
  • Script Task
    You can use the following. (While checking the manual you should refer to the source code of the published Service Task definition (Add-on XML).)

    // Pass the Config Name saved on the OAuth 2.0 Setting screen as a string
    var token = httpClient.getOAuth2Token("XXX_OAuth Config Name_XXX");

  • Service Task definition (Add-on XML)
    Specify in OAuth2 Setting Name, etc. (The config item name is just an example as it depends on the specification of the Service Task definition (Add-on XML).)

* OAuth configuration is required for each Workflow App respectively.
Please note that even if you copy the workflow App you also need to configure it in the newly duplicated App. However, since the callback URL is the same you can also use the same Client ID and Secret. Please judge for yourself whether doing so is appropriate.

5: Summary

Do you now understand how to set up OAuth2?
Although there are some difficult parts, they are necessary to connect with various services, so I hope you will take the time to learn them.

If you have any questions, please feel free to contact us through the inquiry form.
