Settings when Calling REST API of Another Service from Questetra (Questetra to be OAuth2 client)

Hi, there.

Calling the REST API of another service by sending an HTTP request from Questetra is one of the most common forms of system integration.

In such a case, an HTTP request is sent by using either of

on the Questetra side.

In many cases, OAuth2 is used for authentication.
OAuth2 has several grant types; if the grant type is Authorization Code, you can handle it with settings on the Questetra side alone.

In this article, I will describe how to set up OAuth2.

* “Service Task definition (Add-on XML)” is not only for sending HTTP requests; there are also ones for converting data. Also, in some cases, methods other than OAuth are used for authentication.
* For other OAuth2 grant types, settings alone are not enough, but in some cases you can handle them by using a Script Task. For the cases where the grant type is client_credentials or password, the following article has examples.
Related article: Calling the trendy “Mastodon” API and Twitter API from Cloud BPM
1: Overview of the procedure
2: Preparation on the side of partner service to be invoked
3: Settings on the side of invoking (Questetra)
4: Settings in Questetra for invoking API
5: Closing

1: Overview of the procedure

The setup procedure is outlined below.

  • Preparation on the side of partner service to be invoked
    Register Questetra’s Callback URL and obtain a Client ID and Secret
  • Settings on the side of invoking (Questetra)
    Set the endpoint URLs of the partner service and the Client ID and Secret you obtained, then obtain a token
  • Settings in Questetra for invoking API
    Configure the API call to use the OAuth token you obtained

2: Preparation on the side of partner service to be invoked

On the side of the partner service to be invoked, Questetra must be registered as a client in advance. (This is sometimes referred to as “App registration” etc.)

For that registration, Questetra’s “callback URL” is required. (It is sometimes referred to as “redirect URI”.)

  • In a paid environment
  • In a free environment (Starter Plan)
* In the case of a free environment that has been built quite a while ago, it might be You can confirm it on the OAuth setting screen which I’m going to mention later.

When you complete the registration, the “Client ID” and “Client Secret” are displayed, so make a note of them. (The Client ID may also be called “Consumer Key” or “APP ID” etc., and the Client Secret may be called “Client Secret Code” or “Consumer Secret” etc.)

3: Settings on the side of invoking (Questetra)

First, open the OAuth setting screen in one of the following ways. (The same screen is displayed either way.)

  • “OAuth 2.0 setting” in the “▼ App” drop-down menu on the App detail screen
  • “Set up OAuth 2.0 from here” button in “Security/Custom Header” tab on the property screen of “Throwing Message Intermediate Event (HTTP)”

Click the [add] button to open the details setting screen. (You can confirm the “Callback URL” on this screen.)

Fill in each item and click [Save].

| Item name | Value |
|---|---|
| Config Name | (Any setting name you like. It is used later to refer to this setting.) |
| Authorization Endpoint URL, Token Endpoint URL | Enter by referring to the manuals of the partner service. |
| Scope | It depends on the partner service and the API to invoke. There are cases where it is not specified. Separate multiple names with spaces. |
| Client ID, Consumer Secret | Enter the values you noted when registering with the partner service. |

Once you have saved the settings, click the “Get token” button. If the token is acquired successfully, the setup is complete, and you will see the following display.
If you get an error here, please check whether any setting is incomplete. If you find nothing wrong even after checking the settings thoroughly, it is also possible that Questetra is not capable of it in the first place, so please contact us. (Error details may not be displayed in the current specification.)
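
How the items in the table above map onto the standard OAuth 2.0 authorization-code exchange (RFC 6749), as an added example that is not Questetra's own code. The endpoint URLs, callback URL, client ID and secret, and all function names are constructed placeholders.

```javascript
// Added example; every URL, ID and function name here is a constructed placeholder.
const crypto = require("crypto");

const config = {
  authorizationEndpoint: "https://partner.example.com/oauth2/authorize",
  tokenEndpoint: "https://partner.example.com/oauth2/token",
  scope: "files.read files.write",          // multiple names, space-separated
  clientId: "EXAMPLE_CLIENT_ID",
  clientSecret: "EXAMPLE_CLIENT_SECRET",    // sent only to the token endpoint
  callbackUrl: "https://workflow.example.com/oauth2callback",
};

// A fresh, unguessable state value for each authorization attempt.
const newState = () => crypto.randomBytes(16).toString("hex");

// Step 1: URL the user's browser is sent to at the partner service.
function buildAuthorizationUrl(cfg, state) {
  const url = new URL(cfg.authorizationEndpoint);
  if (url.protocol !== "https:") throw new Error("authorization endpoint must be https");
  const q = { response_type: "code", client_id: cfg.clientId, redirect_uri: cfg.callbackUrl, state };
  if (cfg.scope) q.scope = cfg.scope;       // scope may be left unspecified
  url.search = new URLSearchParams(q).toString();
  return url.toString();
}

// Step 2: the partner redirects back to the callback URL. Accept the code only
// if no error was reported and the state matches the one issued in step 1.
function readCallback(requestUrl, expectedState) {
  const params = new URL(requestUrl).searchParams;
  if (params.has("error")) throw new Error("authorization failed: " + params.get("error"));
  const got = Buffer.from(params.get("state") || "");
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code;
}

// Step 3: form body POSTed to the token endpoint to trade the code for a token.
function buildTokenRequestBody(cfg, code) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: cfg.callbackUrl,          // identical to the value used in step 1
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,        // some services expect HTTP Basic instead
  }).toString();
}
```

A callback URL that does not exactly match the one registered with the partner service, or a scope the service does not recognize, typically makes step 1 fail before any token is issued.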

* There are a few past articles that describe how to set up OAuth2 with particular partner services. Please refer to them.

Incidentally, the settings on the Google side are not made in a screen for Sheets alone but in a consolidated console that deals with various APIs, so it is a little confusing. Please keep that in mind.

In addition, Questetra itself can also be the side whose API is invoked. Please refer to the following manual for details.
Related manual: M317: Controlling OAuth2 Authorization Access and Basic Authentication Access from External
In other words, you can invoke Questetra’s own API from Questetra using OAuth.

* Please note that the endpoint URL may change with version upgrades etc. of the partner service.
At present (as of Ver. 11.8.2), the endpoint URL is automatically inserted for Google and by the pull-down at the top of Questetra’s OAuth detail setting screen. However, it seems that Google has now changed to a new URL. (The old URL still works without problems, and it seems that no schedule for stopping the old URL has been decided at this moment.)

Related article: Google oAuth 2.0 new authorization and token endpoint (stack overflow)

4: Settings in Questetra for invoking API

The OAuth token obtained above is used by specifying it in each of the following, respectively.

  • “Throwing Message Intermediate Event (HTTP)”
    Specify at “Connect with OAuth 2.0” on the “Security/Custom Header” tab.
  • “Script Task”
    You can use it as follows. (While checking the manual, it is a good idea to also refer to the source code of the published Service Task definitions (Add-on XML).)

    // Pass the “Config Name” of the OAuth 2.0 setting as a string.
    var token = httpClient.getOAuth2Token("XXX_OAuth Config Name_XXX");
  • “Service Task definition (Add-on XML)”
    Specify at “OAuth2 Setting Name” etc. (The config item name is just an example as it depends on the specification of the Service Task definition (Add-on XML).)
* The OAuth setting is required for each Workflow App individually.
Please note that even if you copy a Workflow App, you need to configure it again in the newly duplicated App. However, since the callback URL is the same, you can also use the same Client ID and Secret. Please judge for yourself whether doing so is acceptable.

5: Closing

I suppose you now understand how to set up OAuth2.
Although there are some difficult parts, they are necessary for connecting with various services. I hope you will learn it by all means.

If you have any questions, please feel free to contact us through the inquiry form.
