BizTalk 2016: How to use HTTP Send adapter with API token

Question

I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:

string apiUrl = "https://api.site.com/endpoint/<method>?";
        string dateFormat = "dateFormat = 2017-05-01T00:00:00";

        using (var client = new HttpClient())
        {

            client.DefaultRequestHeaders.Add("token", "<token>");
            client.DefaultRequestHeaders.Add("Accept", "application/json");

            string finalurl = apiUrl + dateFormat;
            HttpResponseMessage resp = await client.GetAsync(finalurl);
            if (resp.IsSuccessStatusCode)
            {
                string result = await resp.Content.ReadAsStringAsync();
                var rootresult = JsonConvert.DeserializeObject<jobList>(result);
                return rootresult;

            }
            else
            {
                return null;
            }
        }

however I want to use BizTalk to make the call and handle the response.

I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.

Does anyone know how this might be done in the wcf-http send adapter?

Answer 1

Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.

One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.

Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.

You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication

Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!

Answer 2

Figured it out. I should have used the 'Certificate' for client credential type.

I just had to:

1. Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
2. Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
3. I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).

I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).