b2ihealthcare/snow-owl

Add the capability to provide an authentication token as a query parameter (MS PowerQuery compatibility)

colin-e-nhsd opened this issue · 2 comments

colin-e-nhsd commented

Background
I have been experimenting with using Microsoft Powerquery in Excel as a client via the RESTful interface to extract and report on SnowOwl data.

I started off using Basic Auth which worked as expected, however when I switched to trying to use an access token instead, I hit a problem. It took quite a bit of web searching to identify the problem.

It appears-

  • SnowOwl currently only supports access tokens via an "Authorization" HTTP header.
  • Excel/Powerquery's built-in keystore solution will only deliver a token via a query parameter

Thus the two can't talk.

Preferred Solution
While this problem is basically caused by a limitation of Powerquery, the likelihood of persuading Microsoft to change their capabilities in a hurry seem low. Therefore it would be beneficial if SnowOwl could have the capability to accept auth tokens in the query string OR in an http header.

Workaround
It is possible to insert the token header directly into the query generated by Powerquery using M language code. I have tested this and it works. However this is not ideal solution as it means the access token is visible in the M source code, rather than being stored in the Excel/PQ keystore.

Other info
If the feature is added in a future version of SnowOwl I can offer to help with testing from an Excel client.

cmark commented

Hi @colin-e-nhsd,

Sorry for my late reply here. It is possible to provide an authentication token via a query parameter named token.

Example:

GET /snomed-ct/v3/SNOMEDCT/concepts?token=your-auth-token

Feel free to test it out when you have the time.
I'm going to close the ticket now, but if you find something is not working feel free to reopen it.

Cheers,
Mark

apeteri commented

Do note that web server access logs, browser history, caching proxies and possibly other components in the request chain might retain a copy of your access token if it is passed in via a query parameter. While request headers are not exempt from logging either, the URL is more likely to be retained in its entirety.