Invoking Liferay JSON web service remotely.Invoking Liferay JSON web service remotely.https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1198419022026-04-05T23:48:17Z2026-04-05T23:48:17ZRE: Invoking Liferay JSON web service remotely.Vishnu S Kumarhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1198691942020-08-31T08:13:49Z2020-08-31T08:13:49ZThanks, David. Please correct me if I'm doing it wrong. <br /><br />To enable the Token-based SSO, I followed the Liferay <a href="https://help.liferay.com/hc/en-us/articles/360018175391-Token-based-Single-Sign-On-Authentication">docs </a>and configured it inside the s<em>ystem-settings -> foundation -> token-based SSO</em>. I configured it to use the request header with the name TEST_TOKEN.<br /><br />To make the guest API, I configured the service and method under SYNC_DEFAULT in the service access policies.<br /><br />Now, If I call the JSON web service from the postman, using the TEST_TOKEN header, it is supposed the reach at the AutoLogin pipeline class right. But It's not working instead it's calling the API without any security. Is this the correct way to make the guest API? Vishnu S Kumar2020-08-31T08:13:49ZRE: Invoking Liferay JSON web service remotely.David H Nebingerhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1198422512020-08-26T17:58:25Z2020-08-26T17:58:25Z<div class="quote-title">Vishnu S Kumar:</div><blockquote><br />I need to validate it against an external User store.</blockquote><br /><br />Just so you know, all users in Liferay must be real Liferay users. You can't auth a user in a 3rd party system and not have them exist as a Liferay user. So first thing you need to do is figure out how to handle user import into Liferay.<br /><br /><br />For authentication, take a look at the Token Based Authentication support already part of Liferay. It can use a cookie or a header for authentication purposes, but not a param. Params are not normally part of an incoming request because those are typically tied to the method being invoked, so these are two separate concerns.<br /><br /><br />You could, of course, completely fake it. Make the API a guest API so no authentication to invoke at all. Then your token can be part of the request because internally you'd need to complete your external auth lookup. From Liferay's perspective though, all of this would be guest access so no way to audit or anything using typical Liferay mechanisms.David H Nebinger2020-08-26T17:58:25ZInvoking Liferay JSON web service remotely.Vishnu S Kumarhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1198419012020-08-26T16:13:14Z2020-08-26T16:13:14ZThe service builder created a simple remote and local services. I want to invoke the remote service from the postman and customize the authentication process, for ex: using an auth pipeline. How to do that? When invoking the remote service, I need to pass-in an auth token and I need to validate it against an external User store.Vishnu S Kumar2020-08-26T16:13:14Z