Article ID: 118502, created on Nov 7, 2013, last review on Aug 18, 2015

  • Applies to:
  • APS 2.x

Symptoms

I have a property with encrypted attribute but cannot get the value from my custom UI, access is allowed to the service I'm trying to get it from:

"access": {
  "owner": true,
  "admin": true,
  "referrer": true
}

Cause

Since POA 5.5.2 it is not possible to get value of an encrypted property from custom UI: secure information should not be sent in plain text since it can be easily extracted using a debugger.

Encrypted properties are signified by:

@encrypted

tag in PHP runtime code. Some built-in types (like service users) have encrypted properties as well (passwords).

Resolution

Application back-end can still get values of all properties when authenticating with application certificate. Using a certificate is crucial to get these properties decrypted. In essence, it is not a problem of owner, admin or referrer access, but a problem of type of authorization.

Example

Your application's resources are provided to POA service users (your resource has a relation to service user in other words) and you need to know the password of a service user. If your application uses the PHP runtime library:

....
// imagine your resource has a link to service user called 'user'
   /**
     * @link("http://aps-standard.org/types/core/service-user/1.0")
     * @required
     */
    public $user;
....

// from backend, we can fetch encrypted properties of the user object, including password
public function provision() {
    ...
    $apsc = \APS\Request::getController();
    $user = $apsc->getResource($this->user->aps->id); // here the $user variable contains full representation of user object, including encrypted fields like passwords
    $password = $user->password // now I can access the user's password
    $password = $this->user->password // or without fetching with getResource
    ...
}

Note: For testing purposes, you can query APS bus with application instance token (pem.APS.getApplicationInstanceToken OA API method) and it will be effectively the same as authorizing via certificate. You will be able to see encrypted properties in this case.

Search Words

token

access

password

encrypted

property

authorization

certificate

70bf700e0cdb9d7211df2595ef7276ab 717db81efe94e616312b74fb03a5d474

Email subscription for changes to this article
Save as PDF