Problems and Questions Migrating Mobile App from OnAPI to Sky

Hi. 

I'm currently in the process of migrating a mobile app we built about 3 years ago that allows users to access the mySchoolApp directory via an iOS or Android native app.

The app would allow a school constituent to log into the app and then search for users, see list views of users based on their grade or fac/staff status, and navigate through users by navigating their relationships a little.

Simply put, it replicates and adds a little functionality to mySchoolApp's built-in people finder functionality.


Previously, a user would enter a username and password and we would authenticate them by sending a `POST` request to the onAPI authentication endpoint for a token. We would then use that token for subsequent requests.


I'm working on migrating the login mechanism to SKY's app authorization requirements with OAuth2, and I'm running into a couple problems. 

1. Despite access to the environment, I'm getting an error using a test user when they authenticate via the authorization endpoint.
We have correctly created an application, and an admin on the organization's side has connected the app to an "environment" (I put that in quotes, because I'm not sure what that is on their side and I suspect there are some additional configs that might be the cause of the issue I'm running into). 

I have a user that I use to log into the mySchoolApp site for the org that has Platform Manager and Web Services API Manager roles, that I am going to test the authorization with.

 

To test the authorization flow (I'm trying out the implicit flow), I've gone to the BB authorization flow site and logged in through Google, but instead of redirecting to the callback url I passed in with the params (which I've configured on the application as well), I get the following error screen:



Google helped me to this FAQ: https://developer.blackbaud.com/skyapi/docs/authorization/common-auth-issues which has a number of error screens like this one, but not this exact one. So I'm wondering, can someone tell me what I should be doing to resolve this issue? How does a user get access to a SKY API enabled Blackbaud product? What must we do to configure that?




2. I think the answer to the first question will determine a good deal about my second question, which is pretty basic. I noticed that when I went to the authorization login url, when I tried to put in another user, specifically a user that does not have an email address in the system but is basically an account we use as a service account, (the account id in the picture is not the actual service account) the form tells me it wants a user with a domain like email ending.






It also tells me that I have to use Google login




which makes it hard to understand how I might use a service account that has no email with SKY API. What do I need to know / where can I find more info about authenticating users and authorizing my app to access their data? Will all of the users who use my app need some configuration on the organization side that allows for the app to access specific SKY APIs on that user's behalf? Where can I find that documentation? Will every user need an email/login -- I'm seeing a bunch of stuff about Blackbaud ID, but I'm not sure users in the mySchoolApp app use Blackbaud ID to log in to the mySchoolApp -- is that required for users who would authorize for SKY API? Is the premise of this app compatible with SKY API?


Thanks for your help. I'm excited to get this migration out of the way, since SKY is clearly a much more secure way to authorize applications and data access. I'm just hoping someone out there can point me to some answers because right now I'm blocked. 


Thanks!

Sheamus

Comments

  • Hello

    We encountered a very similar roadblock and also have an app that allows users to look up address information.

    So the easiest way I found that works is to go to Core, Security, Authentication Settings, then on SSO Settings.

    There should be a unique name for your app. For example let's just call it AnExampleDirectory. The Directory_App will have a unique url where it lives. For example, /app/sso/auth/AnExampleDirectory. Note: you'll have your site url so the complete url would be https://"your site".myschoolapp.com/app/sso/auth/AnExampleDirectory. Make a copy of this url.

    Then click on edit. You should see a Redirect URL. For this example let's just call it https://www.theredirectURL.com. Make a copy of this url.

    Now in the iOS and/or Android developer app, on the first initial load, you'll want to load in https://"your site".myschoolapp.com/app/sso/auth/AnExampleDirectory. For the iOS you can use the WKWebViewController object and for Android you can use the WebView object.
    The Blackbaud login page will load up on a browser; but note that the browser is embedded in the application. The browser will not have the address bar or buttons to navigate, which is fine because all you need to do is authenticate a user. Blackbaud will handle all the authentication for you.

    Remember the Redirect URL you copied? In our example, https://www.theredirectURL.com.
    When a user is authenticated they will be directed to that Redirect URL. How does this play into authentication? Well, if a user reaches the Redirect URL then you know they've passed the site url (the 1st url you copied). If a user doesn't authenticate they never get to the Redirect URL in the first place.

    From there you can close out the browser and present whatever home page of the app you want. For iOS the WKWebViewController object has delegates that automatically look for any url you want. For me, I just had the delegate look for when the Redirect URL is reached.

    The delegate handles monitoring any url changes automatically; so if https://"your site".myschoolapp.com/app/sso/auth/AnExampleDirectory is the current url == display login screen. If the current url is anything else == display login (this will occur because when authenticating through Google there will be a series of urls. You can step through this when you set a string object and step through the process). If https://www.theredirectURL.com is the current url == close browser and go into home page of app. When you get to the Redirect URL you can see that there's a token assigned. Again, step through the process, maybe set a string to capture the url token or just capture the whole url and you'll notice it there.

    For Android you can use the WebView object, but I'm still figuring out how to do the listening (equivalent to a delegate in iOS).

    Sorry if this response is late but the iOS app is something that we've actually solved a few weeks ago.

    Hope this helps.
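
The URL check described in the comment above, as an added Swift example (not code from either poster or from Blackbaud): a `WKNavigationDelegate` that keeps the login web view up until the exact Redirect URL is reached, comparing scheme, host, port and path rather than a string prefix. The host `yoursite`, the `token` query parameter name and the `LoginWatcher`/`classify` names are assumptions for illustration.

```swift
import Foundation
import WebKit

// Placeholders from the comment's example, not real endpoints.
// Load ssoStart in the web view first: webView.load(URLRequest(url: ssoStart))
let ssoStart = URL(string: "https://yoursite.myschoolapp.com/app/sso/auth/AnExampleDirectory")!
let redirect = URL(string: "https://www.theredirectURL.com")!

enum LoginStep: Equatable {
    case inProgress                 // start URL or an identity-provider hop: keep the web view up
    case finished(token: String?)   // exact Redirect URL reached
}

/// Compare scheme, host and port exactly. A string-prefix test would also accept
/// "https://www.theredirectURL.com.other.example/".
func sameOrigin(_ a: URL, _ b: URL) -> Bool {
    return a.scheme?.lowercased() == b.scheme?.lowercased()
        && a.host?.lowercased() == b.host?.lowercased()
        && a.port == b.port
}

func classify(_ url: URL, tokenParameter: String = "token") -> LoginStep {
    let path = url.path.isEmpty ? "/" : url.path
    let expectedPath = redirect.path.isEmpty ? "/" : redirect.path
    guard sameOrigin(url, redirect), path == expectedPath else { return .inProgress }
    // "token" is a hypothetical parameter name; inspect the real redirect to see what it carries.
    let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems
    return .finished(token: items?.first(where: { $0.name == tokenParameter })?.value)
}

final class LoginWatcher: NSObject, WKNavigationDelegate {
    var onFinished: ((String?) -> Void)?

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              case .finished(let token) = classify(url) else {
            decisionHandler(.allow)   // still signing in
            return
        }
        decisionHandler(.cancel)      // no need to load the Redirect URL itself
        onFinished?(token)            // dismiss the web view and show the app's home screen
    }
}
```

Assign an instance of `LoginWatcher` to the web view's `navigationDelegate` and keep a strong reference to it, since that property is weak.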