Using the Authorization url to get a token

Thomas Kroljic · May 2021

I'm having a hard time understanding the Documentation on using the SKY API. My goal is to have a process that downloads GIFT information nightly into one of our on-premise SQL Tables. In the past I've created .net VB CLR Stored Procedures that I can deploy to our SQL database and then execute from SQL in an automated way.

So far:

- I have ADMIN rights within our Blackbaud RaiserEdge environment.

- I've created a SKY Developers account

- I have a Primary and Secondary access key

- I've created a SKY app in the "My Applications" section and I can see the Application ID and Secret ID

- I've gone to the "Applications" page in Raisers Edge and added the app that I created in the previous step

Here's where the next step(s) confuse me. Not sure how to use the url https://oauth2.sky.blackbaud.com/authorization or the url https://oauth2.sky.blackbaud.com/token.

For the authorization URL do I just supply the Application ID and the Secret ID? Do I use my Primary Access Key?

Does this url then return a code that I use to get a Token?

Are there any clear examples of how to use the Authorization and Token URLs?

Thank you,

Thomas

Chris Rodgers · May 2021

Hi Thomas,

Have you been through our Authorization Code Flow tutorial? It should walk you through step by step, including how to build the requests to both the authorization and token endpoints.

Thomas Kroljic · May 2021

Chris,

Thank you very much for replying to my post.

I believe I went through this tutorial a few days ago. I'll revisit it again and go through it slowly this time.

One of my concerns is that I want to be able to set this process up so I can have it run unattended at night without any user interaction. I'm hoping that my logic just needs to supply the right access codes (subscription ID, Client ID, Secret ID) without a User entering in their credentials.
Is this possible?

Thank you,

Thomas

Chris Rodgers · May 2021

Hey Thomas,

We have a Headless data sync C# sample application that demonstrates a scheduled process that runs without any user interaction once it is configured. Part of this configuration will require that a user does a one-time authorization (OAuth 2.0, through the browser) of your application in order to obtain a Refresh Token (read more about refresh tokens). However, your C# code doesn't need to obtain this refresh token itself. There are tools like Postman that understand OAuth 2 and can be used to obtain a refresh token for you to plug into your automation (Postman OAuth 2.0 Example (image)). This sample assumes that you're running the application in the context of one user + Blackbaud environment. You should only go the Postman route if this is a Blackbaud user account that you control; otherwise, you'll need to ask another user to perform this OAuth step, which could expose both your application's credentials and their tokens... which we would not be in favor of, obviously. If you need to obtain authorization from another user, you'll need to create a web service that can handle that OAuth redirect to exchange the Authorization Code for a refresh token.

Alternatively, if you're looking for a more codeless approach to all of this, you may be able to leverage the Microsoft Power Platform to perform this automation instead.

Steven Cinquegrana · May 2021

Thomas‍ if you search the Community for "unattended authorization" you'll get quite a few hits for threads which address your authorization questions, eg this and this.

Cheers,

Steve Cinquegrana | CEO and Principal Developer | Protégé Solutions

Thomas Kroljic · May 2021

Steven,

Thanks for the information and replying to my post. I will definitely take a look at the two links you included and also do a search within the community for "unattended authorization".

I will probably come back with a few more questions once I read through this information, especially on how to get and retain "refresh" tokens.

Thank you,

Tom

Thomas Kroljic · May 2021

Chris,

Thank you for the detailed info and the links. I will take a look at the "Headless data sync C#" example and check out the Postman tool.

My process would be in the context of ONE user and One Blackbaud environment. This process/app would only be for my organization.

I work for a non-profit foodbank. We use RaisersEdge NXT. I am tasked with getting data from RE/NXT download to on-premise SQL tables so we can develop custom reports and visuals for various staff members.

Currently we have staff members in our Development group exporting data out or RE/NXT to csv files that I import into our SQL tables nightly. I am hoping to automate this process using the Blackbaud API.

If you think this is the wrong approach or if there is another way to automate this, I'd love to hear about it.

Thank you,

Tom

Paul Zimmerman · May 2021

Thomas-

The short answer is that, yes, you can use the SKY API for unattended scripts. (We do it quite frequently, in fact.) What you have to be aware of, though, is that the first run of the script will need human interaction in order to acquire the authorization token. Once that's cached locally the script can use it for future unattended operation.

Thomas Kroljic · May 2021

Paul,

Thanks for replying to my post. I'm trying to fully understand the process of getting a "refresh" token and then using that to get an access token.

I'll be going over all the comments today and reading up on several of the suggestions. I think if I can get through one or two examples I'll be more comfortable with this process. Right now I feel a little lost.

Tom

Steven Cinquegrana · May 2021

Paul Zimmerman:

... the first run of the script will need human interaction in order to acquire the authorization token. Once that's cached locally the script can use it for future unattended operation.

Thomas‍, although not common - and probably less common now due to improved back-end procedures - you do need to allow for the situation where manual re-authorization is required. This can happen in a number of ways, including server/network outage, corruption or unavailability of saved tokens, non-receipt of a new refresh token, etc. As I said, it's not common, but it's also not impossible. You can handle this in a number of ways, including email alerts to an admin who then re-authorizes. It's one of the downsides to oAuth over simpler authorizations schemes such as HTTP Basic Auth (IMHO).

Cheers, Steve

Thomas Kroljic · June 2021

Paul, thanks for comments. hope to do some testing this week after a long weekend.

Ben Regier · June 2021

Hi Thomas,

Chris mentioned Headless data sync options, and he also mentioned the Microsoft Power Platform as a low-code alternative. I've built solutions using both of these methods for my org. Like you, I found the authorization process for the Headless data sync to be a bit confusing at first, but I was able to work my way through it eventually and get our solution up and running. For me, the Authorization code flow tutorial was the key - I went through it slowly several times until it started to make sense.

Microsoft's Power Platform (specifically Power Automate) could also be a good solution for you. That would take care of all the authorization stuff behind the scenes, so all you would have to do is sign in once and Power Automate would handle the rest. Using Power Automate to save your gift data to an on-prem database would be fairly simple to build. You would need to install a gateway on the server that hosts your database, and you would need to pay for a premium subscription to Power Automate so that you'll have access to the premium connectors. I think nonprofit pricing is around $3/month.

Both approaches have strengths and weaknesses, but if you feel like you're spending too much time wrestling with OAuth, it might be worth looking at Power Automate.

Thomas Kroljic · June 2021

Ben, thank you for the information. I'd be interested to see examples of Power Automate downloading data from both the Gift and Constituent tables based on a date range or anything that is newly added.

We have all the appropriate licenses for Power Automate, including the Premium for SQL Server. I already have a Gateway up and running. We've been using Power BI for reporting against SSAS tabular Cubes and regular SQL tables.

I downloaded the SkyLib.Net this morning and ran the demo program. So at the point I have a "refresh" token and a Basic Auth Credentials.

Not sure how to use the "refresh" token to get access now.

if you can share a screen shot or two of your Power Automate flow that would be great.

My typing is one-handed and slow this morning as i broke my collar bone yesterday (lucky me). If i don't get back to you its due to me resting to alleviate the pain)

Thank you

Thomas

Ben Lambert · June 2021

Hi Thomas,

You might also want to take a look at a few recent webinars we published that illustrate how to use a tool like Postman to quickly get an access token (and a refresh token). Specifically, skip to around the 34:00 mark in this SKY Developer Deep Dive webinar:
https://event.on24.com/wcc/r/2698741/99DEF48533E9C8CC9918508EFA2C7415

I also presented similar content around the 25:10 mark in this How to Integrate with SKY API webinar
https://event.on24.com/wcc/r/2525984/DB154C7AB77F54E2E88342AB911AB6A4

(btw we will be adding links to those webinars and more in the SKY Developer portal in the near future)

Thomas Kroljic · June 2021

Ben, thank you for the links. i did watch the videos from the times you suggested. it's still not fully clicking in my head.

I downloaded the SkyLib.net library and ran the demo program after inputting all the appropriate values.

I was able to use the Access token that SkyLib provided in my VB,Net code to also query the Constituent table.

Now I’m trying to run my own code to refresh the Access Token but I keep receiving the following message: “The remote server returned an error: (400) Bad Request System.

Below is three different code snippets in vb.net. all three receive the same error message that I listed above. If some can tell me what I’m doing wrong or what is it that I am missing, that would be great.

Dim callString As String

Dim Vol_list As String

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

callString = "https://oauth2.sky.blackbaud.com/token?grant_type=authorization_code

&code=98bbe5bcc5f6426xxxxxxxx4791cd7&redirect_uri=https://www.philabundance.org"

Dim uri As New Uri(callString)

'make HTTP request

Dim Request As HttpWebRequest = HttpWebRequest.Create(uri)

Request.Headers.Add("client_id", "my client id data")

Request.Headers.Add("client_secret", "my client secret data")

Request.ContentType = "application/x-www-form-urlencoded"

Request.ContentLength = 0

'get HTTP response

Dim Response As HttpWebResponse = Request.GetResponse

I also tried this code:

Dim callString As String

Dim Vol_list As String

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

callString = "https://oauth2.sky.blackbaud.com/token?grant_type=authorization_code

&code=refresh token value &redirect_uri=https://www.philabundance.org"

Dim uri As New Uri(callString)

'make HTTP request

Dim Request As HttpWebRequest = HttpWebRequest.Create(uri)

Request.Method = "POST"

Request.Headers.Add("Authorization", "Basic NjYzZjk2ZDEtYzYzMS00ZTlkLWJhM2YtMThmMDAxOWY5NDY3OlJMbGIzK2ZEbDVZSXhrUllHQ3N0clBKVUdyMFBJRlduUm0wbjFBSk9CTGs9")

Request.ContentType = "application/x-www-form-urlencoded"

Request.ContentLength = 0

'get HTTP response

Dim Response As HttpWebResponse = Request.GetResponse

I also tried this code:

Dim strResp As String = ""

Try

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

Dim grantType As String = "authorization_code"

Dim postData As String = "grant_type=refresh_token&client_id=663f96d1-c631-4e9d-ba3f-xxxxxxxxx

&client_secret=RLlb3+fDl5YIxkxxxxxxxxxPIFWnRm0n1AJOBLk=

&redirect_uri=https://www.philabundance.org

&code=98bbe5bcc5f6426e9c64xxxxxxxxxx"

Dim byteReq() As Byte = Encoding.UTF8.GetBytes(postData)

Dim objReq As WebRequest = WebRequest.Create("https://oauth2.sky.blackbaud.com/token")

objReq.Method = "POST"

objReq.ContentLength = byteReq.Length

objReq.ContentType = "application/x-www-form-urlencoded"

Dim OutStream As IO.Stream = objReq.GetRequestStream()

OutStream.Write(byteReq, 0, byteReq.Length)

OutStream.Close()

Dim objResp As WebResponse = objReq.GetResponse() 'This is where it keeps erroring out with a 400 response.

Dim sr As New IO.StreamReader(objResp.GetResponseStream(), Encoding.UTF8, True)

strResp = sr.ReadToEnd()

sr.Close()

objResp.GetResponseStream().Close()

objResp.Close()

Catch ex As System.Net.WebException

Throw New ArgumentException("Error SendRequest: " + ex.Message + " " + ex.Source)

End Try

Nathan Wells · June 2021

Ben Lambert‍ It would be great to link to these webinars in the Getting Started Sky API Documentation https://developer.blackbaud.com/skyapi/docs/getting-started. Would have saved me a bunch of time.

Ben Lambert · June 2021

Thanks for the feedback Nathan, duly noted (and 100% agree). We have several webinars that we should provide easy links to from the SKY Developer portal (they are, IMO, not easily locatable from their current locations). We'll get this content added to the developer portal pronto!

Ben Regier · June 2021

Hi Thomas,

Both the Constituent list and the Gift list actions in Power Automate have filters for date added and date modified. There's no date range functionality, though you can do additional filtering within PA itself.

Thomas Kroljic · June 2021

Ben,

thank you for the screen shots (info) on using Power Automate. i ended up using the SkyLib.net library to get the appropriate refresh and access tokens whick I then store in a SQL Table. For my process I only need to run this once a night.

Immediately after getting the access token I have several SQL stored (built from vb.net CLR) that i can execute to retrieve data (ex: all new gifts added ) from our RaiserEdge NXT database in the cloud.

I will look at the Power Automate option as this may be helpful for other reporting needs.

Thomas

Using the Authorization url to get a token

Comments

Categories