
Introduction to TUM wbservicesbasic API

Motivation

The TUM wbservicesbasic service can be used by clients to access information stored in the TUM Campus System, also referred to as TUMonline (see webpage here), which is the campus management system used by the Technical University of Munich.

As it appears, however, this resource is mainly used as an interface between the TUM Campus App (TCA) and the TUMonline infrastructure.

There is little to no documentation about this API available to the public, as it seems after various attempts to find resources on this API using internet searches. The system itself seems to be interesting for e.g. the validation of the student status of a TUM member. Other widely used approaches using a university-assigned email address such as the tum.de or mytum.de domain fail to verify the actual status of a TUM member and only prove university membership. As it seems, alumni can also continue using these mail addresses after exmatriculation. So this commonly used approach fails to meet its aim completely.

With little publicly available information, this small documentation of the API is mainly based on the TCA source code as well as the responses of the API's error handling and a set of wild guesses. Please note that this may not be an encompassing documentation of the API, and the usage of the service in applications other than the TCA may not be intended or endorsed. Extensive or even abusive use of the service may lead to a shutdown of the service or - when external usage is not intended - implementation of (additional) authorisation methods.

The TUM Campus Management system

The campus management system TUMonline is a service based on CAMPUSonline developed by the TUGraz. However, the API may be a development by the TUM itself - for example to satisfy the needs of the TCA - as I couldn't find further documentation on the website of TUGraz.

The system is hosted in two instances:

  • Official TUMonline as used by students (and the TCA) on campus.tum.de
  • campusquality.tum.de; I'm a bit quizzed about this... TCA uses it as an API test server for development, but it is also possible to log in at the webpage using the normal (not-mock) TUM credentials. It seems like a clone of campus.tum.de as the services provided seem to be the same, but data like the results for exams seems to be DELAYED. It may be interesting to look further into this domain as it also provides the API (I've not tested yet if API returns are also based on the old/delayed data). TL;DR: May be a test and fallback instance of the main service.

The corresponding API baseURLs are https://campus.tum.de/tumonline/ and https://campusquality.tum.de/QSYSTEM_TUM/.

The API

Request type

All explored endpoints accept GET requests. You can simply paste the URLs into your browser.

Return type

XML

Basepath

The baseURLs https://campus.tum.de/tumonline/ and https://campusquality.tum.de/QSYSTEM_TUM/ will be referred to as <base> in the following sections. This documentation will cover endpoints from the wbservicesbasic route.

How to get authenticated: requestToken

The Request:

<base>/wbservicesbasic.requestToken?pUsername=<username>&pTokenName=<String>

  • <username> can be replaced either by a valid personal LRZ ID (de: LRZ Kennung) or the user's primary (TUM issued?) email address. I also have a bunch of other email addresses associated with my account, but it only worked with my primary. This was in my case a @tum.de address. It does not work with the redirection address.
  • <String> can be replaced by any string. Out of interest, I tried a JS injection here, but the website is properly sanitizing this input.
  • This endpoint is rate limited (or this was a reaction to my JS injection attempt ;) ). I got the error message Request-Rate überschritten - später versuchen (requestToken)

The return of a valid request is a 32 character alphanumeric token (shown token is anonymized) together with the note that the token needs to be activated by the user.

<token>E108235FXXXXXXXXB2E432D4XXXXXXXX</token><!--
 Token ist inaktiv, muss über TUMonline oder Email aktiviert werden! 
-->

The user will get an email notice about the creation of the token. When activating it, the user can set 5 permissions for the token:

  • calendar
  • lectures
  • examination results
  • status of student fees
  • personal identification features (name and ID)

Not authenticated requests

Endpoints that require an activated token return this error message when a wrong token is provided. Translated, it means "invalid token":

<error><message>Token ist ungültig!</message></error>

When the user has not yet activated the token, the error message is the following, meaning "Token not confirmed":

<error><message>Token ist nicht bestätigt!</message></error>

When the token is activated but the required permission is not set, the error message looks like this. It means "No rights for function id" (as it was a request to wbservicesbasic.id). This error may look different when another permission is needed but was not granted by the user:

<error><message>Keine Rechte für Funktion "id"</message></error>
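
The three error bodies above map onto distinct token states that a client should tell apart before it trusts a response. The following is an added example, not code from the TCA or from TUM; the names TokenState, classify and redact_token are hypothetical, and it assumes the rate-limit text quoted earlier is delivered in the same <error> envelope.

```python
import re
import xml.etree.ElementTree as ET
from enum import Enum

class TokenState(Enum):
    OK = "ok"
    INVALID = "invalid token"
    UNCONFIRMED = "token not activated by the user"
    NO_PERMISSION = "permission not granted"
    RATE_LIMITED = "rate limited"
    UNKNOWN_ERROR = "unrecognised error"

_NO_RIGHTS = re.compile(r'^Keine Rechte für Funktion "(?P<func>[^"]+)"$')

def classify(xml_text):
    """Return (TokenState, detail) for one wbservicesbasic response body."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # The documented responses never carry a DTD; refuse rather than expand entities.
        raise ValueError("unexpected DTD in response")
    root = ET.fromstring(xml_text)
    if root.tag != "error":
        return TokenState.OK, root
    msg = (root.findtext("message") or "").strip()
    if msg == "Token ist ungültig!":
        return TokenState.INVALID, msg
    if msg == "Token ist nicht bestätigt!":
        return TokenState.UNCONFIRMED, msg
    m = _NO_RIGHTS.match(msg)
    if m:
        return TokenState.NO_PERMISSION, m.group("func")
    if msg.startswith("Request-Rate überschritten"):
        # Assumption: the page quotes only the text, not the envelope it came in.
        return TokenState.RATE_LIMITED, msg
    return TokenState.UNKNOWN_ERROR, msg

def redact_token(url):
    """Mask pToken before logging a request URL; the token travels in the query string."""
    return re.sub(r"(pToken=)[^&]+", r"\1<redacted>", url)

# Constructed samples: the error bodies quoted on this page and a trimmed rowset.
SAMPLES = {
    "invalid": "<error><message>Token ist ungültig!</message></error>",
    "unconfirmed": "<error><message>Token ist nicht bestätigt!</message></error>",
    "no_rights": '<error><message>Keine Rechte für Funktion "id"</message></error>',
    "ok": "<rowset><row><kennung>gXXXXXf</kennung></row></rowset>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body)[0].name)
```

Treating UNCONFIRMED and NO_PERMISSION separately lets an application ask the user for the specific missing step instead of requesting a new token.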

wbservicesbasic.id

<base>/wbservicesbasic.id?pToken=<token>

  • using a valid, activated token

<rowset>
  <row>
    <kennung>gXXXXXf</kennung>
    <vorname>ZXXXo</vorname>
    <familienname>SXXXd</familienname>
    <obfuscated_id>6*4CF48A1046XXXXXX</obfuscated_id>
    <obfuscated_ids>
      <studierende>5*730461CEDCXXXXXX</studierende>
      <bedienstete>3*C6126CE488XXXXXX</bedienstete>
      <extern>6*4CF48A1046XXXXXX</extern>
    </obfuscated_ids>
  </row>
</rowset>

Examination results with wbservicesbasic.noten

<base>/wbservicesbasic.noten?pToken=<token>

Returns a rowset like this:

<rowset>
  ...
  <row>
    <pv_kand_nr isnull="true"/>
    <datum>20XX-XX-XX</datum>
    <lv_nummer>WZ3010-2</lv_nummer>
    <lv_semester>XXS</lv_semester>
    <lv_titel>Grundlagen der XXXXXX</lv_titel>
    <pruefer_nachname>XXXXXX</pruefer_nachname>
    <uninotenamekurz>2,0</uninotenamekurz>
    <exam_typ_name>FA</exam_typ_name>
    <modus>Schriftlich</modus>
    <studienidentifikator>16XX 17 8XX</studienidentifikator>
    <studienbezeichnung>XXXXXX</studienbezeichnung>
    <st_studium_nr>926XXX</st_studium_nr>
    <lv_credits isnull="true"/>
  </row>
  ...
</rowset>

Search for persons wbservicesbasic.personenSuche

<base>/wbservicesbasic.personenSuche?pToken=<token>&pSuche=<String>

  • with a <String> as your query

Returns a rowset:

<rowset>
  ...
  <row>
    <vorname>ZXXo</vorname>
    <familienname>SXXXd</familienname>
    <titel>B.Sc.</titel>
    <nr>3XXXX6</nr>
    <geschlecht>M</geschlecht>
    <obfuscated_id>6*4CF48A1046XXXXXX</obfuscated_id>
    <bild_url isnull="true"/>
  </row>
  ...
</rowset>

A query without results returns an empty rowset:

<rowset>
</rowset>

Person details wbservicesbasic.personenDetails

<base>/wbservicesbasic.personenDetails?pToken=<token>&pIdentNr=<query>

  • with obfuscated_id or one of the obfuscated_ids from wbservicesbasic.id or from the search wbservicesbasic.personenSuche as <query>
  • also works with the nr from wbservicesbasic.personenSuche as <query>

Fee status wbservicesbasic.studienbeitragsstatus

<base>/wbservicesbasic.studienbeitragsstatus?pToken=<token>

<rowset>
  <row>
    <soll>0</soll>
    <frist>2019-02-15</frist>
    <semester_bezeichnung>Sommersemester 2019</semester_bezeichnung>
    <semester_id>19S</semester_id>
  </row>
</rowset>

Sources

https://raw.githubusercontent.com/TUM-Dev/Campus-Android/b2e6cf82fabd51a7909ec91f4ce7938be0d97f42/app/src/main/java/de/tum/in/tumcampusapp/api/tumonline/TUMOnlineAPIService.kt
