...

In other words, you should only turn subscription off if you intend to allow anonymous access to your APIs, or if you configure the API Gateway to authenticate using some other means (see Setting up API Gateway for information).

Available Authentication Methods

API-Key

API-Key is the simplest form of authentication: your API Partner Applications have one or more API keys defined for them, and any one of those keys identifies that API Partner Application as the caller. Note that this API key should be treated as a secret password, which it essentially is.

Client Credentials / Basic Authentication

By enabling basic authentication, you enable your API Partner Applications to authenticate by providing their client_id and client_secret as userid/password using Basic Authentication. Note that, as usual, you should ensure in the Ceptor Gateway that only https/encrypted connections are used.

...

If you enable SSL/TLS Client Certificate, any client certificate presented is authenticated for this API call. This certificate must then match one of the configured certificates for an API Partner Application.

Bearer Authentication

This enables authentication using a bearer token, that is, an access token issued earlier using OpenID Connect / OAuth2.

OAuth2 Authentication

Essentially the same as bearer authentication, but provides the OAuth2 authorize and token URLs in the OpenID Configuration, and allows specifying which scopes to require.

OpenID Connect Authentication

Again, almost the same as OAuth2 authentication, but exposes the OpenID Connect configuration metadata URL in the OpenAPI definition - that URL is usually https://www.yourorganisation.com/.well-known/openid-configuration

...

You can find more information and an example in the online help.

Using Other Forms of Authentication

Note: Other options are available

Note that the options above affect what is published in the OpenAPI definition for your API. If authentication has not already been done when your API is about to be called, they also affect which authentication methods will be attempted, provided the proper credentials are supplied.

But with Ceptor this is not your only option - you can secure your APIs any way you want, using e.g. SPNEGO / Kerberos or other means of authentication, if you just set it up in the API Gateway - see Setting up API Gateway for details.

...

Script which can do custom authorization - the script must return true or false.
See Plugins - AuthorizationScript for an example.

Overriding Security per Operation

It is possible to override the settings for each individual operation - in that case, just check the override box for the operation you want to override the settings for:

...
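
As an added example (not Ceptor code or output): a small Python check that reads a published OpenAPI 3 definition and reports operations that end up callable anonymously, whether through the API-level setting or a per-operation override, along with server URLs that are not https. The sample definition, its scheme names and the X-API-Key header name are constructed for illustration; only the openid-configuration URL is taken from the text above.

```python
import json

# Constructed OpenAPI 3 definition for illustration; not Ceptor output.
SAMPLE = json.loads("""
{"openapi": "3.0.3",
 "servers": [{"url": "https://api.example.com/v1"},
             {"url": "http://api.example.com/v1"}],
 "components": {"securitySchemes": {
   "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
   "basic":  {"type": "http", "scheme": "basic"},
   "oidc":   {"type": "openIdConnect", "openIdConnectUrl":
      "https://www.yourorganisation.com/.well-known/openid-configuration"}}},
 "security": [{"apiKey": []}],
 "paths": {
   "/orders":  {"get": {}, "post": {"security": [{"oidc": ["orders.write"]}]}},
   "/status":  {"get": {"security": []}},
   "/reports": {"get": {"security": [{"mtls": []}]}}}}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def audit(spec):
    """Return (kind, detail) findings for a parsed OpenAPI 3 definition."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    # API keys, client secrets and bearer tokens travel with every call,
    # so every published server URL should be https.
    for server in spec.get("servers", []):
        if not server.get("url", "").startswith("https://"):
            findings.append(("cleartext-server", server.get("url")))
    default = spec.get("security")  # API-level requirement, None if absent
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # A "security" key on the operation overrides the API-level one.
            reqs = op["security"] if "security" in op else default
            name = f"{method.upper()} {path}"
            if not reqs or {} in reqs:  # missing, [] or optional ({}) = anonymous
                findings.append(("anonymous", name))
                continue
            for scheme in (s for req in reqs for s in req):
                if scheme not in schemes:
                    findings.append(("undefined-scheme", f"{name}: {scheme}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind:18} {detail}")
```

An "anonymous" finding is only a problem when anonymous access was not intended, or when no other authentication is set up in the API Gateway for that operation.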