2.2 Configure API Outbound Authentication
This controls how the API-Manager authenticates itself to the API-Service-Provider. The following is supported today: API-Key, HTTP-Basic, HTTP Digest, Custom-Policy, OAuth & SSL.
Please note: As of now only the Default Authentication-Device is supported. That means you cannot combine multiple authentication devices and link them to the API.
To configure API outbound authentication, an "AuthenticationProfile" can be configured in the API-Contract.
This is an example using an API-Key to be sent to the downstream application:
{
   "name":"My API-Name",
   "path":"/the/path/to/your/API",
   "state":"published",
   "version":"1.0.5",
   "organization":"API Development",
   "authenticationProfiles":[
      {
         "name":"_default",
         "isDefault":"true",
         "parameters":{
            "apiKey":"4249823490238490",
            "apiKeyField":"KeyId",
            "httpLocation":"QUERYSTRING_PARAMETER"
         },
         "type":"apiKey"
      }
   ]
}
The following types are supported: none (used if nothing is configured), http_basic, http_digest, apiKey, oauth, ssl
You must configure at least one authentication profile with isDefault=true for it to be assigned to your API automatically. Otherwise the authentication profile is only configured, and unless it is referenced in the outboundProfile it will not be used by your API.
If no default authentication-profile is configured the following message is logged:
THERE NO DEFAULT authenticationProfile CONFIGURED. Auto-Creating a No-Authentication outbound profile as default!
Depending on the type, the following parameters are required:

"parameters":{
   "username":"user1",
   "password":"password1"
},
"type":"http_basic"
Please note: Starting from API-Manager Version 7.7 SP1 & 7.6.2 SP5 the password is not exposed anymore by the REST-API. Therefore Swagger-Promote can't use it anymore to compare the Desired with the Actual state. In order to change the password another field of the Desired state must be changed as well.

"parameters":{
   "apiKey":"4249823490238490",
   "apiKeyField":"KeyId",
   "httpLocation":"QUERYSTRING_PARAMETER or HEADER"
},
"type":"apiKey"

"parameters":{
   "providerProfile":"<Name-of-configured-OAuth-Profile>",
   "ownerId":"${authentication.subject.id}"
},
"type":"oauth"

"parameters":{
   "source":"file",
   "certFile":"../certificates/clientcert.pfx",
   "password":"myClientCertPW",
   "trustAll":true
},
"type":"ssl"
Swagger-Promote tries to load the given keystore and thereby validates that the password is correct.
It may be that Swagger-Promote can't determine the keystore type automatically and fails with the following error message:
Error message using type: PKCS12 Error-Message: null
In that case, please tell Swagger-Promote the correct Keystore-Type using the following format:
"certFile":"../certificates/clientcert.pfx:PKCS12"
Depending on your environment the following types might be valid: JKS, JCEKS, PKCS12, CASEEXACTJKS, DKS
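The rules on this page (a default profile, the supported types, the parameters per type, the optional keystore-type suffix on certFile) can be checked before a contract is promoted. The following Python script is an added example, not part of Swagger-Promote; lint_contract and the sample contract are hypothetical, and http_digest parameters are left unchecked because the page lists none for it.

```python
import json

# Values below are taken from the page; http_digest has no parameter list there.
SUPPORTED_TYPES = {"none", "http_basic", "http_digest", "apiKey", "oauth", "ssl"}
REQUIRED_PARAMS = {
    "http_basic": {"username", "password"},
    "apiKey": {"apiKey", "apiKeyField", "httpLocation"},
    "oauth": {"providerProfile", "ownerId"},
    "ssl": {"source", "certFile", "password", "trustAll"},
}
HTTP_LOCATIONS = {"QUERYSTRING_PARAMETER", "HEADER"}
KEYSTORE_TYPES = {"JKS", "JCEKS", "PKCS12", "CASEEXACTJKS", "DKS"}


def lint_contract(contract):
    """Hypothetical helper: return findings for the contract's authenticationProfiles."""
    findings = []
    profiles = contract.get("authenticationProfiles", [])
    # isDefault appears as the string "true" on the page; accept a JSON boolean too.
    if not any(str(p.get("isDefault", "")).lower() == "true" for p in profiles):
        findings.append("no profile with isDefault=true: a No-Authentication profile would be auto-created")
    for p in profiles:
        name, ptype, params = p.get("name", "<unnamed>"), p.get("type"), p.get("parameters", {})
        if ptype not in SUPPORTED_TYPES:
            findings.append(f"{name}: unsupported type {ptype!r}")
            continue
        missing = REQUIRED_PARAMS.get(ptype, set()) - set(params)
        if missing:
            findings.append(f"{name}: missing parameters {sorted(missing)}")
        if ptype == "apiKey" and params.get("httpLocation", "HEADER") not in HTTP_LOCATIONS:
            findings.append(f"{name}: httpLocation must be QUERYSTRING_PARAMETER or HEADER")
        if ptype == "ssl":
            # Optional ":<type>" suffix; a suffix containing a path separator is part of the path.
            _, sep, kstype = str(params.get("certFile", "")).rpartition(":")
            if sep and not set("/\\") & set(kstype) and kstype not in KEYSTORE_TYPES:
                findings.append(f"{name}: unknown keystore type {kstype!r}")
    return findings


# Constructed sample contract with three deliberate mistakes plus a missing default.
SAMPLE = json.loads("""{"name": "My API-Name", "authenticationProfiles": [
  {"name": "key", "isDefault": "false", "type": "apiKey",
   "parameters": {"apiKey": "CONSTRUCTED", "apiKeyField": "KeyId", "httpLocation": "COOKIE"}},
  {"name": "mtls", "type": "ssl",
   "parameters": {"source": "file", "certFile": "../certificates/clientcert.pfx:PKCS11", "trustAll": true}}
]}""")

if __name__ == "__main__":
    for finding in lint_contract(SAMPLE):
        print(finding)
```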
☝️ Swagger-Promote has been discontinued and is replaced by the new APIM-CLI