Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Note
titleContent Freeze

As of July 25th, 2023, there is a content freeze on this page.

There are 4 parts to controlling who can call your APIs:

...

The API Framework will attempt to authenticate to a single user with that "X-API-KEY" value.
 An

Code Block
languagejs
titleAn example of a configuration that secures all APIs to require an API key credentials
{

...


  "openapi": "3.0.3",

...


  "info": {

...


    "title": "My Company APIs",

...


    "version": "1.0.0"

...


  },

...


  "components": {

...


    "securitySchemes": {

...


      "MyAPIKey": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "X-API-Key"

...


      }

...


    }

...


  },

...


  "x-allowAnonymous":

...

 false,

...


  "security": [

...


    {

...


      "MyAPIKey": []

...


    }

...


  ]

...


}


 Below is another simple example of a single security using a single scheme.  This example is using User/Password Authentication.

  • The "name" of the security scheme can be anything, below the name this one "User".
  • Notice that "User" is defined as a "http" type with scheme basic.  This means it requires the caller to send an encoded basic User/Password value for "Authorization" in the header.
  • Also, to enable this scheme authentication, it must be included in the "security" section and the name must exactly match.

...

The API Framework will then attempt authenticate to a single user profile that matches the encoded credentials. An

Code Block
languagejs
titleAn example of a configuration that secures all APIs to require User/Password credentials
{

...


  "openapi": "3.0.3",

...


  "info": {

...


    "title": "My Company APIs",

...


    "version": "2.1.6"

...


  },

...


  "components": {

...


    "securitySchemes": {

...


      "User": {

...


        "type": "http",

...


        "scheme": "basic"

...


      }

...


    }

...


  },

...


  "x-allowAnonymous":

...

 false,

...


  "security": [

...


    {

...


      "User": []

...


    }

...


  ]

...


}


 Below is another simple example of a single security using a single scheme.  This example is using IBMi User/Password Authentication..
 An

Code Block
languagejs
titleAn example of a configuration that secures all APIs to require

...

IBM i User/Password credentials
{

...


  "openapi": "3.0.3",

...


  "info": {

...


    "title": "My Company APIs",

...


    "version": "2.1.6"

...


  },

...


  "components": {

...


    "securitySchemes": {

...


      "IBMiUser": {

...


        "type": "http",

...


        "scheme": "basic",

...


        "x-ibmi":

...

 true
      }

...


    }

...


  },

...


  "x-allowAnonymous":

...

 false,

...


  "security": [

...


    {

...


      "IBMiUser": []

...


    }

...


  ]

...


}


 Below is an example that shows how you can use multiple schemes.

...

The API Framework will attempt to authenticate to a single user with both the "AppKey" and "ClientID" values.
 An

Code Block
languagejs
titleAn example of a configuration that secures all APIs to require two API credentials
{

...


  "openapi": "3.0.3",

...


  "info": {

...


    "title": "My Company APIs",

...


    "version": "2.1.6"

...


  },

...


  "components": {

...


    "securitySchemes": {

...


      "AppKey": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "AppKey"

...


      },

...


      "ClientID": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "ClientID" 

...


      }

...


    }

...


  },

...


  "x-allowAnonymous":

...

 false,

...


  "security": [

...


    {

...


      "AppKey": [],

...


      "ClientID": []

...


    }

...


  ]
}

...


 

For advanced requirements

...

The API Framework will go through each of these array elements and attempt to authenticate to a single user with those matching credentials.

Code Block
languagejs
titleA more advanced configuration
{

...


  "openapi": "3.0.3",

...


  "info": {

...


    "title": "My Company APIs",

...


    "version": "2.1.6"

...


  },

...


  "components": {

...


    "securitySchemes": {

...


      "APIKey": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "X-API-KEY"

...


      },

...


      "User": {

...


        "type": "http",

...


        "scheme": "basic"

...


      },

...


      "AppKey": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "AppKey"

...


      },

...


      "ClientID": {

...


        "type": "apiKey",

...


        "in": "header",

...


        "name": "ClientID"

...


      },

...


      "AuthToken": {

...


        "type": "apiKey",

...


        "in": "cookie",

...


        "name": "AuthToken"

...


      }

...


    }

...


  },

...


  "x-allowAnonymous":

...

 false,

...


  "security": [

...


    {

...


      "User": []

...


    },

...


    {

...


      "APIKey": [],

...


      "AuthToken": []

...


    },

...


    {

...


      "AppKey": [],

...


      "ClientID": []

...


    }

...


  ]

...


}


Authorization Setup

  1. Navigate to the Profound.js IDE
  2. Choose the type of API Security you need:
    1. Simple User Authentication - A way to prove the caller is who they say they are, such as user/password
    2. Role Based Authorization - A way to further refine which authenticated callers are allowed or denied for specific APIs
      1. This is the most common choice.
      2. You can upgrade to this level at any time
  3. To enable Role Based Authorization, you must configure the Security Security Store one time.
    1. On the Home Ribbon, Click API Options and choose Security Store Configuration

...