In this section, you will begin developing APIs that use the security features you have just set up. Using Basic authentication with an API key is among the easiest methods of applying authentication security to an API. This method of applying API key security (client ID and client secret) to an API was covered in detail with an example earlier in Chapter 4, API Creation, in the Enabling API Security section.
To briefly refresh the API key concepts that you have covered earlier, an API key is the most basic level and quickest method of applying authentication security to your APIs. This method involves configuring client ID and client secret (together referred to as an API key) security definitions as part of defining an API. Once security schemes are defined, you simply select those definitions in the security section of your API. A consumer can then send these values as part of either a request’s query (X-IBM-Client-Id and X-IBM-Client-Secret parameters) or its header (client_id, client_secret). Refer to Figure 7.1 for details of defining a security scheme and then applying the scheme to the API security.
On the other hand, Basic authentication using the Authentication URL method validates the username and password values passed in the Basic auth headers of the request against the Authentication URL user registry.
You will now develop an API that will be secured by the API key and Basic authentication methods.
Implementing Basic authentication and ClientID in API security
You recently created an Authentication URL user registry entitled HttpBin user registry. It is time to use this registry and a client ID to secure your API:
1. Navigate to Home | Develop API and Products and click Add to create a new API. Choose a new From target service REST proxy and click Next. Use the information in Table 7.2 to complete the wizard entry of your API:
Table 7.2 – Proxy for Basic auth and ClientID
2. Your API already has an API key security definition, clientID. You will now add a Basic auth security definition. Refer to Figure 7.9:
Figure 7.9 – Security definitions for API
3. Go to the Design tab | Security Schemes | Add. Provide the values as per Table 7.3 and then save the scheme.
Table 7.3 – Basic auth security definition
You should now see two security schemes available for your API. Refer to Figure 7.10:
Figure 7.10 – API Security Schemes for Basic auth and API keys
4. To use the http-auth-url security scheme, you will need to add this scheme to the security of the API. Go to the Design tab | General | Security | clientID in the navigation menu. Select the http-auth-url scheme. Refer to Figure 7.11. Click on the Submit button. Then, click on the Save button:
Figure 7.11 – API Security for Basic Auth and API keys
5. Go ahead and publish the API. Click the Offline slider to publish the API to the Sandbox catalog. Refer to Figure 7.12:
Figure 7.12 – Publishing API changes
6. Click on the Test tab. You will need to set the API’s Authentication and Parameters tabs as highlighted in Figure 7.13. In the Authentication tab, set the Username to user and Password to pass. Review the Parameters tab to check how APIC has pre-filled the X-IBM-Client-Id value for testing.
Figure 7.13 – Setting Basic Auth and Client ID parameters in the Test facility
7. Click Send to execute the test. You should receive a successful response as shown in the following screenshot:
Figure 7.14 – Basic Auth and Client ID successful response
How easy that was! You completed the testing of your API proxy secured using two security methods: API key (client ID) and Basic auth (Authentication URL). As a learning exercise, you can consider modifying your REST proxy by removing one of the security definitions from its security and then re-executing the test (remember to save and publish after any REST proxy change; the toggle facility gives you a quick way to republish to the Sandbox catalog). You can also run some negative tests by changing the authentication values of username, password, and X-IBM-Client-Id parameters in the Test facility.
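As an added example (not from the book and not API Connect's own code), the following Python models the two checks the gateway applies to this API, the clientID API key and the http-auth-url Basic scheme, and runs the step 7 positive test alongside the negative tests suggested above. The client ID value, the registry contents and all function names are constructed assumptions, and the registry lookup is a local stand-in for the HTTP call to the Authentication URL.

```python
import base64
import hmac

# Constructed sample values (not from the book): the application's registered
# client ID and the one account the HttpBin user registry is assumed to accept.
REGISTERED_CLIENT_ID = "demo-client-id-0000"
REGISTRY_USERS = {"user": "pass"}

def authentication_url_check(username, password):
    """Stand-in for the Authentication URL user registry (a real registry is an
    HTTP call made by the gateway): True only when the pair is valid."""
    expected = REGISTRY_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def basic_header(username, password):
    """Build the Authorization header the Test facility sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def gateway_check(headers):
    """Apply the two schemes the API selects, clientID then http-auth-url.
    Returns 200, or 401 on the first failing check. Simplification: the client
    ID is read only from the X-IBM-Client-Id header, not from the query."""
    client_id = headers.get("X-IBM-Client-Id")
    if client_id is None or not hmac.compare_digest(client_id.encode(), REGISTERED_CLIENT_ID.encode()):
        return 401
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401  # malformed credentials are rejected, not parsed leniently
    username, _, password = creds.partition(":")
    return 200 if authentication_url_check(username, password) else 401

def run_security_tests():
    """The positive test from step 7 plus the negative tests the text suggests."""
    good = {"X-IBM-Client-Id": REGISTERED_CLIENT_ID,
            "Authorization": basic_header("user", "pass")}
    cases = {
        "valid": good,
        "wrong_password": {**good, "Authorization": basic_header("user", "wrong")},
        "unknown_client_id": {**good, "X-IBM-Client-Id": "not-registered"},
        "no_basic_header": {"X-IBM-Client-Id": REGISTERED_CLIENT_ID},
    }
    return {name: gateway_check(h) for name, h in cases.items()}
```

Only the fully valid request returns 200; every altered credential fails at the first check that rejects it, which mirrors what you should see when you vary the Test facility values.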
One of the goals of this section was to get you familiar with the process of creating and using the security definitions. To that extent, Basic auth and API keys served a great purpose. But as the reach of your APIs expands beyond the realm of your internal organization and its trusted partners, you will certainly need to apply more advanced security modes. OAuth is one such security method, and you will learn this next.