
    API Authentication

Nodeum supports several mechanisms for handling authorization. The objective is to grant authenticated users access to resources by verifying whether they hold the required permissions, and to restrict privileges by granting or denying specific access to authenticated users.

    Cross-Origin resource Sharing (CORS)

Cross-origin resource sharing (CORS) is a browser mechanism that allows a web application served from another origin to satisfy the browser's security requirements and send requests directly to Nodeum API endpoints.

To configure CORS in Nodeum, log in to your Nodeum Administration Console, open the System/Configuration menu and then the API Security section.

    In the Cross-Origin section, you can define the three following parameters:

• Origins: the DNS domain(s) allowed to call the API; * is a wildcard that allows access from all domains.
• Path: the API endpoint path (URL); * is a wildcard that allows access to all endpoints.
• Methods: the HTTP request methods allowed. GET / POST / PUT / DELETE can be defined, and multiple selections are allowed.

Multiple rules can be configured to build the cross-origin access policy you need.
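As an added example (not code from the post or from Nodeum), the following Python models the three Cross-Origin parameters described above and shows how a server would decide whether a given origin/path/method combination is allowed, plus a small audit helper that flags rules opening state-changing methods to every origin. The class name, field names, and the sample rules are my own constructions and say nothing about how Nodeum stores its configuration.

```python
import fnmatch
from dataclasses import dataclass


# Model of one Cross-Origin rule as described in the post (Origins, Path,
# Methods). The class and field names are hypothetical, not Nodeum's.
@dataclass(frozen=True)
class CorsRule:
    origins: str          # DNS origin, e.g. "https://app.example.com", or "*"
    path: str             # endpoint path pattern, e.g. "/api/v2/files*", or "*"
    methods: frozenset    # allowed HTTP methods, e.g. frozenset({"GET", "POST"})


def _matches(pattern: str, value: str) -> bool:
    """'*' alone matches anything; otherwise a case-sensitive glob match."""
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)


def cors_decision(rules, origin: str, path: str, method: str):
    """Return the CORS response headers for the first rule that allows this
    (origin, path, method), or None when no rule matches (the browser then
    blocks the cross-origin call)."""
    for rule in rules:
        if (_matches(rule.origins, origin)
                and _matches(rule.path, path)
                and method.upper() in rule.methods):
            return {
                # Echo the concrete origin unless the rule itself is a wildcard
                "Access-Control-Allow-Origin": "*" if rule.origins == "*" else origin,
                "Access-Control-Allow-Methods": ", ".join(sorted(rule.methods)),
                # Tell caches that the answer depends on the requesting origin
                "Vary": "Origin",
            }
    return None


SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def audit_rules(rules):
    """Defender's check: indexes of rules that expose state-changing methods
    (POST/PUT/DELETE) to every origin through the '*' wildcard."""
    return [i for i, r in enumerate(rules)
            if r.origins == "*" and not r.methods <= SAFE_METHODS]


# Constructed sample configuration (not taken from any real deployment)
SAMPLE_RULES = (
    CorsRule("https://app.example.com", "/api/v2/files*", frozenset({"GET", "POST"})),
    CorsRule("*", "/api/v2/status", frozenset({"GET"})),
)

if __name__ == "__main__":
    print(cors_decision(SAMPLE_RULES, "https://app.example.com", "/api/v2/files", "GET"))
    print(cors_decision(SAMPLE_RULES, "https://other.example", "/api/v2/files", "GET"))
    print(audit_rules(SAMPLE_RULES + (CorsRule("*", "*", frozenset({"DELETE"})),)))
```

The audit helper is the check worth running on a real rule set: a wildcard origin is harmless for a read-only status endpoint but should be questioned as soon as it covers PUT or DELETE.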


    API HTTP Authentication

The Nodeum API is designed with OpenAPI and provides the main HTTP authentication schemes, all of which use the Authorization header:

    • Basic
    • API Key
    • Bearer

Basic authentication

Basic authentication is a simple scheme built into the HTTP protocol. The client sends HTTP requests with an Authorization header that contains the word Basic followed by a space and the base64-encoded string username:password. For example, to authorize as demo / p@55w0rd the client would send:

    Authorization: Basic ZGVtbzpwQDU1dzByZA==

Note: Because base64 is trivially decoded, Basic authentication exposes the credentials to anyone who can read the request, so it should only be used together with transport protection such as HTTPS/SSL.

    Request Sample cURL:

curl --request GET \
--url http://localhost/api/v2/files \
--header 'Accept: application/json' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='

Here YWRtaW46cGFzc3dvcmQ= is the base64 encoding of admin:password; the credentials must be encoded, not sent as plain admin:password.
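The following Python is an added example (not from the post or from Nodeum) that builds the Basic header exactly as described above and, for the server side, parses it back while rejecting malformed values such as an unencoded admin:password. It depends only on the standard library; the function names are my own.

```python
import base64
import binascii


def build_basic_header(username: str, password: str) -> str:
    """Client side: produce the Authorization header value for Basic auth.
    RFC 7617 forbids ':' in the user-id because it is the separator."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_header(header: str):
    """Server side: return (username, password) from a Basic header value,
    or None if the header is malformed (wrong scheme, bad base64, no ':')."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet, so a
        # raw 'admin:password' that was never encoded is refused, not misread
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only: the password itself may contain colons
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    # Reproduces the demo / p@55w0rd example from the post
    print(build_basic_header("demo", "p@55w0rd"))
    print(parse_basic_header("Basic ZGVtbzpwQDU1dzByZA=="))
    print(parse_basic_header("Basic admin:password"))   # malformed -> None
```

With curl, the `--user admin:password` (or `-u`) option performs this encoding for you and is less error-prone than writing the header by hand.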

    API Key

Create an API key associated with a user. Access can be restricted with a scope. Each API call described below has a scope mentioned in its description.

    For example :

    API Key Scope: files / index

This means that the API key must have a scope whose controller is files and whose action is index.

An API key is a token that you provide when making API calls. Include the token in a header called Authorization.

    Example: Authorization: 123

To generate an API key, log in to your Nodeum Administration Console, open the System/Configuration menu and then the API Security section.

In the API Key section, you can define the three following parameters:

• Name: a name of your choice.
• Controller: the controller the key may call; * is a wildcard that allows access to all controllers.
• Action: the action on that controller the key may call; * is a wildcard that allows access to all actions.

The controller and action of each endpoint can be found in the Nodeum API documentation, next to the endpoint's description.

Multiple rules can be configured to grant exactly the access you need.
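The scope model above (controller + action, with * as a wildcard) is easy to get wrong on the server side, so here is an added example in Python (my own code, not Nodeum's) of an API-key store that applies it: the key arrives in the Authorization header, is looked up by its hash so the store never holds the raw secret, and is then checked against the endpoint's controller/action pair. The key values, key names, and the "tasks"/"destroy"/"create" controller and action names are constructed for the example and are not Nodeum identifiers.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeRule:
    controller: str   # e.g. "files", or "*" for every controller
    action: str       # e.g. "index", or "*" for every action


def scope_allows(rules, controller: str, action: str) -> bool:
    """A key may call an endpoint if any of its rules covers the endpoint's
    controller/action pair; '*' matches anything, as described in the post."""
    return any(r.controller in ("*", controller) and r.action in ("*", action)
               for r in rules)


def key_id(token: str) -> str:
    # Store only a hash of the key so a leaked store does not yield usable keys
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Minimal key store: hashed token -> (key name, scope rules)."""

    def __init__(self):
        self._keys = {}

    def add(self, token: str, name: str, rules):
        self._keys[key_id(token)] = (name, tuple(rules))

    def authorize(self, headers: dict, controller: str, action: str):
        """Decide a request carrying the key in the Authorization header.
        Returns ('ok', name), ('unknown_key', None) or ('forbidden', name);
        distinguishing the last two matters for logging and alerting."""
        token = headers.get("Authorization", "").strip()
        if not token:
            return ("unknown_key", None)
        record = self._keys.get(key_id(token))
        if record is None:
            return ("unknown_key", None)
        name, rules = record
        if not scope_allows(rules, controller, action):
            return ("forbidden", name)
        return ("ok", name)


# Constructed sample keys; the token strings are invented for this example
STORE = ApiKeyStore()
STORE.add("key-readonly-files-EXAMPLE", "files-reader",
          [ScopeRule("files", "index"), ScopeRule("files", "show")])
STORE.add("key-full-access-EXAMPLE", "automation", [ScopeRule("*", "*")])

if __name__ == "__main__":
    # The post's example: a files / index scope is required to list files
    print(STORE.authorize({"Authorization": "key-readonly-files-EXAMPLE"}, "files", "index"))
    print(STORE.authorize({"Authorization": "key-readonly-files-EXAMPLE"}, "files", "destroy"))
    print(STORE.authorize({"Authorization": "not-a-key"}, "files", "index"))
```

A ('forbidden', name) result identifies a legitimate key used outside its scope, which is a different signal from an unknown key and deserves its own log line.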

    Request Sample cURL:

curl --request GET \
    --url http://localhost/api/v2/files \
    --header 'Accept: application/json' \
    --header 'Authorization: LVKRd3vybo4WQ7fDzwMJ6Q'

    Bearer authentication (also called token authentication)

Bearer authentication is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is an opaque string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources:

    Authorization: Bearer <token>

    Similarly to Basic authentication, Bearer authentication is recommended to be used over HTTPS (SSL).

Bearer authentication requires the Nodeum Administration Console to be configured in JWT mode.

    Request Sample cURL:

    curl --request GET \
    --url http://localhost/api/v2/files \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

The value following Bearer is a JWT (JSON Web Token).
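To make the JWT mode concrete, here is an added Python example (my own code, not Nodeum's; the post does not describe how Nodeum signs its tokens) that issues an HS256-signed JWT, verifies one arriving in a Bearer header, and decodes the sample token quoted above without verification. The signing secret and claims are constructed for the example. The verifier pins the algorithm, compares signatures in constant time and enforces an exp claim when present, which are the checks a server must do before trusting any claim in the token.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issue_token(claims: dict, secret: bytes) -> str:
    """Server side: build an HS256-signed JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str):
    """Return (header, payload) without checking the signature. Fine for
    inspecting a token; never use it to make an authorization decision."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def verify_bearer(authorization: str, secret: bytes, now=None):
    """Server side: return the claims if the Authorization header carries a
    valid, unexpired HS256 token signed with `secret`; otherwise None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    try:
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:          # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm: the token must never choose how it is verified
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    try:
        claims = json.loads(b64url_decode(body))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


# The sample token quoted in the post; only its header and payload are decoded here
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; a real secret comes from config
    token = issue_token({"sub": "42", "exp": 2000}, secret)
    print(verify_bearer("Bearer " + token, secret, now=1000))   # claims
    print(verify_bearer("Bearer " + token, secret, now=3000))   # None: expired
    print(decode_unverified(PAGE_TOKEN))
```

A production verifier would additionally check the issuer and audience claims it expects; the example stops at signature, algorithm and expiry because those are what the post's token carries.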
