2.1.3 Configure Inbound Security - Axway-API-Management-Plus/apim-cli GitHub Wiki

Inbound Security controls how a consuming application must authenticate itself against the exposed API. The API-Manager supports the following security devices by default: API-Key, OAuth, OAuth (External), AWS-Signing, HTTP-Basic, Passthrough and Custom-Policy.

Please note: As of now only the default Security-Device is supported. That means you cannot combine multiple security devices in one profile and link them to the API.

Most of the fields are self-explanatory, hence only the relevant fields are explained underneath each example. As the Security-Profiles configured here are used by the API-Manager, please review the Axway standard documentation for further information: Configure Inbound request settings

Please note:
If no Security-Profile is configured for your API, it defaults to the PassThrough-Profile, i.e. the API is exposed without any inbound authentication.

API-Key

To enforce an API-Key from consuming applications, set up your API with the following Security-Profile and configure it to your needs.

{
   "name":"API-Key secured API",
   "path":"/api/v1/apikey",
   "state":"unpublished",
   "version":"1.0.0",
   "organization":"API Development",
   "securityProfiles":[
      {
         "name":"_default",
         "isDefault":true,
         "devices":[
            {
               "name":"API Key",
               "type":"apiKey",
               "order":0,
               "properties":{
                  "apiKeyFieldName":"KeyId",
                  "takeFrom":"HEADER",
                  "removeCredentialsOnSuccess":"true"
               }
            }
         ]
      }
   ]
}

Explained fields:
"name":"_default" - Don't change this. It identifies this profile as the main API-Security profile
"isDefault":true - Don't change this. Marks the profile as the default one, which is the only kind currently supported
"devices" - As of today, only one security device is supported. Don't add additional devices
"order":0 - Don't change this.
"apiKeyFieldName" - Name of the header or query parameter in which the consuming application sends the key (KeyId in the example)
"takeFrom" - Can be HEADER or QUERY. Prefer HEADER: a key passed as a query parameter ends up in access logs, proxy logs and browser history
"removeCredentialsOnSuccess" - Strips the API-Key from the request before it is forwarded to the backend, so the backend never sees the credential

OAuth

When your API is to be secured by OAuth and the API-Manager itself acts as the OAuth authorization server, add the following Security-Profile.

"securityProfiles":[
   {
      "name":"_default",
      "isDefault":true,
      "devices":[
         {
            "type":"oauth",
            "name":"OAuth",
            "order":1,
            "properties":{
               "tokenStore":"OAuth Access Token Store",
               "accessTokenLocation":"HEADER",
               "authorizationHeaderPrefix":"Bearer",
               "accessTokenLocationQueryString":"",
               "scopesMustMatch":"Any",
               "scopes":"resource.WRITE, resource.READ",
               "removeCredentialsOnSuccess":true,
               "implicitGrantEnabled":true,
               "implicitGrantLoginEndpointUrl":"https://localhost:8089/api/oauth/authorize",
               "implicitGrantLoginTokenName":"access_token",
               "authCodeGrantTypeEnabled":true,
               "authCodeGrantTypeRequestEndpointUrl":"https://localhost:8089/api/oauth/authorize",
               "authCodeGrantTypeRequestClientIdName":"client_id",
               "authCodeGrantTypeRequestSecretName":"client_secret",
               "authCodeGrantTypeTokenEndpointUrl":"https://localhost:8089/api/oauth/token",
               "authCodeGrantTypeTokenEndpointTokenName":"access_code"
            }
         }
      ]
   }
]

OAuth (External)

Use OAuth (External) when an external token provider such as Auth0, Keycloak, etc. issues the tokens. Make sure the configured Token-Information policy already exists in the API-Manager; if it does not, the deployment fails, because apim-cli validates it.

"securityProfiles":[
   {
      "name":"_default",
      "isDefault":true,
      "devices":[
         {
            "type":"oauthExternal",
            "name":"OAuth (External)",
            "order":1,
            "properties":{
               "tokenStore":"Tokeninfo policy 1",
               "accessTokenLocation":"HEADER",
               "authorizationHeaderPrefix":"Bearer",
               "accessTokenLocationQueryString":"",
               "scopesMustMatch":"Any",
               "scopes":"resource.WRITE, resource.READ, resource.ADMIN",
               "removeCredentialsOnSuccess":true,
               "implicitGrantEnabled":true,
               "useClientRegistry":true,
               "subjectSelector":"${oauth.token.client_id}",
               "implicitGrantLoginEndpointUrl":"https://localhost:8089/api/oauth/authorize",
               "implicitGrantLoginTokenName":"access_token",
               "authCodeGrantTypeEnabled":true,
               "authCodeGrantTypeRequestEndpointUrl":"https://localhost:8089/api/oauth/authorize",
               "authCodeGrantTypeRequestClientIdName":"client_id",
               "authCodeGrantTypeRequestSecretName":"client_secret",
               "authCodeGrantTypeTokenEndpointUrl":"https://localhost:8089/api/oauth/token",
               "authCodeGrantTypeTokenEndpointTokenName":"access_code"
            }
         }
      ]
   }
]

Explained fields:
"name":"_default" - Don't change this. It identifies this profile as the main API-Security profile
"isDefault":true - Don't change this. Marks the profile as the default one, which is the only kind currently supported
"devices" - As of today, only one security device is supported. Don't add additional devices
"order" - Keep the value from the example.
"tokenStore" - For OAuth: the name of the API-Manager token store. For OAuth (External): the name of your Token-Information policy, which must already exist in the API-Manager
"accessTokenLocation" - HEADER (token in the Authorization header, prefixed with "authorizationHeaderPrefix") or QUERY (token in the query parameter named by "accessTokenLocationQueryString")
"scopesMustMatch" - Any: the token must carry at least one of the listed "scopes". All: it must carry every one of them
"subjectSelector" - Only used when "useClientRegistry" is turned off
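The request-time behaviour of the OAuth and OAuth (External) devices above, as an added example that is not apim-cli or API-Manager code: it takes the properties from the OAuth (External) profile, locates the access token according to "accessTokenLocation", evaluates "scopes" with "scopesMustMatch" set to Any versus All, and strips the credential when "removeCredentialsOnSuccess" is set. The token store contents (TOKEN_STORE) are constructed sample data standing in for what the real token store or Token-Information policy would return.

```python
# Added example (not apim-cli code): simulates the checks the OAuth / OAuth (External)
# security device performs with the properties shown in the profiles above.
from __future__ import annotations

from urllib.parse import parse_qs, urlencode

# Properties taken from the OAuth (External) profile above.
OAUTH_PROPS = {
    "accessTokenLocation": "HEADER",
    "authorizationHeaderPrefix": "Bearer",
    "accessTokenLocationQueryString": "",
    "scopesMustMatch": "Any",
    "scopes": "resource.WRITE, resource.READ, resource.ADMIN",
    "removeCredentialsOnSuccess": True,
}

# Constructed stand-in for the token store / Token-Information policy result per token
# (shape modelled on RFC 7662 introspection: active, scope, client_id).
TOKEN_STORE = {
    "tok-read-only": {"active": True, "scope": "resource.READ", "client_id": "app-1"},
    "tok-expired": {"active": False, "scope": "resource.READ resource.WRITE", "client_id": "app-1"},
}


def extract_token(props: dict, headers: dict[str, str], query: str) -> str | None:
    """Locate the access token where accessTokenLocation says; None if it is not presented there."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if props["accessTokenLocation"] == "HEADER":
        prefix = props["authorizationHeaderPrefix"] + " "
        value = lowered.get("authorization", "")
        if not value.startswith(prefix):
            return None  # wrong scheme (e.g. Basic) or no header at all
        return value[len(prefix):].strip() or None
    if props["accessTokenLocation"] == "QUERY":
        values = parse_qs(query).get(props["accessTokenLocationQueryString"], [])
        return values[0] if values else None
    raise ValueError(f"unsupported accessTokenLocation {props['accessTokenLocation']!r}")


def scopes_satisfied(props: dict, granted: set[str]) -> bool:
    """scopesMustMatch: Any = at least one configured scope is present, All = every one is."""
    required = {s.strip() for s in props["scopes"].split(",") if s.strip()}
    if props["scopesMustMatch"] == "Any":
        return bool(required & granted)
    if props["scopesMustMatch"] == "All":
        return required <= granted
    raise ValueError(f"unsupported scopesMustMatch {props['scopesMustMatch']!r}")


def authorize(props: dict, headers: dict[str, str], query: str = "",
              token_store: dict = TOKEN_STORE) -> tuple[bool, dict[str, str], str]:
    """Return (allowed, headers to forward, query string to forward).

    On success the credential is removed from the forwarded request when
    removeCredentialsOnSuccess is set, so the backend never sees the bearer token.
    """
    token = extract_token(props, headers, query)
    info = token_store.get(token) if token else None
    if not info or not info.get("active"):
        return False, headers, query  # unknown, revoked or expired token
    if not scopes_satisfied(props, set(info.get("scope", "").split())):
        return False, headers, query  # token is valid but lacks the configured scopes
    if not props["removeCredentialsOnSuccess"]:
        return True, headers, query
    if props["accessTokenLocation"] == "HEADER":
        headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    else:
        name = props["accessTokenLocationQueryString"]
        kept = [(k, v) for k, vs in parse_qs(query).items() if k != name for v in vs]
        query = urlencode(kept)
    return True, headers, query


if __name__ == "__main__":
    print(authorize(OAUTH_PROPS, {"Authorization": "Bearer tok-read-only", "X-Req": "1"}))
    strict = dict(OAUTH_PROPS, scopesMustMatch="All")
    print(authorize(strict, {"Authorization": "Bearer tok-read-only"})[0])
```

With the profile's "Any" setting, a token that only carries resource.READ is accepted; switching "scopesMustMatch" to "All" rejects the same token, which is the setting to use when an operation genuinely requires every listed scope.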

Invoke policy

If you want to use your own custom policy to authenticate the consuming application, use the following Security-Profile:

"securityProfiles":[
   {
      "name":"_default",
      "isDefault":true,
      "devices":[
         {
            "type":"authPolicy",
            "name":"Invoke Policy",
            "order":1,
            "properties":{
               "authenticationPolicy":"Custom authentication policy",
               "useClientRegistry":true,
               "subjectSelector":"authentication.subject.id",
               "descriptionType":"original",
               "descriptionUrl":"",
               "descriptionMarkdown":"",
               "description":""
            }
         }
      ]
   }
]

If the given custom policy isn't configured in the API-Manager beforehand, you will get an error. I haven't tested whether the description flags have any impact.
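A pre-deployment lint for the "securityProfiles" block, covering the rules stated in the explained-fields lists of the API-Key and OAuth (External) sections and the Invoke policy section above. This is an added example and not part of apim-cli; it checks only what this page states (one "_default" profile with "isDefault":true, a single device, "takeFrom" HEADER or QUERY, a named "tokenStore" or "authenticationPolicy") and leaves everything else to the API-Manager. KNOWN_TYPES lists only the device type identifiers shown on this page; the identifiers for AWS-Signing, HTTP-Basic and Passthrough are not shown here, so they are left out and must be added when known. The embedded API-Key configuration is the example from above.

```python
# Added example (not apim-cli code): lint the securityProfiles block against the rules
# this page states, so mistakes are caught before apim-cli talks to the API-Manager.
from __future__ import annotations

import json

# Device type identifiers appearing on this page. AWS-Signing, HTTP-Basic and Passthrough
# identifiers are not shown on the page, so they are not listed (extend when known).
KNOWN_TYPES = {"apiKey", "oauth", "oauthExternal", "authPolicy"}

# The API-Key example from this page, embedded so the script runs offline.
API_KEY_EXAMPLE = json.loads("""{
   "name":"API-Key secured API",
   "path":"/api/v1/apikey",
   "state":"unpublished",
   "version":"1.0.0",
   "organization":"API Development",
   "securityProfiles":[{"name":"_default","isDefault":true,"devices":[{"name":"API Key","type":"apiKey","order":0,
      "properties":{"apiKeyFieldName":"KeyId","takeFrom":"HEADER","removeCredentialsOnSuccess":"true"}}]}]
}""")


def lint_device(device: dict) -> list[str]:
    """Check the per-type properties this page says must be present and valid."""
    dtype = device.get("type")
    props = device.get("properties") or {}
    if dtype not in KNOWN_TYPES:
        return [f"device type {dtype!r} is not one of {sorted(KNOWN_TYPES)}"]
    findings: list[str] = []
    if dtype == "apiKey":
        if props.get("takeFrom") not in ("HEADER", "QUERY"):
            findings.append("apiKey: takeFrom must be HEADER or QUERY")
        if not props.get("apiKeyFieldName"):
            findings.append("apiKey: apiKeyFieldName (header/query parameter name) is missing")
    elif dtype in ("oauth", "oauthExternal"):
        if not props.get("tokenStore"):
            findings.append(f"{dtype}: tokenStore must name the token store / Token-Information policy")
        if props.get("accessTokenLocation") not in ("HEADER", "QUERY"):
            findings.append(f"{dtype}: accessTokenLocation must be HEADER or QUERY")
        if props.get("accessTokenLocation") == "QUERY" and not props.get("accessTokenLocationQueryString"):
            findings.append(f"{dtype}: accessTokenLocationQueryString is required with accessTokenLocation QUERY")
        if props.get("scopesMustMatch") not in ("Any", "All"):
            findings.append(f"{dtype}: scopesMustMatch must be Any or All")
    elif dtype == "authPolicy":
        if not props.get("authenticationPolicy"):
            findings.append("authPolicy: authenticationPolicy must name an existing custom policy")
    return findings


def lint_security_profiles(api_config: dict) -> list[str]:
    """Return findings for a whole API config; an empty list means it follows this page's rules."""
    profiles = api_config.get("securityProfiles") or []
    if not profiles:
        # The page: without a Security-Profile the API falls back to PassThrough, i.e. no authentication.
        return ["no securityProfiles: API would be deployed with the PassThrough profile (no inbound authentication)"]
    findings: list[str] = []
    if len(profiles) != 1:
        findings.append(f"expected exactly one security profile, found {len(profiles)}")
    profile = profiles[0]
    if profile.get("name") != "_default":
        findings.append(f"profile name must be '_default', found {profile.get('name')!r}")
    if profile.get("isDefault") is not True:
        findings.append("profile must have isDefault: true")
    devices = profile.get("devices") or []
    if len(devices) != 1:
        findings.append(f"expected exactly one security device, found {len(devices)}")
    for device in devices:
        findings.extend(lint_device(device))
    return findings


if __name__ == "__main__":
    for line in lint_security_profiles(API_KEY_EXAMPLE) or ["OK: profile follows the rules on this page"]:
        print(line)
```

Run it against every API configuration file before calling apim-cli; the missing-profile finding is deliberately not silent, because a forgotten "securityProfiles" block silently publishes the API as PassThrough.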