What tends to be the industry standard for API authentication? I'm looking at implementing an API for CRUD on a member management system and need authentication. I came across this article using JSON web tokens. I've also seen tutorials that mention using session based authentication, as does this one.
What is the industry standard for authentication of users to API access?
EDIT:
Is this article explaining tokens vs session based still relevant? It's over two years old.
I'd say that OAuth 2.0 has taken over as the dominant API credential in use, but it's far from the simplest option.
Related
What are the security practices that differentiate system APIs from experience APIs in API-led and layered API architecture?
The question is very open, but I believe that the most important practice is usually that people want to ensure that System APIs are called only by the previous-level APIs and not by users and clients.
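Both threads above end up at the same mechanism: a bearer token that the API checks before serving the request. The first thread asks whether JWTs or sessions are the norm (the answer points at OAuth 2.0, whose access tokens are very often JWTs), and the second asks how to make sure a System API is only reached by the API layer above it. The following is an added example, not code from either thread: a minimal HS256 JWT issuer and verifier in which the `aud` claim names the API tier that may accept the token, so a token minted for an experience API is rejected at the system API. The key, tier names and claim layout are constructed for the demo; the verifier pins the algorithm, checks the signature in constant time before it reads any claim, and enforces expiry.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason a bearer token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key, lifetime_seconds=300, now=None):
    """Issue a short-lived HS256 JWT.

    'aud' in claims names the API tier allowed to accept the token
    (constructed convention for this demo, e.g. "system-api").
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + lifetime_seconds)
    encode = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(body)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token, key, expected_audience, now=None):
    """Return the claims if the token is valid for this audience, else raise TokenError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON, wrong number of segments
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    # The tier check: a token minted for the experience layer must not open the system layer.
    if claims.get("aud") != expected_audience:
        raise TokenError("wrong audience")
    return claims


def check_token(token, key, audience, now=None):
    """Gateway-style wrapper: (True, claims) on success, (False, reason) on rejection."""
    try:
        return True, verify_token(token, key, audience, now)
    except TokenError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment uses a managed secret
    t = mint_token({"sub": "orders-experience-api", "aud": "system-api"}, key)
    print(check_token(t, key, "system-api"))
    print(check_token(t, key, "experience-api"))
```

In a layered deployment the experience API would obtain its token from the authorization server with `aud` set to the system tier, and the system API would call `check_token(..., "system-api")`; a token a mobile client holds for the experience tier fails the audience check even though its signature is valid.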
I'd like to have a page or a section of information that only is relevant to a specific API. Is that possible in the new portal?
In this case it has to do with information about event data that is sent out (to webhooks) when new items are created and that is then available in operations for the API. If it's not possible to have an "API-specific" page, where would you put something like this?
I believe in this case you are trying to add some sort of static page or documentation to explain the functionality of a specific API. You may refer to this. As mentioned in the thread, you can try with Swagger, but in the APIM portal it might not work immediately. The Microsoft product team has confirmed that they are working on improving support for OpenAPI v3. The ETA is about the end of September.
However, you may also check the self-hosted gateway feature:
The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
Official Documentation
I'm confused by the preliminary documentation on the OneNote dev blog. Does it mean that a Native App accessing has to use (compile in) a Client ID specific to an individual O365 subscription?
The implication being that a Commercial App would need recompiling for each different O365 customer. Is this the intention?
If so then this severely limits the utility of OneNote Api in O365.
I'm hoping that I've misunderstood, can anyone advise please?
Paul,
Apologies if we confused you with our initial preliminary docs. Definitely not the case. The app ID is relative to the O365 tenant that publishes the app, but you just flip over the switch to say it is a multi-tenant app for it to be able to be consumed by any tenant.
I know CAS and I understand how it works in web application contexts; now my customer would like to have an SSO system able to manage several applications (both stand-alone and web applications).
I saw the RESTful APIs provided by CAS; I'd like to use these APIs in my scenario but I'm missing how to use them.
Now...let's suppose I have the following applications:
java swing application
visual basic application
web application (Java based)
What I would like to do is to use the CAS APIs in order to do SSO so that a user logged on to one of the previous applications no longer needs to log in on the others. Is this possible? If so...how may I do it?
I guess that the first thing to do is to do the request for a CAS ticket but then....how can I share this ticket between applications? Is there any good way and/or best practice to follow?
Thank you
Angelo
I already replied on the CAS mailing list: https://groups.google.com/forum/?fromgroups#!topic/jasig-cas-user/yhTwvj6-Sko...
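The reply only links to the mailing list, so here is an added example of the flow the question describes, written for this page and not taken from CAS or from the thread. It drives the three CAS REST calls (obtain a TGT, exchange it for a per-application ST, validate the ST) against a constructed stand-in for the CAS server so it runs offline. The hostnames, credentials and ticket ids are constructed; the URL paths, status codes and XML response shape follow the CAS REST and validation protocol. What the apps share is the TGT, which the REST protocol hands to the client (in the browser flow it never leaves the CAS cookie), so it must be stored like a credential; each application still gets its own single-use, service-bound ST, which is what the stand-in enforces.

```python
import itertools
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasError(Exception):
    pass


# ---- client side: the calls a Swing, VB or web app would make; `http` is an
# injectable function (method, url, form_dict) -> (status, headers, body) ----

def get_tgt(http, cas_base, username, password):
    """POST /v1/tickets -> 201 Created; the Location header ends in the TGT id."""
    status, headers, _ = http("POST", f"{cas_base}/v1/tickets",
                              {"username": username, "password": password})
    if status != 201:
        raise CasError(f"login failed: HTTP {status}")
    return headers["Location"].rsplit("/", 1)[1]


def get_st(http, cas_base, tgt, service):
    """POST /v1/tickets/{TGT} with service=... -> 200 OK; the body is the ST id."""
    status, _, body = http("POST", f"{cas_base}/v1/tickets/{tgt}", {"service": service})
    if status != 200:
        raise CasError(f"no service ticket: HTTP {status}")
    return body.strip()


def validate_st(http, cas_base, service, ticket):
    """GET /serviceValidate?service=...&ticket=... -> CAS 2.0 XML; returns the user."""
    query = urlencode({"service": service, "ticket": ticket})
    _, _, body = http("GET", f"{cas_base}/serviceValidate?{query}", None)
    root = ET.fromstring(body)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        raise CasError(failure.get("code") if failure is not None else "INVALID_RESPONSE")
    return user.text


def validate_or_reason(http, cas_base, service, ticket):
    """(True, user) or (False, failure code): the decision an application makes."""
    try:
        return True, validate_st(http, cas_base, service, ticket)
    except CasError as exc:
        return False, str(exc)


# ---- constructed stand-in for the CAS server (not CAS code) ----

class FakeCasServer:
    def __init__(self, users):
        self.users = users          # username -> password (constructed)
        self.tgts = {}              # TGT id -> username
        self.sts = {}               # ST id -> (username, service it was issued for)
        self._seq = itertools.count(1)

    def __call__(self, method, url, form):
        parts = urlsplit(url)
        path, query = parts.path, parse_qs(parts.query)
        if method == "POST" and path == "/cas/v1/tickets":
            if self.users.get(form.get("username")) != form.get("password"):
                return 400, {}, ""
            tgt = f"TGT-{next(self._seq)}-constructed"
            self.tgts[tgt] = form["username"]
            return 201, {"Location": f"https://{parts.netloc}{path}/{tgt}"}, ""
        if method == "POST" and path.startswith("/cas/v1/tickets/"):
            tgt = path.rsplit("/", 1)[1]
            if tgt not in self.tgts:
                return 404, {}, ""
            st = f"ST-{next(self._seq)}-constructed"
            self.sts[st] = (self.tgts[tgt], form["service"])
            return 200, {}, st
        if method == "GET" and path == "/cas/serviceValidate":
            entry = self.sts.pop(query.get("ticket", [""])[0], None)  # single use
            if entry is None or entry[1] != query.get("service", [""])[0]:
                code = "INVALID_TICKET" if entry is None else "INVALID_SERVICE"
                return 200, {}, (f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">'
                                 f'<cas:authenticationFailure code="{code}">rejected'
                                 '</cas:authenticationFailure></cas:serviceResponse>')
            return 200, {}, (f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">'
                             f'<cas:authenticationSuccess><cas:user>{entry[0]}</cas:user>'
                             '</cas:authenticationSuccess></cas:serviceResponse>')
        return 404, {}, ""


def sso_demo(http, cas_base="https://cas.example.test/cas"):
    """One login (one TGT) serves three applications, each with its own ST."""
    tgt = get_tgt(http, cas_base, "angelo", "constructed-password")
    apps = ("https://swing-app.example.test/", "https://vb-app.example.test/",
            "https://web-app.example.test/")
    return {service: validate_st(http, cas_base, service, get_st(http, cas_base, tgt, service))
            for service in apps}
```

Each application validates its own ST with the server rather than trusting anything the other application hands it; replaying an ST, or presenting it to a different service URL than it was issued for, fails validation.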
Can anyone explain at a beginner-intermediate level the terminology of "bus", "transport" and "endpoint" in the context of an enterprise service bus? I'm a C# developer with a few years experience now, but only just starting working with an ESB.
It seems that the "bus" is effectively a queue to which you can send and receive messages. I'm fine with that. However I'm working on some existing code using NServiceBus and I think if I grokked the "endpoint" and "transport" terminology I'd make a massive leap forward in my understanding.
Let me try to clarify those terms for you:
Bus in the context of ESB architecture should not be considered as a simple queue for message dispatching. To allow integration of different services, ESB provides much more. Important additional functionalities of ESB:
Routing. Messages can be routed to different services, depending on message content or endpoint specification.
Message Transformations/Mediations between different formats
Transport protocol conversion. ESB should be able to seamlessly integrate applications that use different transport protocols (JMS, HTTP/S, pure TCP, etc.)
Message enhancement. Messages can be enriched with missing data before further processing.
Security
Management and Monitoring
Those functionalities are provided by services that operate within ESB. Services connect to each other via endpoints - uniform, unique "addresses". Messages dispatched between endpoints use a unified transport (method/protocol that encapsulates the message's payload). Applications that natively use a different transport need to connect to ESB via a suitable adapter - a service that will provide the necessary transport conversion. This way applications that use ESB are decoupled from each other and don't need to provide conversions themselves.
Of course, those are only very brief descriptions of the terms. Remember, Enterprise Service Bus is only a catch-all term for a specific kind of architecture (or concept), but it is not standardized in any way. So specific implementations can be very different from each other.
If you are interested in a standardized ESB, you can take a look at JBI (Java Business Integration). There are several open-source implementations of JBI available, among them Apache ServiceMix, Mule, OpenESB. A very good introduction to ESB technologies is presented in the "Open Source ESBs in Action" book published by Manning.
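To make the three terms concrete, here is an added toy bus (not code from the answer, from NServiceBus or from any ESB product). Endpoints are named handlers registered on the bus; transport adapters turn two different wire formats (JSON over HTTP and a constructed `TYPE|k=v;k=v` line protocol standing in for a legacy TCP feed) into one canonical envelope; an enricher fills in the message-enhancement step; and the router does content-based routing. The message types, endpoint names and the 1000 threshold are constructed for the demo. The audit log the bus keeps is where the "Security" and "Management and Monitoring" items from the list would hook in: every message crosses one chokepoint regardless of how it arrived.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    """Canonical envelope: everything on the bus is normalised to this shape."""
    msg_type: str
    headers: dict
    payload: dict


class Bus:
    """Minimal ESB core: endpoints, message enhancement, content-based routing, audit."""

    def __init__(self):
        self.endpoints: Dict[str, Callable[[Message], None]] = {}
        self.enrichers: List[Callable[[Message], Message]] = []
        self.routes: List[Tuple[Callable[[Message], bool], str]] = []
        self.audit: List[str] = []

    def register_endpoint(self, name, handler):
        """An endpoint is a unique address on the bus bound to a service handler."""
        self.endpoints[name] = handler

    def add_enricher(self, fn):
        self.enrichers.append(fn)

    def add_route(self, predicate, endpoint_name):
        """Routes are evaluated in order; the first matching predicate wins."""
        self.routes.append((predicate, endpoint_name))

    def publish(self, message):
        for fn in self.enrichers:          # message enhancement
            message = fn(message)
        for predicate, name in self.routes:  # content-based routing
            if predicate(message):
                self.audit.append(f"{message.msg_type} via {message.headers['transport']} -> {name}")
                self.endpoints[name](message)
                return name
        raise LookupError(f"no route for {message.msg_type}")


# Transport adapters: each converts one wire protocol into the canonical envelope,
# so services on the bus never see HTTP or the legacy line format directly.

def http_json_adapter(bus, raw_body):
    data = json.loads(raw_body)
    return bus.publish(Message(data["type"], {"transport": "http"}, data["body"]))


def legacy_line_adapter(bus, raw_line):
    """Constructed legacy TCP format: TYPE|key=value;key=value"""
    msg_type, kv = raw_line.strip().split("|", 1)
    payload = dict(item.split("=", 1) for item in kv.split(";") if item)
    return bus.publish(Message(msg_type, {"transport": "tcp"}, payload))


def normalise_amount(message):
    """Enricher: the legacy feed carries strings, HTTP carries numbers; unify them."""
    if "amount" in message.payload:
        message.payload["amount"] = float(message.payload["amount"])
    return message


def build_demo_bus():
    """Wire up three endpoints and the routes between them; returns (bus, delivered)."""
    bus = Bus()
    delivered = {"billing": [], "fraud-review": [], "audit": []}
    for name in delivered:
        bus.register_endpoint(name, lambda m, n=name: delivered[n].append(m))
    bus.add_enricher(normalise_amount)
    bus.add_route(lambda m: m.msg_type == "OrderPlaced" and m.payload["amount"] > 1000, "fraud-review")
    bus.add_route(lambda m: m.msg_type == "OrderPlaced", "billing")
    bus.add_route(lambda m: m.msg_type == "AuditEvent", "audit")
    return bus, delivered


if __name__ == "__main__":
    bus, delivered = build_demo_bus()
    legacy_line_adapter(bus, "OrderPlaced|id=42;amount=1500\n")
    http_json_adapter(bus, '{"type": "OrderPlaced", "body": {"id": 43, "amount": 10}}')
    print("\n".join(bus.audit))
```

The same `OrderPlaced` message reaches the bus over two different transports and is handled identically after the adapter step, which is the decoupling the answer describes; swapping the legacy feed for JMS means writing one more adapter, not touching the billing or fraud-review services.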
I would recommend looking at resources related to Enterprise Application Integration (EAI), which revolves around the ESB and various models and patterns used to integrate solutions. Think of it as the GoF for ESB architectures:
http://www.enterpriseintegrationpatterns.com/
and
http://www.enterpriseintegrationpatterns.com/toc.html
All of these patterns would give you an idea of what people use ESBs to achieve, and the patterns are useful for pointing out common pitfalls of do-it-yourself ESB integration. I've learned an immense amount through that book and through people that source from it.