API authentication with Frends
Frends APIs can use the following kinds of authentication:
None - No authentication at all
Basic - Authenticate with HTTP basic authentication
Certificate - Use a client certificate to authenticate (requires use of HTTP trigger, cannot be used with API Triggers)
API Key - Authenticate with an API Key
OAuth2 - Authenticate using OAuth 2.0 bearer Tokens
Note
We strongly recommend specifying and configuring API operations to accept only HTTPS requests whenever possible, so that API credentials and other request and response data stay protected in transit.
Basic authentication authenticates the user either against Active Directory or against the local users; which one is used depends on the service user the Frends Agent runs as. If the agent runs as a local user account, users are authenticated against the local machine users. If the agent runs as an AD user account, users are authenticated against the AD users. The username and password need to be encoded as UTF-8 before being converted to Base64 for the basic authentication header.
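The UTF-8 requirement matters as soon as a credential contains a non-ASCII character, because a client that Base64-encodes a Latin-1 byte string sends a different header and is rejected. The following Python is an added example, not Frends' own code: it builds the header the way the text describes, decodes it on the receiving side, and compares against a constructed user table with a constant-time check. The `encoding` parameter exists only to show the Latin-1 pitfall; the user table and credentials are made up for the demonstration.

```python
import base64
from hmac import compare_digest


def basic_auth_header(username: str, password: str, encoding: str = "utf-8") -> str:
    """Build the Authorization header value for HTTP Basic authentication.

    Credentials are joined with ':' and encoded (UTF-8 by default, which is what
    the text says a Frends Agent expects) *before* Base64. The 'encoding'
    parameter is here only to show that Latin-1 yields a different header for
    any non-ASCII character.
    """
    raw = f"{username}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Server side: recover (username, password) from an Authorization header.

    Raises ValueError on malformed input. The credential string is split on the
    first ':' only, so passwords that contain ':' survive intact.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authentication header")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed Basic credentials") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in Basic credentials")
    return username, password


def check_credentials(header_value: str, users: dict[str, str]) -> bool:
    """Validate a header against a constructed {username: password} table.

    Demo only: a real deployment authenticates against the Agent's local or AD
    users, as described in the text. The comparison is constant-time so that
    timing does not leak how much of a guessed password matched.
    """
    try:
        username, password = decode_basic_auth(header_value)
    except ValueError:
        return False
    expected = users.get(username)
    if expected is None:
        return False
    return compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed credentials with a non-ASCII password.
    utf8_header = basic_auth_header("bob", "pässwörd")
    latin1_header = basic_auth_header("bob", "pässwörd", encoding="latin-1")
    print("UTF-8  :", utf8_header)
    print("Latin-1:", latin1_header)
    print("accepted (UTF-8) :", check_credentials(utf8_header, {"bob": "pässwörd"}))
    print("accepted (Latin1):", check_credentials(latin1_header, {"bob": "pässwörd"}))
```

Running the block shows the two headers differ and only the UTF-8 one is accepted; the Latin-1 header fails because the server decodes the bytes as UTF-8, which is exactly the mismatch the text warns about.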
Certificate authentication requires that the client certificate is valid for the Frends Agent user on the Agent machine. In addition, the issuer of the certificate needs to be present in the Agent user's Client Authentication Issuers certificate store.
API Key authentication uses an API Key together with a Ruleset to determine whether the client has access to an API URL. More detailed documentation about API Keys can be found in the API Keys article.
OAuth2 uses OAuth bearer tokens from registered OAuth applications to gain access to the API. You need to set an API Access Policy to allow access.
If you use scopes to control access to an API, you need to list the required scopes in the Swagger definition. Note that if you give several scopes to an API Trigger operation, a call goes through if the OAuth token has any one of those scopes.
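The "any of the listed scopes" rule is worth seeing in code, because it means every extra scope on an operation widens who may call it. The Python below is an added example and not part of Frends or its documentation: it reads the scopes an operation requires from a constructed Swagger 2.0 fragment (the `frendsOAuth` security definition, the `/orders` paths and the scope names are all made up), parses a token's space-delimited `scope` claim, and applies the any-of check the text describes. The behaviour for an operation that lists no scopes at all (treated here as unrestricted by scope) is an assumption for the demo, not something the text states.

```python
from typing import Any

# Constructed Swagger 2.0 fragment for the demo (not from the Frends docs).
# One OAuth2 security definition; GET /orders accepts either of two scopes,
# POST /orders requires a single scope, DELETE /orders inherits the top-level
# requirement.
SWAGGER_SAMPLE: dict[str, Any] = {
    "swagger": "2.0",
    "securityDefinitions": {
        "frendsOAuth": {
            "type": "oauth2",
            "flow": "implicit",
            "authorizationUrl": "https://idp.example.invalid/authorize",
            "scopes": {
                "orders:read": "Read orders",
                "orders:write": "Create or modify orders",
                "admin": "Full access",
            },
        }
    },
    "security": [{"frendsOAuth": ["admin"]}],
    "paths": {
        "/orders": {
            "get": {"security": [{"frendsOAuth": ["orders:read", "orders:write"]}]},
            "post": {"security": [{"frendsOAuth": ["orders:write"]}]},
            "delete": {},
        }
    },
}


def required_scopes_for(swagger: dict[str, Any], path: str, method: str) -> list[str]:
    """Collect the OAuth2 scopes listed for one operation in a Swagger 2.0 document.

    An operation-level 'security' list overrides the top-level one (per the
    Swagger 2.0 spec); only schemes whose securityDefinition is of type oauth2
    contribute scopes.
    """
    operation = swagger["paths"][path][method.lower()]
    requirements = operation.get("security", swagger.get("security", []))
    oauth_schemes = {
        name
        for name, definition in swagger.get("securityDefinitions", {}).items()
        if definition.get("type") == "oauth2"
    }
    scopes: list[str] = []
    for requirement in requirements:
        for scheme, scope_list in requirement.items():
            if scheme in oauth_schemes:
                scopes.extend(scope_list)
    return scopes


def parse_scope_claim(scope_claim: str) -> set[str]:
    """Split a space-delimited OAuth 2.0 'scope' value (RFC 6749 section 3.3)."""
    return {s for s in scope_claim.split(" ") if s}


def operation_permits(token_scopes: set[str], required_scopes: list[str]) -> bool:
    """Any-of check as described in the text: one matching scope is enough.

    Assumption for the demo: an operation with no scopes listed is not
    restricted by scope at all.
    """
    if not required_scopes:
        return True
    return any(scope in token_scopes for scope in required_scopes)


if __name__ == "__main__":
    # Constructed token scope claims; no signature handling is shown here,
    # the token is assumed to have been validated already.
    for claim in ("orders:read", "orders:write", "profile", "admin"):
        granted = parse_scope_claim(claim)
        for method in ("GET", "POST", "DELETE"):
            needed = required_scopes_for(SWAGGER_SAMPLE, "/orders", method)
            print(f"scope={claim!r:16} {method:6} /orders needs {needed} ->",
                  operation_permits(granted, needed))
```

The printout makes the widening visible: a token carrying only `orders:read` can call GET /orders because that operation lists two scopes, whereas POST /orders, which lists one, rejects it. Keep each operation's scope list as short as the operation really needs.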
You will learn more about OAuth in the course Building Frends APIs - OAuth.
The next article is Introduction to API Trigger