API authorization
Authorization Process flow chart diagram
API Maker has defined the authorization settings based on API categories. The main API categories are,
- Instance API access settings
- Third party API access settings
- System API access settings
- Custom API access settings
- Secret access settings
Here, we discuss all the APIs authorization settings in details.
Instance API access settings
At the instance, user can define the access settings in three different level.
If the access settings are not provided it will check for the default access settings in secret.
There are two possible values of apiAccessType.
- When you set
IS_PUBLIC
this API should be publicly available. - When you set
TOKEN_ACCESS
this API should require a token to access. - Provide API User token in the
x-am-authorization
header.
Third party API access settings
User can define the API access settings at API and API Version level.
- When users provide access settings at the API level, it should be applied only to that particular API.
- The access settings provided at the API version level should apply to all APIs available in that API version.
If the access settings are not provided it will check for the default access settings in secret.
- When you set
IS_PUBLIC
this API should be publicly available. - When you set
TOKEN_ACCESS
this API should require a token to access.
System API access settings
API Maker user can set the authorization settings in each of the system API.
If the access settings are not provided it will check for the default access settings in secret.
- When you set
IS_PUBLIC
this API should be publicly available. - When you set
TOKEN_ACCESS
this API should require a token to access.
Custom API access settings
Every custom API has the settings in which users can define the authorization. You can provide 'authTokenInfo' in the settings.
If the access settings are not provided it will check for the default access settings in secret.
- When you set
IS_PUBLIC
this API should be publicly available. - When you set
TOKEN_ACCESS
this API should require a token to
Secret access settings
All the above APIs does not have access settings it will check access setting of the default secret. If the access setting is available in the secret it will apply in that APIs.
- If there authTokenInfo is provided then in the common object of the secret, in every API user needs to provide the required token until it's not overridden.
- You can define the authTokenAM, authTokenAMDB and AWS, Azure, Google authorization details in the 'authTokenInfo'.
- API Maker users can also define the required token objects as we define in the above code AWS Token, Azure token, Google token which can be use in single-sign-on.
Database user authorization
- When it required to provide database user authorization you can set the below code in the setting.
- If the code is set in the default secret it's token required in every instance APIs.
authTokenInfo: <T.IAuthTokenInfo[]>[
{
authTokenType: T.EAuthTokenType.AM_DB,
authTokenAMDB: {
"instance": "INSTANCE_NAME",
"database": "DATABASE_NAME",
"collection": "COLLECTION_NAME",
"usernameColumn": "USER_NAME_COLUMN",
"passwordColumn": "USER_PASSWORD_COLUMN"
}
}
],
AWS authorization
To get the value of request header x-aws-authorization
, use g.req.auth.authAWS
.
The auth AWS code provide in the settings.
Sample object
{
"authTokenType": "AWS",
"authTokenAWS": {
"cognitoUserPoolId": "POOL_ID",
"region": "YOUR_REGION",
"tokenExpiration": 200,
"tokenUse": "access",
"sourceFieldOfUniqueId": "__TOKEN_OBJECT_FIELD_NAME__",
"groupsDataSource": {
"instance": "INSTANCE_NAME",
"database": "DATABASE_NAME",
"table": "COLLECTION_NAME",
"targetFieldForUniqueId": "UNIQUE_COLUMN_NAME",
"groupsColumn": "COMMA_SEPARATED_GROUPS",
"select": {
"COLUMN_NAME1": 1,
"COLUMN_NAME2": 1
}
}
}
}
- You will get 'cognitoUserPoolId', 'region' data are from the AWS.
- The 'sourceFieldOfUniqueId' is the field name which you will get after opening AWS token, mostly it holds user email address.
- Provide the groups name comma separated in the 'groupsColumn' field and provide the 'instance', 'database', 'table' from which that 'groupsColumn' exist.
- The 'targetFieldForUniqueId' is your database field which contains the exact same value as the 'sourceFieldOfUniqueId' has.
- In 'select' you can define the column name which you want to get in the response.
Azure authorization
- To get the value of request header
x-azure-authorization
, useg.req.auth.authAzure
.
Sample object
{
"authTokenType": "AZURE",
"authTokenAzureAD": {
"appId": "__CLIENT_ID__",
"tenant": "__TENANT_ID__",
"audience": "",
"issuer": "",
"sourceFieldOfUniqueId": "__TOKEN_OBJECT_FIELD_NAME__",
"groupsDataSource": {
"instance": "INSTANCE_NAME",
"database": "DATABASE_NAME",
"table": "COLLECTION_NAME",
"targetFieldForUniqueId": "UNIQUE_COLUMN_NAME",
"groupsColumn": "COMMA_SEPARATED_GROUPS",
"select": {
"COLUMN_NAME1": 1,
"COLUMN_NAME2": 1
}
}
}
}
- You will get 'appId', 'tenant', 'audience' and 'issuer' data are from the Azure.
- The 'sourceFieldOfUniqueId' is the field name which you will get after opening Azure token, mostly it will be "preferred_username" because it holds user email address.
- Provide the groups name comma separated in the 'groupsColumn' field and provide the 'instance', 'database', 'table' from which that 'groupsColumn' exist.
- The 'targetFieldForUniqueId' is your database field which contains the exact same value as the 'sourceFieldOfUniqueId' has.
- In 'select' you can define the column name which you want to get in the response.
Google authorization
To get the value of request header x-google-authorization
, use g.req.auth.authGoogle
.
Sample object
{
"authTokenType": "GOOGLE",
"authTokenGoogle": {
"clientId": "YOUR_CLIENT_ID",
"sourceFieldOfUniqueId": "__TOKEN_OBJECT_FIELD_NAME__",
"groupsDataSource": {
"instance": "INSTANCE_NAME",
"database": "DATABASE_NAME",
"table": "COLLECTION_NAME",
"targetFieldForUniqueId": "UNIQUE_COLUMN_NAME",
"groupsColumn": "COMMA_SEPARATED_GROUPS",
"select": {
"COLUMN_NAME1": 1,
"COLUMN_NAME2": 1
}
}
}
}
- You will get 'clientId' data are from the Google.
- The 'sourceFieldOfUniqueId' is the field name which you will get after opening Google token, mostly it holds user email address.
- Provide the groups name comma separated in the 'groupsColumn' field and provide the 'instance', 'database', 'table' from which that 'groupsColumn' exist.
- The 'targetFieldForUniqueId' is your database field which contains the exact same value as the 'sourceFieldOfUniqueId' has.
- In 'select' you can define the column name which you want to get in the response.