webMethods


How to restrict access to different resources in a restful API to consumers?

  • 1.  How to restrict access to different resources in a restful API to consumers?

    Posted Tue February 27, 2024 09:40 AM

    If I have a restful API with 2 resources in an API -

    • POST /r1
    • PATCH /r2

    The API is protected with x-Gateway-APIKey request header.

    Consumer 1 is allowed to access only /r1, and consumer 2 is allowed to access only /r2.
    How to achieve the same?
    With OAuth, I can restrict the consumers with scoping, however the API is to be protected only with x-Gateway-APIKey request header.

    Please suggest.


    #REST
    #webMethods
    #API
    #authorization
    #apigateway
    #authentication


  • 2.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 04:32 AM

    Hi @mofarhan,
    As you said, this can be easily achieved using OAuth scopes.

    The other option I could think of is to create a scope for each resource.
    Under each scope, use the Identify and Authorize policy.
    Under the authorize policy, we should use the API key and header name to authenticate the request.

    In my use case I created an application, and inside the application we have 2 headers, one for each resource.

    And now when I am invoking the request, I am passing the header as well as the API key.
    And this should get validated.

    I am attaching the sample API along with the application for your reference.
    WorkflowAPI.zip (13.3 KB)
    WorkFlowApplication.zip (12.7 KB)

    Curl command used for testing the API (straight quotes and double-dash options, so it can be pasted as-is):
    curl --location --request POST 'http://replaceWithTenantName/gateway/WorkflowAPI/1.0/2mEU92D7mY' \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --header 'x-Gateway-APIKey: c31bc8ba-1299-4034-badf-1c118abaa786' \
      --header 'CustomerResourceID: 11223344'

    Let me know if this solves your use case problem.

    Regards
    Vikash Sharma


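A small model of the per-scope check described in the reply above, added here as an illustrative example (not API Gateway's own policy code): each scope maps to one resource, and a request is allowed only when the API key identifies an application that is registered for that scope and the CustomerResourceID header matches the value registered for it. Scope names, the application keys and the second CustomerResourceID value are constructed; requests that match no scope are denied (fail closed).

```python
import hmac

# Constructed scope table: scope name -> (HTTP method, path), one scope per resource.
SCOPES = {
    "r1-scope": ("POST", "/r1"),
    "r2-scope": ("PATCH", "/r2"),
}

# Constructed application registry: API key -> {scope: expected CustomerResourceID}.
# Consumer 1 is registered only for /r1, consumer 2 only for /r2.
APPLICATIONS = {
    "key-consumer-1": {"r1-scope": "11223344"},
    "key-consumer-2": {"r2-scope": "55667788"},
}


def match_scope(method, path):
    """Return the scope whose resource matches this method and path, else None."""
    for scope, (m, p) in SCOPES.items():
        if m == method.upper() and p == path:
            return scope
    return None


def authorize(method, path, headers):
    """Evaluate the identify-and-authorize check; returns (allowed, reason)."""
    # Header names are case-insensitive; strip stray whitespace from values.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    scope = match_scope(method, path)
    if scope is None:
        return False, "no scope matches resource"          # fail closed
    app = APPLICATIONS.get(h.get("x-gateway-apikey", ""))
    if app is None:
        return False, "unknown API key"
    expected = app.get(scope)
    if expected is None:
        return False, f"application not authorized for {scope}"
    # Constant-time compare of the per-resource header value.
    if not hmac.compare_digest(h.get("customerresourceid", ""), expected):
        return False, "CustomerResourceID missing or wrong for scope"
    return True, scope


if __name__ == "__main__":
    req = {"x-Gateway-APIKey": "key-consumer-1", "CustomerResourceID": "11223344"}
    print(authorize("POST", "/r1", req))    # (True, 'r1-scope')
    print(authorize("PATCH", "/r2", req))   # (False, 'application not authorized for r2-scope')
```

Without the per-scope split, an API-level key check alone would let either consumer call both resources, which is the problem the original question raises.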


  • 3.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 05:26 AM

    @Vikash_Sharma1 Thanks. Let me go through your solution. However, the product version I use is 10.7 and I am not able to import the same. I get this error - Importing an archive failed.
    The selected archive is not supported by this API Gateway version. The archive was exported from API Gateway version: 11.0. If possible, please export them using a lower version.




  • 4.  RE: How to restrict access to different resources in a restful API to consumers?



  • 5.  RE: How to restrict access to different resources in a restful API to consumers?

    Posted Wed February 28, 2024 06:32 AM

    Great. Crystal clear. Thanks for your support each time.

