Version: ACE 5

Secure Dynamic APIs

Deprecated

The Secured API feature has been disabled since ACE version 24.4.

The recommended way to secure Dynamic APIs is described on the Security page.

The approach below requires configuring the ACE orchestration service and each individual API operation.

Configuring API

By default, APIs are available anonymously. To turn on authentication, check the Secured option on the Dynamic API screen.

After this, follow the steps below to configure the runtime service.

Configuring ACE runtime

The following environment variables must be set in the Designer runtime service for authentication to work:

  • DYNAMIC_API_AUTH_STRATEGY - possible value: bearer
  • DYNAMIC_API_KEYCLOAK_REALM - Keycloak realm
  • DYNAMIC_API_KEYCLOAK_AUTH_SERVER_URL - Keycloak server URL, for example https://keycloak.mysite.com
note

For Keycloak versions below 17, the auth URL must have the /auth suffix: https://<Your hostname>/auth

Example configuration:

DYNAMIC_API_AUTH_STRATEGY=bearer
DYNAMIC_API_KEYCLOAK_AUTH_SERVER_URL=http://localhost:8282
DYNAMIC_API_KEYCLOAK_REALM=ACE

Restart the service after these environment variables are set.
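
A pre-restart check of the three variables above, as an added example (not ACE's own code). The function name and the keycloak_major parameter are hypothetical, and the discovery URL it returns is Keycloak's standard OpenID Connect endpoint, which you can request to confirm the server URL and realm resolve; how ACE itself composes that URL is not stated on this page.

```python
import ipaddress
from urllib.parse import quote, urlsplit

REQUIRED = ("DYNAMIC_API_AUTH_STRATEGY", "DYNAMIC_API_KEYCLOAK_REALM",
            "DYNAMIC_API_KEYCLOAK_AUTH_SERVER_URL")

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def check_dynamic_api_env(env, keycloak_major):
    """Return (problems, discovery_url) for the variables listed on this page.

    keycloak_major is supplied by the caller (hypothetical parameter); the
    discovery path is Keycloak's standard OIDC endpoint, not an ACE API.
    """
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if problems:
        return problems, None
    if env["DYNAMIC_API_AUTH_STRATEGY"] != "bearer":
        problems.append("DYNAMIC_API_AUTH_STRATEGY must be 'bearer'")
    base = env["DYNAMIC_API_KEYCLOAK_AUTH_SERVER_URL"].rstrip("/")
    url = urlsplit(base)
    if url.scheme not in ("http", "https") or not url.hostname:
        return problems + ["auth server URL is not an http(s) URL"], None
    if url.scheme == "http" and not _is_loopback(url.hostname):
        problems.append("auth server URL uses plain http for a non-loopback host")
    if keycloak_major < 17 and not url.path.endswith("/auth"):
        problems.append("Keycloak below 17 needs the /auth suffix")
    realm = quote(env["DYNAMIC_API_KEYCLOAK_REALM"], safe="")
    return problems, f"{base}/realms/{realm}/.well-known/openid-configuration"

if __name__ == "__main__":
    # Constructed sample: the page's example values, checked against Keycloak 16.
    sample = {"DYNAMIC_API_AUTH_STRATEGY": "bearer",
              "DYNAMIC_API_KEYCLOAK_AUTH_SERVER_URL": "http://localhost:8282",
              "DYNAMIC_API_KEYCLOAK_REALM": "ACE"}
    print(check_dynamic_api_env(sample, keycloak_major=16))
```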

How to test the secured API feature

note

CORS configuration issues are common here. Check that the Authorization header and the Keycloak host are allowed in the CORS headers.

Step 1: Select the secured API you want to execute and click "TRY IT OUT". You will see an Authorize button on the "Try it out" screen.

Step 2: Click the Authorize button and a popup will open. Enter the access token generated from the Keycloak server and press "Authorize".

To learn how to generate a token from the Keycloak server, see the Keycloak User token documentation.

Step 3: Execute the API as usual. In the curl command you should see the token passed in the Authorization header.

The API call succeeds if the access token is valid; otherwise it fails with a 401 status code.