REST API calls and authorization

How does one manage the authorization of their API calls (i.e. passwords etc)?


Are you talking about outgoing calls? In this case, I can give you an explanation regarding M7899 and M10074.

If you are talking about incoming calls for REST endpoints or REST processes @Joost can probably give you the required information.

For REST end point, authentication can be set for each individual end point. It works the same both for REST Data Definitions (GET requests to read data) and REST Processes (for calling processes and modifying data).

It can be found at More > Authentication.


There are three levels of Authentication that all have different functionality and needs.

  1. Service authentication
  2. Website user authentication
  3. CORS Headers

Service authentication for Novulo REST End points

Service authentication is the primary layer of authentication.
It defines how any user that has access to the URL of the end point can access the end point.

There are two options (as of April 2024).

  1. Basic
  2. Impersonation

Basic authentication for REST endpoints

Basic Authentication is used for HTTP Basic access Authentication using a Novulo username and password - the same as you log on with.

Please note that it must be a username and password stored in the application you are accessing - it is not linked to SSO access.

The REST End point is then executed with the Rights Profile linked to that user. As the REST End point does not have a GUI, it means that only database rights are used. It means that the end point will not return data or will not be able to modify data if the user has no database rights.

Impersonation for REST endpoints

Impersonation makes end points publicly available without authentication. The user provided here is the user that is used in Novulo to execute the end point requests. This is, just like with basic authentication, linked to the rights profile.

Website user authentication

Website user authentication is a second layer of authentication, which is used to provide a Website user with the end point, using Novulo M5167. Website users are designed to be used for your customers and suppliers who are using your website; it is not the same type as a Novulo user.

This is typically used for “My website”-environments. Here, the token stored by the Website user is provided as a Bearer token in the header UserAuthorization.

When provided, a parameter %website_user becomes available in the context of the REST Definition. This allows you, as an End point developer, to filter out data linked to the contact of this specific Website user. For example, to show order history for a specific customer.

It works together with the Service authentication. Service authentication is the strongest and effectively restricts data access. Website user authentication is used on top to distinguish users.

CORS Headers

Cross-origin resource sharing (CORS) is not authentication in the way that it effectively controls access, but it can be used to specify headers which are recognized by all common web browsers.

Entering hosts that may access the end points will then provide the headers, which can also be seen in Postman, but it will not prevent anyone from accessing your end point.

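As an added example (not Novulo's code; the server side is a hypothetical model), here is a small Python sketch of the two layers described in the post above: the client builds the Basic and UserAuthorization headers, and the server-side check shows that the service layer fixes the rights profile while the website-user token only supplies %website_user. The user table, token and rights-profile name are constructed.

```python
import base64
import hmac
from typing import Optional

# Constructed sample data, not Novulo's: a Novulo user with its rights profile
# (service authentication) and a website-user token (website user authentication).
NOVULO_USERS = {"api.reader": ("s3cret", "orders-read-only")}
WEBSITE_USER_TOKENS = {"tok-4711": "contact:C-1001"}


def build_headers(username: str, password: str,
                  website_user_token: Optional[str] = None) -> dict:
    """Client side: HTTP Basic (base64 only, so TLS is what keeps it secret)
    plus the optional website-user bearer token in UserAuthorization."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}"}
    if website_user_token:
        headers["UserAuthorization"] = f"Bearer {website_user_token}"
    return headers


def resolve_request(headers: dict, service_auth: str = "basic",
                    impersonated_user: Optional[str] = None) -> dict:
    """Server-side model (hypothetical, not Novulo's code): the service layer
    decides which Novulo user, hence which rights profile, the end point runs
    as; the website-user layer only adds %website_user and never widens access."""
    if service_auth == "impersonation":
        username = impersonated_user          # public end point, nothing checked
    else:
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic" or not value:
            return {"status": 401, "reason": "missing Basic credentials"}
        try:
            username, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return {"status": 401, "reason": "malformed Basic credentials"}
        stored = NOVULO_USERS.get(username, ("", ""))[0]
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return {"status": 401, "reason": "bad username or password"}
    if username not in NOVULO_USERS:
        return {"status": 401, "reason": "no such Novulo user"}
    ctx = {"status": 200, "rights_profile": NOVULO_USERS[username][1],
           "website_user": None}
    scheme, _, token = headers.get("UserAuthorization", "").partition(" ")
    if scheme == "Bearer" and token:
        if token not in WEBSITE_USER_TOKENS:
            return {"status": 401, "reason": "unknown website user token"}
        ctx["website_user"] = WEBSITE_USER_TOKENS[token]  # the %website_user value
    return ctx
```

Note that a request carrying only the UserAuthorization header is rejected: the website-user token distinguishes customers but cannot stand in for the service layer.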

Thank you for your explanation! It is very helpful. I’m also noticing that the default value for authentication can be changed from impersonation to basic in the application I’m working in. So now, every time I make a new endpoint, the authentication is set to basic. How could I have changed the default setting myself?

Hi Mila, you can’t.
Authentication is Basic by default to prevent you from accidentally creating an end point with Impersonation.
Typically, Impersonation is a very active choice as you provide an end point open to the world. Given that creating end points is just configuration, this will not be changed.