Security REST API
The security service was designed to be API first:
- All operations are exposed through the API
- All APIs are documented with OpenAPI (Swagger)
API organisation
The API is organised into two main URL prefixes and four OpenAPI specifications.
URLs
API resources live under either the Authentication or the Authorization URL prefix. Those names are no longer accurate, as the API has evolved: originally the idea was to use Authentication for internal usage by the Authentication Web Service, and Authorization for managing the authorization and users domains. This has since changed slightly, and the prefixes should now be read as:
- Private API resources are under Authentication URLs. Security is based on an API key.
- Public API resources are under Authorization URLs. They offer operations for managing all domains. Security is based on OAuth2 (authorization code or client credentials grant types).
OpenAPI Specifications
Authentication
URLs defined under the Authentication prefix. As mentioned above, this is an internal set of resources providing service to the Authentication Web Service. Security is based on an API key.
Authorization
URLs defined under the Authorization prefix. As mentioned above, this is the public set of resources providing full access to and management of all domains (authentication is only partially offered here). Security is based on OAuth2 (authorization code or client credentials grant types).
DataExchange
URLs defined under the Authorization prefix. This is the public set of resources providing data exchange operations: export, import, trigger sync, entity bulk inserts and LDAP sync.
HealthCheck
Resource defined at /health. It is the public health check endpoint: it can be accessed without credentials, in which case only the current overall state is returned, without details. When called passing the healthcheck-apikey, or with an authenticated user, the response contains a detailed report of all checks performed and their state. This endpoint is developed with Sequel.Core.HealthCheck.