Inbound REST endpoint restricted to OAuth Authentication

James Proske
Kilo Expert

I am having difficulties understanding OAuth for inbound REST requests. I believe I understand the value of OAuth but must be missing a concept or configuration.

I started with a scripted REST API using basic authentication. This is for a system-to-system interface, and our internal security requires that only a single user profile be able to access this endpoint. To that end we set up an ACL and required the resource to use that ACL, which was granted to the single user profile. This works as advertised, as no account other than the one with that ACL (associated through a role) is able to use the endpoint.

What I do not understand is how to constrain my scripted REST API to require OAuth for authentication and not permit basic authentication. I can create an OAuth API endpoint. It requires my username and password to obtain the tokens (refresh and access). The tokens are then used in the header for the REST POST to my endpoint. My questions are:

Are the issued tokens somehow associated with the user that obtained the access token? How/where is this related? I can see, by getting tokens as different people, that each request uses the proper authentication. What I cannot see is which token goes with which user profile. It sounds like, from a security perspective, I should be able to see this.

What stops the use of basic authentication? As the user, I can still consume the service using basic authentication. Is this normal?

Thanks.

1 ACCEPTED SOLUTION

I agree with you.

An OAuth incoming request will have an Authorization header with a Bearer token (basically the access token prefixed with the word Bearer). Below is an example:

Authorization: Bearer 2Bbl7miNvmzQbqCXYunzTzyfLCW8CSAX4V_

A Basic Authentication request will have an Authorization header that begins with the word "Basic". Below is an example:

Authorization: Basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy

I don't know how to tackle this situation if you are using OOB Table APIs, but if you are using a Scripted REST API for inbound requests, then in the script part of the Scripted REST API Resource put in the below lines of code to restrict Basic Authentication:
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {

    // The platform has already authenticated the caller before this script
    // runs; this check only stops the resource body from executing.
    var authHeader = request.headers.authorization || '';
    // Match the scheme at the start of the header, case-insensitively
    // (RFC 7235), rather than any occurrence of "Basic" in the value.
    if (/^\s*basic\s/i.test(authHeader)) {
        response.setStatus(401);
        response.setHeader('WWW-Authenticate', 'Bearer');
        response.setBody({ "response": "Basic Authentication is not supported" });
        return;
    }
    var requestBody = request.body;
    var requestData = requestBody.data;
    // Your code continues .......

})(request, response);

Hope this answer will at least help you achieve some of your requirements.

Thank you,

Aman Gurram

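As an added example (not code from the original post or from ServiceNow), here is the accepted answer's idea rewritten as an allow-list on the Authorization scheme, with the rejection sent as a 401 plus a WWW-Authenticate challenge rather than a 200 whose body says "not supported". The only platform behaviour it assumes is that the header is readable as request.headers.authorization (the same access the answer uses) and that the response object offers setStatus, setHeader and setBody, as RESTAPIResponse does; processRequest, makeResponse and the sample requests are stand-ins constructed here so the check runs and can be tested under Node. One caveat worth stating plainly: by the time a scripted REST resource runs, the platform has already accepted the Basic credentials, so a check like this guards the resource body only and does not stop the platform from validating a password in the first place. Enforcing the scheme at the authentication layer, as the API access policy reply later in this thread describes, is the stronger control.

```javascript
// Added example for this thread; not code from the original post or ServiceNow.
// Written as plain ES5 functions so it runs both in Node and in a Rhino-era
// scripted REST resource. Only setStatus/setHeader/setBody are assumed on the
// response object. Every sample request below is constructed for this example.

var TCHAR = "[A-Za-z0-9!#$%&'*+\\-.^_`|~]+";
// RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
var CREDENTIALS_RE = new RegExp("^\\s*(" + TCHAR + ")\\s+(\\S.*)?$");

// Split an Authorization header into its scheme and the remainder.
// Returns null when the header is missing or malformed.
function parseAuthScheme(header) {
  if (typeof header !== "string") return null;
  var m = CREDENTIALS_RE.exec(header);
  if (!m) return null;
  // Scheme names are case-insensitive, so "basic" and "BASIC" normalise to "basic".
  return { scheme: m[1].toLowerCase(), credentials: m[2] || "" };
}

// Allow-list the one scheme the endpoint accepts instead of block-listing "Basic":
// a deny check using indexOf("Basic") misses a lower-case "basic" scheme and
// wrongly rejects a valid Bearer token that happens to contain the substring.
function enforceBearerOnly(request, response) {
  var parsed = parseAuthScheme(request.headers.authorization);
  if (parsed && parsed.scheme === "bearer" && parsed.credentials.length > 0) {
    return true;
  }
  // Reject with 401 and a challenge naming the accepted scheme (RFC 6750 section 3).
  response.setStatus(401);
  response.setHeader("WWW-Authenticate", 'Bearer realm="scripted-rest", error="invalid_request"');
  response.setBody({ error: "This endpoint accepts OAuth 2.0 Bearer tokens only" });
  return false;
}

// Stand-in for the body of the platform's (function process(request, response) { ... }).
function processRequest(request, response) {
  if (!enforceBearerOnly(request, response)) {
    return false;            // 401 already written; the handler body never runs
  }
  response.setStatus(200);   // the real handler would read request.body.data here
  response.setBody({ ok: true });
  return true;
}

// Minimal RESTAPIResponse stand-in that records what the handler wrote.
function makeResponse() {
  var r = { status: 200, headers: {}, body: null };
  r.setStatus = function (s) { r.status = s; };
  r.setHeader = function (k, v) { r.headers[k] = v; };
  r.setBody = function (b) { r.body = b; };
  return r;
}

// Constructed sample requests; the first two header values are the ones quoted
// in the accepted answer above.
var SAMPLE_REQUESTS = {
  bearer:       { headers: { authorization: "Bearer 2Bbl7miNvmzQbqCXYunzTzyfLCW8CSAX4V_" } },
  basic:        { headers: { authorization: "Basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy" } },
  basicLower:   { headers: { authorization: "basic QXZhdHVyZVN1cHBvcnRVc2VyOmF2YXR1cmVfMTVVc2Vy" } },
  bearerWithBasicSubstring: { headers: { authorization: "Bearer aaBasicbb.cc" } },
  bearerEmpty:  { headers: { authorization: "Bearer " } },
  none:         { headers: {} }
};

// Run one sample through the handler and report what the caller would see.
function runSample(name) {
  var response = makeResponse();
  var allowed = processRequest(SAMPLE_REQUESTS[name], response);
  return {
    allowed: allowed,
    status: response.status,
    challenge: response.headers["WWW-Authenticate"] || null
  };
}

Object.keys(SAMPLE_REQUESTS).forEach(function (name) {
  console.log(name, JSON.stringify(runSample(name)));
});
```

Running it under Node prints one line per sample; only the two Bearer requests with a non-empty token reach the 200 branch, while the Basic requests in either case, the empty Bearer header and the missing header all get the 401 with the Bearer challenge.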

7 REPLIES

Hi @James Proske 

Did you get any official answers from SN about this?


ARG645
Tera Guru

I wrote a new article on this topic.

Restrict an endpoint from Basic Authentication 

Randheer Singh
ServiceNow Employee

Hi All, I understand that this is an old thread, but I am putting this below to ensure anyone looking at this thread gets the latest update.

There is a platform-provided capability to enforce a specific authentication method for an API.

Please check the API access policy feature. 

 

You have to install the REST API Access Policy plugin (com.glide.rest.policyplugin). While creating the authentication profile for the API access policy, you can choose the authentication method (Basic Auth, ID Token, Certificate-based Auth, or OAuth). You can optionally also add a policy in the profile to enforce IP/location restrictions.

My esteemed colleague @Jason Nichols has created this awesome video series on YouTube for scripted REST APIs. This series also includes the API access policy feature.

[video]


Thanks,

Randheer