Question

IO Runtime Rest API Authentication

Forum|Forum|1 year ago
February 3, 2025
3 replies
1217 views

How can we structure authentication to securely allow multiple clients to access a REST API (following the documentation at https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/)?

Example Swagger file:

{
    "basePath": "/v2",
    "paths": {
      "/ims-validation-endpoint": {
        "get": {
          "operationId": "your-namespaces/default/my-require-gw-validation-web-action.json",
          "security": [
            {
              "clientids_auth": []
            }
          ]
        }
      }
    },
    "securityDefinitions": {
        "clientids_auth": {
          "type": "oauth2",
          "authorizationUrl": "",
          "flow": "implicit",
          "scopes": {
            "write:pets": "modify pets in your account",
            "read:pets": "read your pets"
          },
          "x-client-ids": ["zookeeper", "dogwalker"]
        }
    }
}

Specifically, I have the following questions:

- Where in the Adobe Developer Console (Dashboard) can we define client IDs and scopes defined in the above Swagger.json? Do we need to create a new app for each client to generate a client ID?

- How do we generate the ims_access_token after obtaining the client IDs?

Additionally, I have some clarifications:

- Are "clientids_auth" and "x-client-ids" the same?

- How can I push the Swagger configuration file to the Adobe App Builder?

Thanks

Adobe Developer

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

tmj

Adobe Employee

Hello, I believe you've posted duplicate questions - https://experienceleaguecommunities.adobe.com/t5/app-builder-questions/io-runtime-rest-api-authentication/m-p/734812#M171

M

mgoberling-adobe

Adobe Employee

1. A new client ID will be made for you when you create a new oauth credential in the developer console. The client ID can be found and copied when looking at the credential's detail page

2. For testing, you can generate a token in the developer console. For generating one in code, specifically NodeJS, you can use the getAccessToken function of aio-lib-ims: https://github.com/adobe/aio-lib-ims/blob/master/src/ims.js#L343. All the values needed for this function can be found on the credential detail page in the developer console

3. "clientids_auth" is the name of the security definition. This is used to apply the definition to a path as seen at the top of the example you provided. This can be anything you want. "x-client-ids" is the specific security definition property Runtime uses to determine which clients are allowed, you must use this property name to specify allowed clients.

4. See here for creating runtime APIs using swagger files: https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/#using-swagger-files

S

SalamDaAuthor

Thanks @mgoberling-adobe

I was wondering if there is a way we can create multiple sets of oAuth credentials outside the context of integration with a specific API in a workspace.

tmj

Adobe Employee

Hello, I took another look at the question. The client ids mentioned in the linked doc are not the same client ids you get from the Developer Console. I believe putting the clients in the spec will provision them, and you can simply start using them. Could you try?

S

SalamDaAuthor

Hi @tmj

"app.config.yaml"

And the swagger file:

{
  "basePath": "/v1",
  "info": {
    "title": "get-pets",
    "version": "1.0.0"
  },
  "paths": {
    "/pets": {
      "get": {
        "operationId": "35582-commerce1app-development/runtime-app/get-pets.http",
        "security": [
          {
            "clientids_auth": []
          }
        ],
        "responses": {
          "default": {
            "description": "Default response"
          }
        },
        "x-openwhisk": {
          "action": "get-pets.http",
          "namespace": "35582-commerce1app-development",
          "package": "runtime-app",
          "url": "not-used"
        }
      }
    }
  },
  "securityDefinitions": {
    "bearerAuth": {
      "type": "apiKey",
      "name": "Authorization",
      "in": "header"
    },
    "clientids_auth": {
      "type": "oauth2",
      "authorizationUrl": "",
      "flow": "implicit",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      },
      "x-client-ids": [
        "client_id_123",
        "client_id_456"
      ]
    }
  },
  "swagger": "2.0"
}

For deployment:

aio app deploy

When I requested the API endpoint without authentication in the header, it returned a 200 status. It executed the action normally, so the "require-gw-validation" was not applied to the endpoint.

GET /apis/35566-commerceapp-development/v1/pets HTTP/1.1

I am unsure if there is another way to force the deployment of the Swagger setting to the Runtime action. Also, How can I generate the access token for the endpoint above, including the scopes: "write:pets" and "read:pets"?

Thanks

K

kopylova

Adobe Employee

I don't see the apis being deployed as shown above. There is no "security" definition in what is deployed. Are you sure you deployed the api definitions? See https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/#using-swagger-files for the process.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded