Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

How to authenticate AEM APIs?

Avatar

Level 4
 

We are using AEM as content service and exporting AEM content into mobile application. For example below api will be used in mobile application and Mobile application will build the presentation layer.

 

/content/we-retail/us/en/products/women/shirts/jcr:content/root/content-tile.model.json

 

Here I basically want to authenticate AEM API before I serve the json response. In essence, I want to only accept requests from mobile applications. I should the request If anyone else calls AEM. Can anyone tell me what are ways we can protect the AEM APIs

1 Accepted Solution

Avatar

Correct answer by
Level 7

Ideally there should not be performance hit but planning performance testing would give a clear picture. I don't think it can be controlled at dispatcher level as Authorization would be happening in AEM i.e. the last point mentioned in my previous comment screenshot. 

View solution in original post

5 Replies

Avatar

Level 4

Thanks for your response. I think JWT seems looks in my case, as it involves system to system authentication. Do you have any reference on this works in AEM model java class?

 

Question - Seems every request hit publish to verify the access code and token code. Is this hit performance ? Can we manage this at dispatcher level ?

Avatar

Correct answer by
Level 7

Ideally there should not be performance hit but planning performance testing would give a clear picture. I don't think it can be controlled at dispatcher level as Authorization would be happening in AEM i.e. the last point mentioned in my previous comment screenshot. 

Avatar

Level 4

I find this question very interesting, its a basic requirement and has various options.

 

Few cents from my side based on your use case:

  • Do you need to export user specific content from AEM publish? For example, user profile details, user orders, etc.
    If you do need to export user specific from AEM, then Token auth (OAuth2) is the way to go. This is the same auth mechanism mentioned by @sachinarora. Here's Adobe docs with videos explaining how to implement it: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/a...

  • Do you need to export only public content from AEM? For example, content meant for public consumption such as website images, content fragments, etc. If you need to export only public content from AEM, then I would ask if authentication is needed at all since the content is exposed to public anyway?

  • The above points are based on the assumption that you are exporting content from AEM publish. Is this assumption correct?

Avatar

Level 4

Thanks for your response. I want to export  AEM /content into other system. At the end it will be available to user but client dont want to access the AEM content publicly rather it should be accessible by third part system and they will process the content and give to public use.