How to authenticate AEM APIs? | Community
Mario248
Level 7
July 28, 2022
Solved


We are using AEM as a content service and exporting AEM content into a mobile application. For example, the API below will be used in the mobile application, and the mobile application will build the presentation layer.

 

/content/we-retail/us/en/products/women/shirts/jcr:content/root/content-tile.model.json

 

Here I basically want to authenticate the AEM API before I serve the JSON response. In essence, I want to only accept requests from mobile applications. I should reject the request if anyone else calls AEM. Can anyone tell me what ways we can protect the AEM APIs?


Sachin_Arora_
Community Advisor
July 29, 2022

Mario248 (Author)
Level 7
July 30, 2022

Thanks for your response. I think JWT looks good in my case, as it involves system-to-system authentication. Do you have any reference on how this works in an AEM model Java class?

 

Question: It seems every request hits publish to verify the access code and token code. Does this hit performance? Can we manage this at the dispatcher level?

Sachin_Arora_
Community Advisor (Accepted solution)
August 2, 2022

Ideally there should not be a performance hit, but planning performance testing would give a clear picture. I don't think it can be controlled at the dispatcher level, as authorization would be happening in AEM, i.e. the last point mentioned in my previous comment screenshot.

Nikhil_Verma
Level 4
August 2, 2022

I find this question very interesting; it's a basic requirement and has various options.

 

A few cents from my side based on your use case:

  • Do you need to export user-specific content from AEM publish? For example, user profile details, user orders, etc.
    If you do need to export user-specific content from AEM, then token auth (OAuth2) is the way to go. This is the same auth mechanism mentioned by @sachin_arora_. Here are the Adobe docs with videos explaining how to implement it: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/authentication/overview.html?lang=en

  • Do you need to export only public content from AEM? For example, content meant for public consumption such as website images, content fragments, etc. If you need to export only public content from AEM, then I would ask if authentication is needed at all, since the content is exposed to the public anyway?

  • The above points are based on the assumption that you are exporting content from AEM publish. Is this assumption correct?

Mario248 (Author)
Level 7
August 7, 2022

Thanks for your response. I want to export AEM /content into another system. In the end it will be available to users, but the client doesn't want the AEM content to be accessed publicly; rather, it should be accessible by a third-party system, and they will process the content and give it for public use.