IO Runtime Rest API Authentication

Level 1

How can we structure authentication to securely allow multiple clients to access a REST API (following the documentation at https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/)?

Example Swagger file:

{
  "basePath": "/v2",
  "paths": {
    "/ims-validation-endpoint": {
      "get": {
        "operationId": "your-namespaces/default/my-require-gw-validation-web-action.json",
        "security": [
          {
            "clientids_auth": []
          }
        ]
      }
    }
  },
  "securityDefinitions": {
    "clientids_auth": {
      "type": "oauth2",
      "authorizationUrl": "",
      "flow": "implicit",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      },
      "x-client-ids": ["zookeeper", "dogwalker"]
    }
  }
}

Specifically, I have the following questions:

- Where in the Adobe Developer Console (Dashboard) can we define the client IDs and scopes used in the above swagger.json? Do we need to create a new app for each client to generate a client ID?

- How do we generate the ims_access_token after obtaining the client IDs?

 

Additionally, I have some clarifications:

- Are "clientids_auth" and "x-client-ids" the same?

- How can I push the Swagger configuration file to the Adobe App Builder?

Thanks

6 Replies

Employee

1. A new client ID will be made for you when you create a new OAuth credential in the Developer Console. The client ID can be found and copied when looking at the credential's detail page.

2. For testing, you can generate a token in the Developer Console. For generating one in code, specifically Node.js, you can use the getAccessToken function of aio-lib-ims: https://github.com/adobe/aio-lib-ims/blob/master/src/ims.js#L343. All the values needed for this function can be found on the credential detail page in the Developer Console.

3. "clientids_auth" is the name of the security definition. This is used to apply the definition to a path, as seen at the top of the example you provided. This can be anything you want. "x-client-ids" is the specific security definition property Runtime uses to determine which clients are allowed; you must use this property name to specify allowed clients.

4. See here for creating runtime APIs using swagger files: https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/#using-swagger-files

Level 1

Thanks @mgoberling-adobe 

I was wondering if there is a way we can create multiple sets of OAuth credentials outside the context of integration with a specific API in a workspace.

Employee

Hello, I took another look at the question. The client IDs mentioned in the linked doc are not the same client IDs you get from the Developer Console. I believe putting the clients in the spec will provision them, and you can simply start using them. Could you try?

Level 1

Hi @tmj

My "app.config.yaml" (attached as a screenshot: Screenshot 2025-02-11 at 11.30.25 AM.png)

And the swagger file:

{
  "basePath": "/v1",
  "info": {
    "title": "get-pets",
    "version": "1.0.0"
  },
  "paths": {
    "/pets": {
      "get": {
        "operationId": "35582-commerce1app-development/runtime-app/get-pets.http",
        "security": [
          {
            "clientids_auth": []
          }
        ],
        "responses": {
          "default": {
            "description": "Default response"
          }
        },
        "x-openwhisk": {
          "action": "get-pets.http",
          "namespace": "35582-commerce1app-development",
          "package": "runtime-app",
          "url": "not-used"
        }
      }
    }
  },
  "securityDefinitions": {
    "bearerAuth": {
      "type": "apiKey",
      "name": "Authorization",
      "in": "header"
    },
    "clientids_auth": {
      "type": "oauth2",
      "authorizationUrl": "",
      "flow": "implicit",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      },
      "x-client-ids": [
        "client_id_123",
        "client_id_456"
      ]
    }
  },
  "swagger": "2.0"
}

For deployment:

aio app deploy

When I requested the API endpoint without authentication in the header, it returned a 200 status. It executed the action normally, so the "require-gw-validation" was not applied to the endpoint.

GET /apis/35566-commerceapp-development/v1/pets HTTP/1.1

I am unsure if there is another way to force the deployment of the Swagger setting to the Runtime action. Also, how can I generate the access token for the endpoint above, including the scopes "write:pets" and "read:pets"?

Thanks
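As an added example (not from this thread, and not Adobe's tooling), a small Node.js pre-deploy check for the kind of swagger file posted above: it flags a route that has no security requirement (which is what serves an unauthenticated request with a 200), a security requirement that names a definition that does not exist or has no "x-client-ids" list (the property the earlier reply says Runtime actually consults), and a definition such as "bearerAuth" that is declared but applied to no path. The sample spec, its namespace and its client IDs are constructed placeholders.

```javascript
// Added example, not from this thread or Adobe's tooling: lint a Swagger 2.0 file
// before `aio app deploy` so a route meant to sit behind x-client-ids is never
// shipped without a security requirement (the unauthenticated 200 seen above).
const ALLOWED_KEY = 'x-client-ids';

// Constructed sample in the shape of the thread's spec; namespace and IDs are placeholders.
const sampleSpec = {
  swagger: '2.0',
  info: { title: 'get-pets', version: '1.0.0' },
  paths: {
    '/pets': {
      get: { operationId: 'example-namespace/runtime-app/get-pets.http', security: [{ clientids_auth: [] }] },
    },
    '/health': { get: { operationId: 'example-namespace/runtime-app/health.http' } },
  },
  securityDefinitions: {
    bearerAuth: { type: 'apiKey', name: 'Authorization', in: 'header' },
    clientids_auth: {
      type: 'oauth2', flow: 'implicit', authorizationUrl: '', scopes: { 'read:pets': 'read your pets' },
      [ALLOWED_KEY]: ['client_id_123', 'client_id_456'],
    },
  },
};

// Returns human-readable findings; an empty list means every route is covered and every
// definition it names exists, carries an x-client-ids allow-list, and is actually used.
function lintClientIdSecurity(spec) {
  const findings = [];
  const defs = spec.securityDefinitions || {};
  const used = new Set();
  for (const [route, ops] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(ops)) {
      const where = `${method.toUpperCase()} ${route}`;
      const names = (op.security || []).flatMap((req) => Object.keys(req));
      if (names.length === 0) findings.push(`${where}: no security requirement, route is served unauthenticated`);
      for (const name of names) {
        used.add(name);
        const def = defs[name];
        if (!def) findings.push(`${where}: references undefined securityDefinition "${name}"`);
        else if (!Array.isArray(def[ALLOWED_KEY]) || def[ALLOWED_KEY].length === 0) {
          findings.push(`${where}: "${name}" has no ${ALLOWED_KEY} list, so Runtime has no clients to allow`);
        }
      }
    }
  }
  for (const name of Object.keys(defs)) {
    if (!used.has(name)) findings.push(`securityDefinition "${name}" is declared but applied to no path`);
  }
  return findings;
}
```

Run it against the real file with `lintClientIdSecurity(JSON.parse(fs.readFileSync('swagger.json', 'utf8')))` and refuse to deploy while it returns anything.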

Employee

I don't see the APIs being deployed as shown above. There is no "security" definition in what is deployed. Are you sure you deployed the API definitions? See https://developer.adobe.com/runtime/docs/guides/using/creating_rest_apis/#using-swagger-files for the process.