
Secure API Access with Asgardeo

API security refers to the measures and practices used to protect Application Programming Interfaces (APIs) from threats and vulnerabilities. APIs enable communication and data exchange between software applications and services, which makes them a critical component of modern software development; the same openness and accessibility also makes them an attractive target. Authentication and authorization are the two key aspects of API security. Authentication establishes who is calling the API, that is, which user or application presented the request; it can rely on API keys, tokens, or more robust protocols such as OAuth 2.0. Authorization controls what an authenticated user or application is allowed to do within the API, restricting access to specific resources and actions based on roles or permissions. The two work in sequence: a request whose caller has not been authenticated cannot be meaningfully authorized.

Organizations that use Asgardeo for identity and access management (IAM) can integrate it with API Platform as an external key manager. This guide walks you through configuring API Platform so that API invocations are authenticated with access tokens issued by Asgardeo, which is configured as the external key manager.

This guide walks you through the following steps:

  • Create an API in Asgardeo.
  • Create an application in Asgardeo and consume the Asgardeo API.
  • Create an application in API Platform and enable external key manager authentication.
  • Invoke the API.

Prerequisites

To follow this guide, you need to satisfy the following prerequisites:

Step 1: Create an API and an application in Asgardeo

Follow the Asgardeo API Authorization guide to create an application and an API in Asgardeo and to enable API authorization.

Note

  • Do the following under the Protocol tab:
    • Select JWT as the access token type. A self-contained JWT can be validated by the gateway against Asgardeo's published signing keys, whereas an opaque token would require an introspection call on every request.
    • Select the grant types the application needs. Authorization code (with PKCE) for user-facing clients and client credentials for machine-to-machine clients are preferable to the password grant, which is deprecated in current OAuth 2.0 security guidance.
    • Copy the client ID and client secret of the application for later use, and keep the secret in a secrets manager or environment variable rather than in source control.

Step 2: Create an application in API Platform and enable external key manager authentication

Follow the steps below to consume the API Platform API and use an external key manager for authentication:

  1. Sign in to your organization in the API Platform Developer Portal at https://devportal.bijira.dev.
  2. Click Applications, and then click +Create.
  3. Enter a name for the application.
  4. Click Create.
  5. Click on the newly created application.
  6. At the top of the application page, under OAuth2, click + Add Client ID.
  7. Enter the Client ID you copied in step 1.
  8. Click +Add.

    Note

    • A given client ID can be added to only one application.
    • This option is visible only in organizations where an external key manager has been configured.
  9. Once the client ID is added, a dialog shows the key manager connection details.

  10. Click Instructions to view the steps for generating an access token.
  11. Click the Subscribe to more APIs button to browse the available APIs and subscribe to them through the application.

Step 3: Invoke the API Platform API

  1. On the API Platform Developer Portal, go to your application.
  2. On the top of the page, under OAuth2, click View to see the Token Endpoint URL.
  3. Obtain an access token by invoking the token endpoint. The request template is:

    curl -X POST <TOKEN_ENDPOINT> \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password" \
        -d "username=<USER_NAME>" \
        -d "password=<USER_PASSWORD>" \
        -d "client_id=<ASGARDEO_APP_CLIENT_ID>" \
        -d "client_secret=<ASGARDEO_APP_CLIENT_SECRET>" \
        -d "scope=<REQUIRED_SCOPES>"
    
    For an Asgardeo organization whose handle is orghandle, the token endpoint is https://api.asgardeo.io/t/orghandle/oauth2/token, so the request becomes:

    curl -X POST https://api.asgardeo.io/t/orghandle/oauth2/token \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password" \
        -d "username=<USER_NAME>" \
        -d "password=<USER_PASSWORD>" \
        -d "client_id=<ASGARDEO_APP_CLIENT_ID>" \
        -d "client_secret=<ASGARDEO_APP_CLIENT_SECRET>" \
        -d "scope=<REQUIRED_SCOPES>"
    
    Multiple scopes are separated by spaces; because curl -d does not URL-encode its value, write the space as + or %20, or pass the scope with --data-urlencode instead. The password grant shown here is the quickest way to test, but it hands the user's credentials to the client and is deprecated in current OAuth 2.0 security guidance: for machine-to-machine clients use grant_type=client_credentials and omit username and password, and for user-facing applications use the authorization code grant. Whichever grant you use, it must be enabled on the Asgardeo application (Step 1), and Asgardeo issues only scopes the application is authorized for, so a token request for other scopes will not yield them. Avoid placing the client secret on the command line where it is recorded in shell history.
    
  4. Once you receive the access token, send it in the Authorization: Bearer header of each request to the subscribed resource. You can test the invocation with cURL from the API Platform Developer Portal; a missing, expired, or under-scoped token results in a 401 or 403 response from the gateway rather than an upstream response.
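The token request and API invocation of Step 3, carried through in Python as an added example (this is not code from the page, Bijira, or Asgardeo). It uses only the standard library, defaults to the client credentials grant, sends the client secret in an HTTP Basic header instead of the form body, and inspects the JWT's issuer, expiry and granted scopes before spending a request on the gateway. The org handle, client credentials, API URL and the expected issuer value (assumed to equal the token endpoint URL) are placeholders; the sample JWT built by make_sample_token is constructed for offline testing and carries a fake signature.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions, not real values): replace with your own.
ORG_HANDLE = "orghandle"
TOKEN_ENDPOINT = f"https://api.asgardeo.io/t/{ORG_HANDLE}/oauth2/token"
API_URL = "https://example.invalid/petstore/1.0/pets"  # assumed gateway URL of the subscribed API


def build_token_request(client_id, client_secret, scopes,
                        grant_type="client_credentials",
                        username=None, password=None,
                        token_endpoint=TOKEN_ENDPOINT):
    """Return (url, headers, body) for an OAuth 2.0 token request.

    The client secret goes in an HTTP Basic header (RFC 6749 requires token
    endpoints to support it) rather than in the form body. client_credentials
    is the default; the password grant the guide shows is accepted for testing
    but is deprecated by current OAuth 2.0 security guidance.
    """
    fields = {"grant_type": grant_type, "scope": " ".join(scopes)}
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs username and password")
        fields.update(username=username, password=password)
    cred = (urllib.parse.quote(client_id, safe="") + ":"
            + urllib.parse.quote(client_secret, safe=""))
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
    }
    return token_endpoint, headers, urllib.parse.urlencode(fields).encode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for local inspection before sending the token: the gateway, not the
    client, verifies the signature against Asgardeo's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims, required_scopes, expected_issuer, now=None, leeway=30):
    """Return a list of problems; an empty list means the token is worth sending."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    exp = claims.get("exp")
    if exp is None or now > exp + leeway:  # leeway tolerates small clock skew
        problems.append("token expired or has no exp")
    granted = claims.get("scope", "")  # Asgardeo uses a space-separated string
    granted = set(granted.split()) if isinstance(granted, str) else set(granted)
    missing = set(required_scopes) - granted
    if missing:
        problems.append("scopes not granted: " + " ".join(sorted(missing)))
    return problems


def fetch_token(url, headers, body):
    """POST the token request and return the parsed JSON response (network call)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def invoke_api(url, access_token):
    """Call the gateway-protected API with a bearer token; return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 401/403 from the gateway land here
        return err.code, err.read().decode()


def make_sample_token(claims):
    """Build a CONSTRUCTED JWT with a fake signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "at+jwt"}), enc(claims), "fake-signature"])


if __name__ == "__main__":
    url, headers, body = build_token_request("client-id", "client-secret", ["pets:read"])
    token = fetch_token(url, headers, body)["access_token"]  # needs network and real credentials
    problems = check_token(decode_jwt_claims(token), ["pets:read"], TOKEN_ENDPOINT)
    if problems:
        raise SystemExit("refusing to call the API: " + "; ".join(problems))
    print(invoke_api(API_URL, token))
```

The pre-flight check is deliberately a client-side courtesy, not a security control: it saves round trips and gives a clearer error than a bare 401, but the gateway must still verify the signature, issuer, expiry and scopes itself, because anything the client decodes locally can be forged by the client.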