For external management systems (API clients) that get access to the platform through the APS bus, the platform supports authorization using one of the following ways:
The OAuth Core 1.0 Revision A (hereafter OAuth-1.0a) protocol as described in the OAuth 1 Authorization document.
The OAuth 2.0 Authorization Framework with the OpenID Connect extension as described in the Authorization through IDP document.
In this document:
API clients can access the platform only through a brand endpoint with the activated APS booster using the HTTPS protocol.
If your platform is in production, it must already have a UI node or UI cluster with the APS booster available through HTTPS. If it does not, follow the platform deployment guide to setup the UI cluster with the APS booster.
To verify if REST requests go through the APS booster, check HTTP headers in a response message. One of them must be
X-APSBooster-Response:true
.
In your lab system, if you do not want to configure a separate UI node for simplicity, configure a UI with a brand endpoint directly on the management node.
In the provider control panel, navigate to Infrastructure > Service Nodes, and make sure the management node (for example, a.isv1.apsdemo.org) is in the Ready to provide state.
Navigate to System > Settings and click Brands on the screen.
Click Add New Brand and in the Domain field enter the domain name of the management node, that is, the same domain name you see in the browser address string. for example, “a.isv1.apsdemo.org”.
Click Next and on the next screen, click Finish.
After the above configuration, get access to the platform through the HTTPS protocol, for example:
https://a.isv1.apsdemo.org
.
When using HTTPS in your browser and REST client, you may meet the following cases when your action is rejected:
The REST client does not accept a self-signed certificate from your test platform.
If you use a REST client as a plugin in your browser, first get access to the platform from your browser using HTTPS and accept the SSL certificate. Then switch back to your REST client. Now it will accept the SSL certificate.
If your REST client is a separate application, turn off the SSL certificate verification in the application settings.
If you have reinstalled your test platform under the same domain name and you cannot log in to the platform control panel through your browser or REST client, the most probable cause is the cookies stored in the browser or the REST client from the previous installation making messages similar to “Your session has expired…” pop up regularly. Clear the old cookies received from the server and try again.
The platform allows the provider to have multiple resellers of various levels that need to access REST API to implement various integration scenarios such as CRM or Billing integration. To allow those systems to get access to the platform, the provider should consider the following ways:
Directly through the provider’s or a reseller’s access point as explained in the Set Up HTTPS Access to the Platform section.
Through a third party API gateway, for example, Microsoft API gateway, using the benefits of a specialized service.
Note
The second way is recommended, as a specialized API gateway usually provides numerous features to improve the quality of API services, for example, by rejecting improper requests and using API analytics tools.
The provider uses the following platform features to control access through an API gateway:
The system property APS OAuth API Gateway URL specifies an API gateway integrated with the platform. The property is configured for every reseller separately in the reseller control panel (RCP).
The security privilege OAuth APS Bus Access assigned through a security role to a user allows the latter to manage or only view the APS Bus Access user configuration.
Access to the APS bus through the API gateway is allowed on behalf of a user authenticated through the OAuth protocol, as explained in the Set Up the User’s Credentials section.
The following is a typical scenario of setting and using an API gateway for a reseller.
The provider subscribes to a third-party API gateway service and configures the acquired gateway to forward APS REST requests to the platform.
Note
The provider must ensure that the API gateway forwards its domain name in the
X-Forwarded-Host header.
It must be the host name specified by the client in the Host
header.
In the simplest configuration, the API gateway forwards all REST requests containing the /aps/2/resources/
prefix
in the URL.
The provider configures other API gateway specific services, for example, security restrictions and API analytics.
The provider logs to the RCP on behalf of the reseller who requires an API gateway, then navigates to System > Settings and in the Systems Properties enters the API gateway URL in the APS OAuth API Gateway URL property.
As explained in the Set Up the User’s Credentials section, the provider or an authorized reseller staff member creates and configures a user with a generated Key and Secret pair and a list of REST operations allowed on the APS bus for that user. The reseller’s external systems will use those credentials to send REST requests.
A reseller’s external system can send the allowed REST calls through the API gate using the pair of OAuth Key/Secret for authentication and authorization. For example:
GET https://api.gate-provider.test:10443/aps/2/resources
The platform security system accepts an incoming request if its OAuth signature in the Authorization
header
is based on the correct gateway URL as configured by the respective APS OAuth API Gateway URL property.
Note
If an API gateway URL is configured for a reseller, the platform does not accept APS requests coming in any way other than through that gateway from any system authenticated as a user of that reseller.
Recursively, a reseller can downstream the APS OAuth API Gateway URL property to sub-resellers. A reseller’s staff member can configure it themselves in their own reseller account if they are granted the “System Configuration”=”Manage” privilege.