Reputation: 36
express-gateway API key management
I have API backend and it will be consumed by different consumers like our own company website and even other website can use our API with certain quota/limitation and for this scope management we will be using express-gateway(eg), however this is not the only reason I am using express-gateway(eg). Now coming to my problem/miss-understanding, for our own website we can create api-key and user credentials using eg command. But for the other user who wishes to use our api, I don’t want them to contact me for this integration, rather they should be able to create a user credentials and API key themselves using some facility (let us call it key management) provided by us. Here I am stuck how to give a web platform or any other mechanism where a user can create account and then create api-key for their own website. I was thinking to extend the express-gateway app itself and create page where a website owner can fill the form with various input field that will serve as parameter for eg command and I can trigger eg command in node console and create credentials and save it in redis database and then fetch those information to show it to user as their use rid and api-key. But I want to know the best way how others are doing, like how google, twitter and many more are allowing to create api-key, delete key and regenerate the api-key on compromise. Some suggestion would be to use third party tool to manage user-credentials, I will have little inertia to accept that, even if I do so how will I hook those third-party solution to my express-gateway.
Upvotes: 0
Views: 339
Answers (1)
Reputation: 2406
In general, API gateways and authentication servers are independent, or at least loosely-coupled. The typical workflow is:
- A user browses to the Create Account page for a service.
- The user creates an account with the authentication server
- The user makes a request through the API gateway
- The API gateway checks with the authentication server whether the operation is allowed, discarding it if the user is not authorized to perform the requested action
- The API gateway dispatches the request to the appropriate server
- The receiving server checks whether the user is permitted to perform the action (in case the API gateway has been compromised)
Express Gateway includes its own authentication server for convenience, but the steps are basically the same. The difference is that one uses the Express Gateway Admin API to create the user and credentials rather than going to a different server.
Note that Express Gateway and its default account database (reddis) are not persistent out of the box.
Upvotes: 1
Related Questions
- Azure API Management Developer Portal
- API gateway and app backend authentication
- Suggestion on Api Access with Express-Gateway, and User authentication with JWT
- Does IBM APIConnect work with 3rd party gateways
- How to Create Bluemix Secure Gateway from rest api
- I wonder about a secure gateway of IBM using a web socket?
- Query related to Bluemix Secure Gateway Client on DataPower
- Bluemix API Management, secure the API implementation
- IBM API Management and Secure Gateway
- IBM API Management Service - How to bind a SSL profile to a Proxy API?