API Identity

API Identity is a new type of API designed to facilitate authentication by password (OAuth Password flow). It replaces OAuth Directory and allows users to modify and handle calls made to authentication servers.

Discontinuity notice: OAuth Directory

From Release 1901.1.2.0 on, OAuth Directory was discontinued and an API Identity needs to be configured if you want to use the OAuth Password flow. In older releases, OAuth Directory is responsible for authentication in this flow (you can access the documentation on this discontinued feature here).

How it works

An API Identity holds, in its structure, a list of associated APIs. These are the APIs whose OAuth and/or Access token validation interceptors have the Password option enabled.

When an app that uses any of these associated APIs requests a password-type access token, a request is made to the API Identity, which handles the call and sends it to the authentication endpoint.

The endpoint that the authorisation service calls on the API Identity depends directly on the environment used to call the OAuth 2.0 API. Therefore, the API Identity and the OAuth 2.0 API must be deployed to the same environment; this also allows the same API to behave differently in flows of different environments.

You can see more about API OAuth 2.0 here.

A regular API can be associated with more than one API Identity, and an app may be associated with more than one API. In these cases, the authorisation service makes one request per associated API Identity, one at a time. As soon as the password is valid for a given API Identity, the authorisation service stops and does not call the remaining ones. If the password is valid for no API Identity, no access token is created.

The whole body of the access token request in the Password flow is forwarded to the API Identity when the call is made, so the verification endpoint can use any field of that request, not only the username and password. If the call to the API Identity returns a field in the response body with the key extraInfo, the content of that field is copied into the extraInfo of the access token that is generated.
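The dispatch described above (each associated API Identity tried one by one, stopping at the first that accepts the password, no token when none accepts, and extraInfo copied from the Identity's response body into the token) as an added Python simulation. This is illustrative code written for this page, not Sensedia's implementation: the identity names, the user records, the PBKDF2 password check in the verification endpoints and the token fields other than extraInfo are all assumptions. Each verification endpoint stands in for the backend that an API Identity's destination points to.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Password hashing for the sample user stores; the real backend decides how it verifies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _user_store(entries):
    # Constructed sample data: (username, password, extra) -> username -> (salt, digest, extra).
    store = {}
    for username, password, extra in entries:
        salt = hashlib.sha256(username.encode()).digest()  # deterministic salt, sample only
        store[username] = (salt, _pbkdf2(password, salt), extra)
    return store


@dataclass
class IdentityResponse:
    status: int
    body: dict


def make_verification_endpoint(store):
    """Returns a callable playing the role of one API Identity's destination (hypothetical):
    it receives the forwarded token-request body and checks the credentials against its store."""
    def endpoint(body):
        record = store.get(body.get("username", ""))
        if record is None:
            return IdentityResponse(401, {"error": "invalid_grant"})
        salt, digest, extra = record
        if not hmac.compare_digest(_pbkdf2(body.get("password", ""), salt), digest):
            return IdentityResponse(401, {"error": "invalid_grant"})
        # A 200 with extraInfo in the body: the gateway copies it into the token.
        return IdentityResponse(200, {"extraInfo": extra})
    return endpoint


def dispatch_password_grant(identities, request_body, call_log=None):
    """Simulates the authorisation service: forwards the whole request body to each
    API Identity in order and stops at the first one that validates the password."""
    for name, endpoint in identities:
        if call_log is not None:
            call_log.append(name)  # records which Identities were actually called
        resp = endpoint(dict(request_body))
        if resp.status == 200:
            token = {
                "access_token": secrets.token_urlsafe(24),  # assumed token shape
                "token_type": "Bearer",
                "identity": name,
            }
            if "extraInfo" in resp.body:
                token["extraInfo"] = resp.body["extraInfo"]
            return token
    return None  # password valid for no API Identity: no token is issued


# Constructed sample: two API Identities, each backed by its own user store.
IDENTITIES = [
    ("employees-identity", make_verification_endpoint(
        _user_store([("alice", "correct horse", {"department": "hr"})]))),
    ("partners-identity", make_verification_endpoint(
        _user_store([("bob", "battery staple", {"partner_id": 42})]))),
]

if __name__ == "__main__":
    log = []
    req = {"grant_type": "password", "username": "bob", "password": "battery staple"}
    print(dispatch_password_grant(IDENTITIES, req, log), log)
    print(dispatch_password_grant(IDENTITIES, {**req, "password": "wrong"}))
```

Running the block shows that a request for "bob" is first offered to employees-identity, rejected there, then accepted by partners-identity, whose extraInfo lands in the token; a wrong password reaches both Identities and yields no token at all.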

Creating an API Identity

To create a new API Identity, select the Create API identity option in the bottom right corner of the APIs page (in the menu that opens up when you hover the cursor over the + floating button).


The API creation page will open and you must fill out the required information along the different steps, as in the case of creating a regular API:

The API Destination (which you can configure by clicking the backend icon on the Flows creation step) should be the endpoint where the password will be verified.

Unlike regular APIs, API Identities have the “Identity” field, which enables users to select APIs that have the OAuth and/or Access token validation interceptors, with the Password option enabled.


Once this is done, publish your API and it will be ready to be used.
