I am learning about exposing REST APIs. I need to know the best practice for doing authentication logic (custom and basic).
While exploring, I understood that authentication needs to be in OnAuthentication. But why not in OnRequest, OnResponse or the main logic?
Please help me understand this better; if there is any documentation, it would be helpful.
Hello, OutSystems provides two options for REST API authentication. It's better to use Basic Authentication only if you will use the API internally for another application or system within your organization, but you are still able to use custom authentication like JWT tokens or any authentication provider after configuring it.
Custom authentication has some advantages, like sending some information in the token; you can set an expiry period for your token so the system using the API can refresh the token periodically. Also, you can send the token once and make a number of requests with the same token rather than sending the username and password for Basic auth in each request.
You need to check your authentication inside OnAuthentication before proceeding with the API request implementation, so the first step is to check authentication: if it is correct, proceed with handling the request; if not authenticated, stop execution and send an error message without consuming any resources of your server or infrastructure.
Please check this article published by @Kilian Hekhuis, which may help you:
https://itnext.io/exposing-an-outsystems-rest-service-with-an-oauth-style-authorization-fded258cbe14
Hi @Lindo D
The best practices for authentication when exposing REST APIs in OutSystems involve using multiple secure and layered mechanisms to protect API endpoints.
Token-Based Authentication
Use an authentication header (e.g., X-AUTH-TOKEN or Authorization: Bearer) containing a secure token, stored in the DB, which is validated server-side for each request.
Tokens can be personal, time-bound, or dynamically refreshed (such as JWT), enhancing security.
Tokens should be protected and transmitted over HTTPS to prevent interception.
API Keys and Secrets
Implement API key (X-Authentication-Key) and secret (X-Authentication-Secret) headers for authentication.
Store secrets securely; validate both on the server.
Rotate and revoke keys periodically, and never expose secrets in client-side code.
IP Address Whitelisting
Restrict API access to requests coming from a list of allowed IP addresses for an extra layer of security.
Useful for internal APIs or trusted partners, but should not be the only authentication mechanism—combine with tokens or secrets.
Link:
https://success.outsystems.com/documentation/11/integration_with_external_systems/rest/expose_rest_apis/add_custom_authentication_to_an_exposed_rest_api/
https://success.outsystems.com/documentation/11/integration_with_external_systems/rest/expose_rest_apis/add_basic_authentication_to_an_exposed_rest_api/
https://success.outsystems.com/documentation/11/integration_with_external_systems/rest/consume_rest_apis/use_oauth_2_0_client_flow_authorization_in_consumed_rest_api_web_services/
Thanks
Md Mansur
Hi Lindo,
You can perform your authentication check in various places. If you are working with JWTs, you may want to perform the check in each method, so you have the content of the JWT available in the method.
Secondly, you can use On Authentication. The advantage is that it is a clear place to check for authentication when someone studies the code, but it has the downside that the message's content isn't available and you need the HTTPRequestHandler extension to extract info from the message.
Checking the authentication in the On Request is possible as well. But although, unlike On Authentication, you have the message's content available, its content is in plain text, so that doesn't help you much (as opposed to the On Before Request and On After Response of a consumed REST API, which have the headers etc. available in separate lists).
So, personally I'd use either the first option (in every method) or the second (in On Authentication), depending on your use case. If you want to perform a simple authentication check and don't need the content of a JWT, go for On Authentication. If you do need the JWT content, I'd opt for checking inside the method.
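The authentication checks discussed in the answers above, as an added example (Python written for this page, not code from the thread or from the OutSystems platform, which expresses this logic visually). It models the OnAuthentication step as a function that sees only the headers and client address, runs before the method body and rejects with 401 without touching the request (first answer); it validates a Basic header, an HS256 token with an expiry, the X-Authentication-Key / X-Authentication-Secret pair and an IP allowlist (Md Mansur's list); and it hands the claims established in OnAuthentication to the method body, which is the situation Kilian describes when the method needs the JWT content. The user store, API key pair, HMAC signing key, allowlisted network and 900-second token lifetime are constructed sample values, not anything from the thread.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed sample credentials and policy (hypothetical values, not from the thread).
BASIC_USERS = {"svc-billing": "s3cret-pw"}           # internal callers using Basic auth
API_CREDENTIALS = {"key-01": "key-01-secret"}         # X-Authentication-Key -> X-Authentication-Secret
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # IP allowlist, an extra layer only
TOKEN_SIGNING_KEY = b"constructed-demo-hmac-key-do-not-reuse"
TOKEN_TTL = 900                                       # token lifetime in seconds

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, payload: str) -> bytes:
    return hmac.new(TOKEN_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_token(subject: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT-style token carrying the caller identity and an expiry (custom auth)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + TOKEN_TTL}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header, payload))}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                                # refuse alg "none" or algorithm swapping
        if not hmac.compare_digest(_sign(header, payload), _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return claims if isinstance(exp, int) and exp > now else None

def basic_header(user: str, password: str) -> str:
    """What a Basic-auth client must send on every request: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(auth_header: str) -> Optional[str]:
    """Parse and validate a Basic Authorization header; returns the user name or None."""
    scheme, _, encoded = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = BASIC_USERS.get(user, "")
    # compare_digest is constant-time, so a wrong password leaks nothing about its prefix
    return user if stored and hmac.compare_digest(stored.encode(), password.encode()) else None

def check_api_key(headers: dict) -> Optional[str]:
    """Validate the X-Authentication-Key / X-Authentication-Secret pair server-side."""
    key = headers.get("X-Authentication-Key", "")
    stored = API_CREDENTIALS.get(key, "")
    secret = headers.get("X-Authentication-Secret", "")
    return key if stored and hmac.compare_digest(stored.encode(), secret.encode()) else None

def ip_allowed(client_ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_NETS)
    except ValueError:
        return False

def on_authentication(headers: dict, client_ip: str, now: Optional[int] = None) -> Optional[dict]:
    """The OnAuthentication step: runs before the method body and sees headers and client
    address but not the request body. Returns the caller principal, or None to reject."""
    if not ip_allowed(client_ip):
        return None
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        claims = verify_token(auth[7:], now)
        return {"sub": claims.get("sub"), "via": "token"} if claims else None
    if auth.lower().startswith("basic "):
        user = check_basic(auth)
        return {"sub": user, "via": "basic"} if user else None
    key = check_api_key(headers)
    return {"sub": key, "via": "apikey"} if key else None

def handle(headers: dict, client_ip: str, body: str = "", now: Optional[int] = None) -> tuple:
    """Authenticate first, so a rejected call never reaches the method body; returns (status, text)."""
    principal = on_authentication(headers, client_ip, now)
    if principal is None:
        return 401, "unauthorized"
    # Method body: the identity established in OnAuthentication is available here.
    return 200, f"hello {principal['sub']} via {principal['via']} ({len(body)} body bytes)"
```

on_authentication returns the principal rather than just a boolean, which is one way to avoid re-parsing the token inside every method; an allowlisted address by itself never authenticates a call, it only gates the credential checks that follow, and a token with a tampered payload, an unexpected alg or a past exp is rejected before the body is ever read.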