Forge Component
Published on 22 Jan (4 weeks ago) by João Sousa

Hi there,


I'm using another 3rd party grid component but just came across an issue that should also be familiar to users of AG Grid: if implementing the REST API approach to pull and push content to the server, one would require some sort of authentication, possibly token-based.


Did anyone face similar challenges and if so, which implementations did you use? Any available at the Forge? Were there any customizations required?


Thank you,

Pedro

Pedro,


There are lots of ways to accomplish this; it all comes down to what is required or desired for your specific implementation. Here is one sample that might help you: https://www.outsystems.com/forge/component-overview/927/how-to-add-custom-authentication-to-a-rest-api


Stacey

That's right, Stacey. We've decided to go for a token-based authentication, since it seemed to balance simplicity with flexibility - Basic Authentication was out of the question since in our case single sign-on authentication with an external identity provider (using SAML, through the IdP component) was already in place.

Regarding your suggestion, we're already making use of the OnAuthentication callback suggested in that sample - thanks for sharing!

I guess what I'm looking for are more opinions about pros & cons on how this token-based authentication should be further enforced, e.g.:

- should the token be encrypted (i.e. in the remote event of the end-user's workstation being compromised)?
- should the existing ASP.NET_SessionId of the user session be reused instead of the token?
- should a further integration be done towards the existing external identity provider, instead?
- should the token/session id be persisted in session only, or in the database as well?


I'm sure that any replies on the above (or anything else that the community might come up with for this scenario) will better guide me in this design. Thank you very much!

Hi Pedro,

For API authentication I have been using JWT (JSON Web Token). It's very simple to implement, it's claims-based (gives you lots of options) and I only have to create a small backoffice where I can store and manage the private key used to validate the token. There is already a Forge component for the JWT part.

It's a one-time development and you have a solution for all your APIs.

Cheers,

João
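To make the JWT approach João describes concrete, here is an added example (not from the original thread, not the Forge JWT component, and not OutSystems code): a stdlib-only Python sketch of issuing and verifying an HS256 token, i.e. the logic that an OnAuthentication handler would run on every request before trusting the caller. The secret, issuer and audience names are placeholders; in the design discussed above the key would come from the backoffice key store, not from source. The verifier pins the algorithm (so an `alg: none` or swapped-algorithm token is rejected), uses a constant-time signature compare, and checks `iss`, `aud`, `exp` and `iat`, which covers Pedro's expiry question: a short `exp` limits the damage if a token is lifted from a compromised workstation, without having to encrypt the token itself.

```python
"""Minimal HS256 JWT issue/verify using only the standard library.

Illustrative example for the thread above; the secret below is a
placeholder and would be loaded from a key store in a real deployment.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-change-me"          # assumption: shared HMAC key from the backoffice
ISSUER = "https://api.example.internal"    # assumption: issuer name
AUDIENCE = "grid-rest-api"                 # assumption: audience name of the REST API


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles, ttl_seconds: int = 900, now=None) -> str:
    """Create a signed token carrying identity and role claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": subject,
        "roles": list(roles),
        "iat": now,
        "exp": now + ttl_seconds,   # short lifetime limits replay of a stolen token
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None):
    """Return the claims dict if the token is valid, otherwise None.

    Never raises on malformed input, so a handler can treat None as 401.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: reject "none" and anything we do not issue.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time compare so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError):
        return None
    # Only trust claims after the signature has been verified.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("pedro", ["grid-editor"])
    print(tok)
    print(verify_token(tok))                 # claims dict
    print(verify_token(tok + "x"))           # None: signature no longer matches
```

The handler only needs the verifying key plus the issuer/audience values, which is what João's backoffice would hold; rotating the key there invalidates every outstanding token at once, whereas revoking a single token requires the server-side persistence Pedro asks about in his last bullet.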