How to configure a user account in OutSystems to behave like a service account

Hi, 

I have configured basic authentication on all the APIs exposed in my environment. API consumers are provided with a user account to authenticate themselves while consuming the APIs. My problem now is that if any one of the API consumers tries with an incorrect password, the user account gets locked after a configured number of attempts:

https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Protection_against_Brute_Force_Attacks

Is there any other configuration available for user accounts to behave like a service account? I don't want specific user accounts to get blocked even after incorrect login attempts (only my API basic-auth user accounts).

I noticed a few server actions (User_unblock, User_GetBlockedStatus) in the Users module; these actions could be used to check the status of the API basic-auth accounts and unblock them in case an account is blocked by a user's incorrect logins.

Please suggest a feasible and recommended solution to handle this scenario.

Thanks,

KJ 


Hi Karthik,

I'm not sure I understand your scenario. So you have an API that sends a user's username and password, and then inside the REST Method you actually login the user?

I wouldn't do the latter, but instead first use the ValidatePassword Action from the PlatformPasswordUtils. If the password is wrong, don't login the user (but instead send back an error). Thus, the user won't be blocked.

EDIT: As an afterthought, I wouldn't use Basic Authentication for normal REST APIs anyway. It's far better to use an OAuth2 approach: have a single REST service that uses Basic Authentication and returns a token, then use that token to validate.


Kilian Hekhuis wrote:

Hi Karthik,

I'm not sure I understand your scenario. So you have an API that sends a user's username and password, and then inside the REST Method you actually login the user?

I wouldn't do the latter, but instead first use the ValidatePassword Action from the PlatformPasswordUtils. If the password is wrong, don't login the user (but instead send back an error). Thus, the user won't be blocked.


Hi Kilian,

I have enabled basic authentication on all the APIs exposed in my environment. All my API consumers share a user account that they configure at their end while consuming my APIs. When one of the consumers attempts to access the API with an incorrect username and password multiple times, the account gets blocked, which impacts the other consumers.

I don't want this to happen, so that there is no outage due to a blocked user account.

Please advise. Thanks




Solution

Hi Karthik,

Like I wrote, you shouldn't directly do a User_Login, you should first do a ValidatePassword. Only if the password is correct login the user. It's the User_Login that causes the lock-out.

That said, you shouldn't share a single account across multiple consumers; that's very bad practice! Each consumer should have their own account!

Kilian Hekhuis wrote:

Hi Karthik,

Like I wrote, you shouldn't directly do a User_Login, you should first do a ValidatePassword. Only if the password is correct login the user. It's the User_Login that causes the lock-out.

That said, you shouldn't share a single account across multiple consumers; that's very bad practice! Each consumer should have their own account!

Thanks Kilian. 


You're most welcome. Happy coding!