I have integrated a payment gateway in my application. I am exposing a REST API for a payment gateway to use as a callback function. In this case, how can I secure the exposed REST API?
Hi Kona,
Did you already search the OutSystems documentation, because it mentions ways to make your exposed REST APIs secure?
Does the Payment gateway not give you rules on how to secure your REST services?
-- Daniel
Hi @Daniel Kuhlmann, yes, I have gone through the documentation, as it was a REST exposed API callback. I am not sure how to secure it. We also don't have any login credentials. Can you explain to us how to solve this?
Like Daniël wrote, the payment gateway very likely gives you detailed instructions on how to secure the REST API it calls. There are many ways to secure an exposed REST API, but if you choose a method that isn't supported by the gateway, it can't successfully call you. Please check the gateway's documentation, and if you're not sure how to implement what they are prescribing, then you can ask questions here.
Hi @Kona jyothi
While exposing the API, you have the option On Authentication under Security in the properties.
You can choose Custom or Basic to add authentication to your API.
After adding authentication
I hope it will help you
Regards
Murali
Hi @Murali Manoharan V ,
The REST exposed API was a callback. For this application we don't have any login credentials, so how do I need to configure the basic auth? Can you explain in this case?
If you go with basic validation, by default it validates the user's OutSystems username and password.
Or else, if you need some custom validation, then select authentication as Custom and do the following steps:
1) Store some API secret in the DB
2) Pass that in the consuming API call's header to validate
3) In the exposing area's On Authentication, use this action to receive the header value
4) Compare this action's output with the DB's value
5) If it matches, move the flow to End; it continues your API flow.
6) If it does not match, then raise the exception; it will stop your API flow based on authentication.
Hi @Kona jyothi,
Please refer to the documentation below:
https://success.outsystems.com/documentation/11/extensibility_and_integration/rest/expose_rest_apis/add_basic_authentication_to_an_exposed_rest_api/
https://success.outsystems.com/documentation/11/extensibility_and_integration/rest/expose_rest_apis/add_custom_authentication_to_an_exposed_rest_api/
Thanks,
Vignesh Prakash.
Hi Kona Jyothi,
While exposing the API, we have a security option called HTTP Security. In the HTTP Security dropdown you can select the SSL/TLS option, and in that case you have to share the public cert with your consuming client.
You can use custom authentication instead. You can ask for an authorization token in the request header, which is generated based on some string like (URL+Parameter), and use a secret key to generate the authorization token; you follow the same method to authenticate the request.
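The two custom-authentication checks described in the replies above (the stored API secret compared against a header value, and the token derived from URL + parameters with a secret key), as an added example that is not part of the original thread and is not OutSystems or gateway code. The header names, the callback URL, the secret, the choice of HMAC-SHA256 and the canonical string format are assumptions; the payment gateway's documentation defines the real ones.

```python
import hashlib
import hmac

# Constructed sample values. In practice the secret is read from the database
# (step 1 of the list above) and is never hard-coded.
API_SECRET = b"constructed-demo-secret"
CALLBACK_URL = "https://app.example.com/rest/PaymentCallback/Notify"


def _header(headers: dict, name: str) -> str:
    """HTTP header names are case-insensitive; a missing header yields ''."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def check_static_secret(headers: dict, secret: bytes) -> bool:
    """Steps 2-6: compare the secret sent in a header with the stored one."""
    supplied = _header(headers, "X-Api-Secret")  # hypothetical header name
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guess were correct.
    return bool(supplied) and hmac.compare_digest(supplied.encode("utf-8"), secret)


def sign(url: str, params: dict, secret: bytes) -> str:
    """Token over URL + parameters. HMAC-SHA256 and this canonical form
    (sorted key=value pairs) are assumptions; the gateway defines its own."""
    canonical = url + "?" + "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def check_signed_request(url: str, params: dict, headers: dict, secret: bytes) -> bool:
    """Recompute the token from what was actually received and compare."""
    supplied = _header(headers, "Authorization")
    expected = sign(url, params, secret)
    return bool(supplied) and hmac.compare_digest(
        supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    params = {"order_id": "1001", "status": "PAID", "amount": "49.90"}
    token = sign(CALLBACK_URL, params, API_SECRET)
    print(check_signed_request(CALLBACK_URL, params, {"Authorization": token}, API_SECRET))
    tampered = dict(params, amount="0.01")  # parameter changed after signing
    print(check_signed_request(CALLBACK_URL, tampered, {"Authorization": token}, API_SECRET))
```

Unlike the static secret, the signed token also fails when a parameter is altered in transit, because the receiver recomputes it from the values it actually received.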