OutSystems Selective Deployment zones - Exposing Rest API
Application Type
Reactive, Service

Hi community! 

I have a question about working with selective deployment zones and the use of REST APIs to expose server actions. 

In my use case we have developed an application which consists of separate applications, inside of our OutSystems Cloud based environment. One of these applications has been made available to our clients and is accessible via the public web. The others are internal applications or service applications. 

We are planning to deploy the application to another country which uses an OutSystems OnPremise setup, meaning that a potential client facing (public web accessible) app, cannot communicate with the service application directly. To overcome this, I want to use REST APIs which are within the service application and use the server actions. That way I can reuse the existing logic. 

My question here is about the security of the REST API. I want to use an App Id and App Secret to validate the origin of the API call. As I have multiple modules I would like to store the credentials at a centralized location so they can be updated easily every period. 

If I store the API credentials in another application that will be hosted on the internal server, will I be able to retrieve the API credentials from the API calls OnAuthentication?

I cannot test this at the moment and only have limited time to implement, so want to prepare to the best of my possibilities :D

2024-03-23 18-16-49
Bryan Villalobos

Hi @Max de Groot ,


If that generic application sits on the same OutSystems cloud server as the Service Application, you can always expose a service action or a server action that can be referenced by the Service Application. 

I do suggest to make sure that you follow the Architecture Best Practices and have a separate Core Application (without the end user modules) so it follows the recommended architecture.

Regards,

Bryan

2020-07-02 13-32-59
Max de Groot

Hi Bryan,

Thanks for your input. 

I currently have an architecture with a dedicated core module that only consists of data actions and tables and not interfaces. I was thinking about adding a separate module to this core service application that holds the API keys etc. This would then be hosted on the internal server, within the service application (green square in my drawing).

Max

2024-03-23 18-16-49
Bryan Villalobos

I see.

Then referencing a server/service action from your Service Application to that module that holds the API Keys, is the way.

In addition to security, you can add your API Keys in your Site Properties and tick the IsSecret. In this way, it will be easy to change the API configurations/keys on different environments. Unless you are saving your API Keys in your database and implementing your own hashing/encryption.

Regards,

Bryan
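
The check discussed in this thread, sketched in Python as an added example (not OutSystems code and not written by any poster): a central store keeps only salted hashes of each App Secret, supports periodic rotation with a grace window for the previous secret, and is consulted by a stand-in for the API's OnAuthentication callback. The header names `X-App-Id` and `X-App-Secret`, the class and function names, and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumption: PBKDF2 work factor picked for this example


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive the value that is stored instead of the plaintext secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class CredentialStore:
    """Central store (hypothetical): app_id -> [(salt, digest, expires_at)]."""

    def __init__(self):
        self._entries = {}

    def rotate(self, app_id, new_secret, now, grace_seconds):
        """Add a new secret; older ones stay valid only for the grace window."""
        kept = [(s, d, min(exp, now + grace_seconds))
                for s, d, exp in self._entries.get(app_id, [])]
        salt = os.urandom(16)
        kept.append((salt, hash_secret(new_secret, salt), float("inf")))
        self._entries[app_id] = kept

    def verify(self, app_id, secret, now):
        """Check every stored digest with a constant-time comparison."""
        ok = False
        for salt, digest, expires_at in self._entries.get(app_id, []):
            match = hmac.compare_digest(hash_secret(secret, salt), digest)
            ok |= match and now < expires_at
        return ok


def on_authentication(store, headers, now=None):
    """Stand-in for the REST API's OnAuthentication step: 200 or 401."""
    now = time.time() if now is None else now
    app_id = headers.get("X-App-Id", "")        # assumed header name
    secret = headers.get("X-App-Secret", "")    # assumed header name
    if not app_id or not secret:
        return 401
    return 200 if store.verify(app_id, secret, now) else 401
```
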
