Provide Support for Secure API Authentication #4249

Open
2 tasks done
VinodAnandan opened this issue Oct 11, 2024 · 2 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), technical debt

Comments

VinodAnandan (Contributor) commented Oct 11, 2024

Current Behavior

Currently, we are utilising API keys, which are considered to have lower security compared to other secure API authentication methods.

Proposed Behavior

We should allow the external and centralised Authorisation Server (e.g., Keycloak) to handle the authentication and authorisation of clients in addition to API keys; it should be either API keys or centralised authentication.

So in practice, the client will first authenticate with the Authorisation Server using a secure authentication mechanism (e.g., OAuth 2.0 Client Credentials Grant with Private Key JWT, OAuth 2.0 Client Credentials Grant with Private Key JWT + DPoP, etc.), and Keycloak will issue an access_token for the client. The client will use the short-lived access_token to call DT API endpoints. The DT API will validate whether or not the token was issued by the trusted Authorisation Server.

To enable this, I think DT should allow the JWKS endpoint of the Authorisation Server to be set as a configuration option, together with an option to enable external secure API auth.

Checklist

VinodAnandan added the labels enhancement, technical debt, help wanted and p2 on Oct 11, 2024
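The flow proposed above, as an added example (Go, not code from Dependency-Track or Keycloak): a stand-in for the Authorisation Server issues a short-lived signed access_token and publishes the matching JWKS, and the resource-server side performs the validation DT would need, namely the trusted key selected by kid, a pinned alg, and the issuer, audience and expiry checks. Ed25519/EdDSA is used to keep the block short; Keycloak's default RS256 follows the same structure with an RSA key. The issuer, audience, kid and client names are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// JWK/JWKS: the RFC 7517 subset a resource server needs for Ed25519 keys (Keycloak serves its set at /realms/<realm>/protocol/openid-connect/certs).
type JWK struct{ Kid, Kty, Crv, X string }
type JWKS struct{ Keys []JWK }
var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url (RFC 7515)

// decode drops the error: signatures cover the still-encoded segments, so garbage can only fail a later check.
func decode(s string) []byte { b, _ := b64.DecodeString(s); return b }
func num(v any) float64   { f, _ := v.(float64); return f } // JSON numbers unmarshal into float64

// keyFor returns the key named by kid; an unknown or non-Ed25519 kid is rejected, never guessed.
func (s JWKS) keyFor(kid string) (ed25519.PublicKey, error) {
	for _, k := range s.Keys {
		if x := decode(k.X); k.Kid == kid && k.Kty == "OKP" && k.Crv == "Ed25519" && len(x) == ed25519.PublicKeySize {
			return ed25519.PublicKey(x), nil
		}
	}
	return nil, errors.New("no usable key for kid " + kid)
}

// Validate is the DT-side check: pinned alg (the token may not choose it, e.g. "none"), signature by the JWKS key named in kid, then configured iss, DT aud and an unexpired exp.
func Validate(token string, jwks JWKS, iss, aud string, now time.Time) (claims map[string]any, err error) {
	parts, hdr := strings.Split(token, "."), struct{ Alg, Kid string }{}
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed token or unsupported alg")
	}
	if pub, err := jwks.keyFor(hdr.Kid); err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), decode(parts[2])) {
		return nil, errors.New("signature not from a trusted key")
	}
	if json.Unmarshal(decode(parts[1]), &claims) != nil || claims["iss"] != iss || claims["aud"] != aud || float64(now.Unix()) >= num(claims["exp"]) {
		return nil, errors.New("issuer, audience or expiry rejected") // aud is assumed to be a single string, not an array
	}
	return claims, nil
}

// Issue stands in for Keycloak's token endpoint: a fresh Ed25519 key, the JWKS exposing it, and a token valid until exp.
func Issue(kid, iss, aud, sub string, exp int64) (string, JWKS) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	enc := func(v any) string { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
	signing := enc(map[string]string{"alg": "EdDSA", "kid": kid}) + "." + enc(map[string]any{"iss": iss, "aud": aud, "sub": sub, "exp": exp})
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing))), JWKS{Keys: []JWK{{kid, "OKP", "Ed25519", b64.EncodeToString(pub)}}}
}
```

A second Issue call stands in for a different, untrusted Authorisation Server: its token carries the same kid but fails verification against the configured JWKS, which is the "issued by the trusted Authorisation Server" check the proposal asks for.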
dhfherna commented

I would like to work on this issue.

VinodAnandan (Contributor, Author) commented

@dhfherna Thank you very much for offering your help so promptly; I truly appreciate it. These are just initial thoughts and ideas. I believe it would be beneficial to debate and discuss further before moving forward with implementation. I’ll also reach out to other DT team members for their feedback on this issue. In the meantime, if you have any questions or alternative ideas, please feel free to share them here.
