Provide Support for Secure API Authentication #4249
Labels: enhancement (New feature or request), help wanted (Extra attention is needed), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), technical debt
Current Behavior
Currently, we are utilising API keys, which are considered to have lower security compared to other secure API authentication methods.
Proposed Behavior
We should allow the external and centralised Authorisation Server (e.g., Keycloak) to handle the authentication and authorisation of clients in addition to API keys; it should be either API keys or centralised authentication.
So in practice, the client will first authenticate with the Authorisation Server using a secure authentication mechanism (e.g. OAuth 2.0 Client Credentials Grant with Private Key JWT, OAuth 2.0 Client Credentials Grant with Private Key JWT + DPoP, etc.), and Keycloak will issue an access_token for the client; the client will then use the short-lived access_token to call DT API endpoints. The DT API will validate whether or not the token was issued by the trusted Authorisation Server.
To enable this, I think DT should allow the JWKS endpoint of the Authorisation Server to be set as a configuration, together with an option to enable external secure API auth.
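The flow proposed above, as an added example that is not part of this issue or of Dependency-Track's code: a stand-in for the Authorisation Server mints an ES256 access_token and publishes the matching JWKS, and a DT-side validator resolves the token's kid against that JWKS, verifies the signature and checks iss, aud and exp before trusting any claim. The kid, issuer and audience values are constructed, and the JWKS is built in memory rather than fetched from the configured JWKS endpoint.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding
type JWKS map[string]struct{ Kty, Crv, X, Y string } // jwks_uri document keyed by kid; constructed locally, not fetched
type Claims struct{ Iss, Aud string; Exp int64 }      // aud kept as a plain string; real tokens may carry an array
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64url -> nil, which fails the later checks
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// NewAuthServer stands in for Keycloak: generate an ES256 signing key and the JWKS it would publish.
func NewAuthServer(kid string) (*ecdsa.PrivateKey, JWKS) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pt := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return priv, JWKS{kid: {Kty: "EC", Crv: "P-256", X: pt(priv.X), Y: pt(priv.Y)}}
}
// MintToken (Authorisation Server side): issue the access_token as a compact JWS signed with ES256.
func MintToken(priv *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "ES256", "kid": kid}) + "." + enc(claims)
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest(signing))
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 signature is raw r||s
	return signing + "." + b64.EncodeToString(sig)
}
// ValidateToken (DT API side): pin the alg, resolve kid in the trusted JWKS, verify the signature, then check iss/aud/exp.
func ValidateToken(tok string, set JWKS, issuer, audience string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed token or alg not ES256")
	}
	k, ok := set[hdr.Kid]
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(k.X)), Y: new(big.Int).SetBytes(dec(k.Y))}
	sig := dec(p[2])
	if !ok || k.Kty != "EC" || k.Crv != "P-256" || len(sig) != 64 || !ecdsa.Verify(pub, digest(p[0]+"."+p[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("unknown kid or invalid signature")
	}
	var c Claims
	if json.Unmarshal(dec(p[1]), &c) != nil || c.Iss != issuer || c.Aud != audience || now >= c.Exp {
		return nil, errors.New("iss, aud or exp rejected")
	}
	return &c, nil
}
```

Exercise it with a `go test` file in the same package; the block deliberately carries no main of its own.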