DPM authentication configuration

The \Site\Properties\WebApi\Authentication properties collection controls the authentication of clients. Clients can authenticate by using either an OAuth2.0 Bearer token or an API key.

Clients can authenticate by setting an “Authorization” HTTP header variable to “Bearer” followed by an access token. The Web API checks that the access token is valid by using the properties under \Site\Properties\WebApi\Authentication\Oidc. It contacts the “Authority” URL which is the OpenID Connect provider that issued the access token. By default, the result of that verification are cached, to avoid contacting the OpenID Connect provider for every request.

The URL of the OpenID Connect provider that issued the access token. This must be the same URL that the client used to request the access token for verification to be successful.

The client id used for authentication when accessing the introspection endpoint of the OpenID Connect provider. For the UNICOM Intelligence “Oidc” OpenID Connect provider, this must be intelligence_web_api.

The client secret used for authentication when accessing the introspection endpoint of the OpenID Connect provider. For the UNICOM Intelligence “Oidc” OpenID Connect provider, this must be F621F470-9731-4A25-80EF-67A6F7C5F4B8.

True: The result is cached for the number of seconds that is specified by the ValidationResultCacheDuration property, which defaults to 5 minutes.

False: The result of verifying an access token is not cached. Every request to the Web API causes an associated request to the OpenID Connect provider to verify the access token. This means that revocation of the access token by the OpenID Connect provider can occur immediately; otherwise, the Web API continues to accept the access token until the previous result is flushed from the cache.

Always set to ValidationEndpoint. This causes a request to the OpenID Connect provider to verify the access token.

Longer durations cause less requests to the identity provider to validate the access token, but will mean the access token is valid for longer after the user logs out, and causes the access token to become invalidated at the identity provider.

Clients can authenticate by setting an “Api-Key” HTTP header variable to the name of a properties collection under \Site\Properties\WebApi\Authentication\ApiKeys.

To avoid frequent DPM accesses, the information for each API key is cached. The caching is controlled by the following DPM properties under \Site\Properties\WebApi\Authentication\ApiKeys.

The interval (in seconds) between flushing of the cache to remove API key data that has expired.

If the API key is used again, the data is read from DPM again. Because of this caching, any API-key that is removed from DPM is valid until this CacheTimeout period expires.

The name of any properties collection that is under \Site\Properties\WebApi\Authentication\ApiKeys is taken as the name of an API key. Use a name that cannot be easily guessed. Any client application authenticating by using an API key must securely store the value of the API key.

In the API Key property collection, there must be a single property called “UserName” which is the name of a user configured in User Administration. Any client request that uses that API key executes as that user.

All other properties in a properties collection are ignored; you can add others that might be useful to you. For example, you can add a “Description” property to store a reminder of what application is using that API key.