DPM authentication configuration
The \Site\Properties\WebApi\Authentication properties collection controls the authentication of clients. Clients can authenticate by using either an OAuth 2.0 Bearer token or an API key.
OIDC configuration
Clients can authenticate by setting an “Authorization” HTTP header variable to “Bearer” followed by an access token. The Web API checks that the access token is valid by using the properties under \Site\Properties\WebApi\Authentication\Oidc. It contacts the “Authority” URL, which is the OpenID Connect provider that issued the access token. By default, the result of that verification is cached, to avoid contacting the OpenID Connect provider for every request.
Authority
The URL of the OpenID Connect provider that issued the access token. This must be the same URL that the client used to request the access token for verification to be successful.
ClientId
The client id used for authentication when accessing the introspection endpoint of the OpenID Connect provider. For the UNICOM Intelligence “Oidc” OpenID Connect provider, this must be intelligence_web_api.
ClientSecret
The client secret used for authentication when accessing the introspection endpoint of the OpenID Connect provider. For the UNICOM Intelligence “Oidc” OpenID Connect provider, this must be F621F470-9731-4A25-80EF-67A6F7C5F4B8.
EnableValidationResultCache
True: The result is cached for the number of seconds that is specified by the ValidationResultCacheDuration property, which defaults to 5 minutes.
False: The result of verifying an access token is not cached. Every request to the Web API causes an associated request to the OpenID Connect provider to verify the access token. This means that revocation of the access token by the OpenID Connect provider takes effect immediately; when caching is enabled, the Web API continues to accept the access token until the previous result is flushed from the cache.
The default value is True.
RequiredScopes
A list of scopes that the access token must be valid for.
Separate multiple scopes by using a comma.
The default value is intelligence_web_api.
ValidationMode
Always set to ValidationEndpoint. This causes a request to the OpenID Connect provider to verify the access token.
ValidationResultCacheDuration
Applies only if EnableValidationResultCache is True.
Specifies the length of time (in seconds) that a validated access token is cached for.
Longer durations result in fewer requests to the identity provider to validate the access token, but mean that the Web API continues to accept the access token for longer after the user logs out and the access token is invalidated at the identity provider.
The default value is 300 seconds (that is, 5 minutes).
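The caching trade-off described above, modelled as an added example (not UNICOM Intelligence code). The provider stub, the class and function names, the token value, and the assumption that every validation result is cached for the full duration are constructed for illustration.

```python
# Added model of the validation result cache; not UNICOM Intelligence code.
class FakeProvider:
    """Constructed stand-in for the OpenID Connect provider's introspection endpoint."""
    def __init__(self, active_tokens):
        self.active = set(active_tokens)
        self.calls = 0

    def introspect(self, token):
        self.calls += 1
        return token in self.active


class TokenValidator:
    """Models EnableValidationResultCache and ValidationResultCacheDuration."""
    def __init__(self, provider, enable_cache=True, cache_duration=300):
        self.provider = provider
        self.enable_cache = enable_cache
        self.cache_duration = cache_duration
        self._cache = {}  # token -> (result, expiry time in seconds)

    def validate(self, token, now):
        if self.enable_cache:
            hit = self._cache.get(token)
            if hit is not None and now < hit[1]:
                return hit[0]  # cached result; provider is not contacted
        result = self.provider.introspect(token)
        if self.enable_cache:
            # Assumption: every result is cached for the full duration.
            self._cache[token] = (result, now + self.cache_duration)
        return result


def simulate(enable_cache, cache_duration=300, revoke_at=60, step=30, total=600):
    """One request every `step` seconds; the token is revoked at `revoke_at`.

    Returns (seconds the token was still accepted after revocation,
             number of requests made to the provider).
    """
    provider = FakeProvider({"tok-constructed"})
    validator = TokenValidator(provider, enable_cache, cache_duration)
    first_rejected = None
    for now in range(0, total + 1, step):
        if now >= revoke_at:
            provider.active.discard("tok-constructed")  # user logged out
        accepted = validator.validate("tok-constructed", now)
        if not accepted and first_rejected is None:
            first_rejected = now
    return first_rejected - revoke_at, provider.calls


if __name__ == "__main__":
    print("cache on :", simulate(True))    # (240, 3)
    print("cache off:", simulate(False))   # (0, 21)
```

The lag is bounded by ValidationResultCacheDuration; it is 240 rather than 300 seconds in this run because the result was cached 60 seconds before the revocation.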
API keys configuration
Clients can authenticate by setting an “Api-Key” HTTP header variable to the name of a properties collection under \Site\Properties\WebApi\Authentication\ApiKeys.
To avoid frequent DPM accesses, the information for each API key is cached. The caching is controlled by the following DPM properties under \Site\Properties\WebApi\Authentication\ApiKeys.
CacheFlushInterval
The interval (in seconds) between flushing of the cache to remove API key data that has expired.
The default value is 60 seconds.
CacheTimeout
How long (in seconds) the cached data for an API key is valid.
If the API key is used again after this period, the data is read from DPM again. Because of this caching, any API key that is removed from DPM remains valid until this CacheTimeout period expires.
The default value is 300 seconds (that is, 5 minutes).
The name of any properties collection that is under \Site\Properties\WebApi\Authentication\ApiKeys is taken as the name of an API key. Use a name that cannot be easily guessed. Any client application authenticating by using an API key must securely store the value of the API key.
In the API Key property collection, there must be a single property called “UserName” which is the name of a user configured in User Administration. Any client request that uses that API key executes as that user.
All other properties in a properties collection are ignored; you can add others that might be useful to you. For example, you can add a “Description” property to store a reminder of what application is using that API key.
See
Configuring the Web API
Web API application