Api Key Authentication from Pasoe Rest Service with Rest protocol in 12.8.4

[Joe Comito]

I am trying to implement ApiKey authentication in my Rest Service.
The Rest protocol I'm using is Rest (not Web) and I'm trying to code the simplest
way to implement using ApiKey.

I have read a lot of documentation and examples. I created a class that checks the header for the ApiKey
and it's part of my project in dev studio.
The Class compiles but the issue is where on the server and what files to use to add my web handle class
so it gets called/used when I call a Get or a Post to my rest service?

I'm using version 12.8.4 and one of the issues was dealing with the documentation with different versions
that show multiple files to set and multiple folders so I'm not sure what is the correct folder and file to set.

Any help would be greatly appreciated.

Thanks,
Joe

 

[peterjudge]

When you're using the REST transport, then web handlers are not involved at all.

For REST, you will need to pass the value of header (I'm guessing) that is used for the API key as an input parameter into the procedure/method you've mapped to the operation, and then process it there.

That said, I would suggest looking into webhandlers - they offer significantly more flexibility that the REST transport.

 

[Stefan]

Beware when using a web handler - if your ApiKey is in the Authorization header, you cannot access it - see https://community.progress.com/s/article/Authorization-header-is-not-sent-in-the-request-to-PASOE

 

[Joe Comito]

Thanks for the information.
Do you have any recommendations on how to use ApiKeys with a Pasoe Rest Service with Rest protocol?
I'm not familiar with Web handlers and reading that article listed in post doesn't look like that is an option anyway.

I'm looking at using type of authentication. Currently my Rest Services have no authentication.
Any recommendations would be appreciated.
Thanks,
joe

 

[Joe Comito]

Thanks for the information.
Do you have any recommendations on how to use ApiKeys with a Pasoe Rest Service with Rest protocol?
I'm not familiar with Web handlers and reading that article listed in post doesn't look like that is an option anyway.

I'm looking at using any type of authentication.
Currently my Rest Services have no authentication.
Any recommendations would be appreciated.

Thanks,
joe

 

[Pierre Gougis]

Hi Joe,

Stefan makes a good point about the Authorization header
limitation in PASOE — this is a known pain point.

For a simple API key approach without touching
the Authorization header, use a custom header instead:

X-API-Key: your-secret-key

Then read it in your ABL procedure

Or if you want to avoid modifying your ABL code entirely,
a gateway layer in front of PASOE handles authentication
before requests even reach your services.

That's often the cleaner approach when you have
multiple services to secure.

Hope this helps.
Pierre — alm77it.com