Connector authentication and authorization

You need a way to verify the identity of your users and to control what users are allowed to do after they connect to an application through your connector. To do this, you need to configure authentication and authorization. If you created a connector by using an OpenAPI document, then the authorization method is imported. If you created your connector from scratch, then you need to specify the type of authorization, and the fields a user needs to complete to access your connector. Refer to the application's REST API to ensure that you configure an authorization method that the application supports.

Authorization methods

The following authorization methods are available. A connector can have more than one type of authorization method. Click each method for more information about the fields that you need to update to configure the connection properties correctly.

Note: Currently, when a connection is created in Connector Development Kit using invalid credentials for an authorization method (except OAuth2 authorization code method), a notification is displayed stating that a connection was created successfully. This is a known limitation in Connector Development Kit, and IBM is in the process of rectifying this issue. Meanwhile, you can use the Test tab to validate if you have an actual connection to your connector.

| Authorization method | Description |
| --- | --- |
| Basic | Basic authentication is a simple method for securing access to web resources. It involves transmitting a username and password, often in an encoded form, in the request headers. This authorization method typically requires a username and password for authentication. |
| Bearer token | Bearer token authentication is a method used to secure access to protected resources, such as APIs. In this approach, a bearer (access) token is provided to authorized users or applications, which is then included in the request headers. This authorization method requires a security token that is called a bearer token for authentication. |
| API keys | API key authentication is a security method used to control access to an API. It involves issuing a unique API key (an alphanumeric code) to authorized users or applications. This authorization method requires a security key such as an API key, access token, client ID, and client secret for authentication. |
| OAuth2 authorization code | OAuth 2.0 authorization code authentication is a secure method used for granting access to user data or resources. It involves a multistep process where a user is redirected to a trusted authorization server to log in and grant permission to a third-party application. A client ID and secret are required in addition to the user signing in to the application's website for authentication. |
| OAuth2 implicit | OAuth2 implicit authentication is a simplified version of OAuth2 used for securing web and mobile applications. Instead of an authorization code, this approach directly provides an access token to the application after the user grants permission. Only a client ID is required, in addition to the user signing in to the application's website for authentication. |
| OAuth2 password | OAuth2 password authentication is a method used to allow a user to directly provide their username and password to an application, which then uses these credentials to obtain an access token from the authorization server. This access token is used to access protected resources. This authorization method does not redirect to the application's website. It requires a username, password, client ID, and client secret for authentication. |
| OAuth2 client | OAuth2 client authentication is a method used to verify the identity of a client application that wants to access protected resources. The client provides its credentials in the form of a client ID and client secret to the authorization server. This authorization method does not redirect to the application's website. It requires a client ID and client secret for authentication. |

Basic

The Display name and Property fields are populated. Update the display name if required and indicate whether the password field is a required field by selecting the Required checkbox.

Figure 1. Basic authorization

Bearer token

The Display name and Property fields are populated. Update the display name if required.

Figure 2. Bearer token authorization

API key

The Display name and Property fields are populated. Update the display name if required and indicate whether the display name is a required field by selecting the Required checkbox. In the Location field, select whether the API key is sent as part of the request query, header, or cookie. If you're not sure, refer to the application's REST API for the answer.

To add another property, click Add connection property +. The API key authorization method supports a maximum of two connection properties.

Figure 3. API key authorization

OAuth 2.0

For the OAuth 2.0 methods, you need to update the following fields:

| Field | Description |
| --- | --- |
| Authentication URL | The website address that is used to verify the identity of the user who wants to connect to your connector. For OAuth2 authorization code and implicit only. |
| Token URL | The unique website address that contains a security token to verify the user's identity and ensures that they have access to use the connector's resources. To obtain this value, refer to the OAuth 2.0 section of the application's REST API. For OAuth2 authorization code, password, and client only. |
| Refresh URL (optional) | The URL that automatically reloads the webpage when you access it. Useful if your connector's website has frequent updates. To obtain this value, refer to the OAuth 2.0 section of the application's REST API. |
| Redirect URL | Use the value provided here when requested by your connector's application. |
| Scopes (optional) | Specify the data that you ask to access on behalf of the user. Users of your connector need to verify their consent when they connect to the application. For a list of scopes, refer to the connector's API documentation. |

For example:

Figure 4. OAuth 2.0 authorization code example
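
Because the authorization method is imported when a connector is built from an OpenAPI document, the security definitions can be reviewed before import against the methods and OAuth 2.0 fields described on this page. The following is an added example, not IBM code or documented Connector Development Kit behaviour: it reads an OpenAPI 3 securitySchemes object, names the corresponding method from this page, and flags missing or non-HTTPS OAuth URLs and API keys placed in the query string. The mapping of OpenAPI names to this page's method names, the function name review_security_schemes, and the sample hostnames are assumptions.

```python
from urllib.parse import urlparse
# OpenAPI 3 flow -> (method name on this page, URL fields the page requires for it).
# This mapping is an assumption of the example, not documented CDK import behaviour.
FLOWS = {
    "authorizationCode": ("OAuth2 authorization code", ("authorizationUrl", "tokenUrl")),
    "implicit": ("OAuth2 implicit", ("authorizationUrl",)),
    "password": ("OAuth2 password", ("tokenUrl",)),
    "clientCredentials": ("OAuth2 client", ("tokenUrl",)),
}

def review_security_schemes(schemes):
    """Return (methods, findings) for an OpenAPI 3 components.securitySchemes dict."""
    methods, findings = [], []
    for name, s in schemes.items():
        kind = s.get("type")
        if kind == "http" and s.get("scheme", "").lower() in ("basic", "bearer"):
            methods.append("Basic" if s["scheme"].lower() == "basic" else "Bearer token")
        elif kind == "apiKey":
            methods.append("API keys")
            if s.get("in") not in ("query", "header", "cookie"):
                findings.append(f"{name}: Location must be query, header, or cookie")
            elif s["in"] == "query":
                findings.append(f"{name}: API key in query string can leak via logs and Referer")
        elif kind == "oauth2":
            flows = s.get("flows", {})
            for flow in [f for f in FLOWS if f in flows]:  # other flow names are ignored
                method, required = FLOWS[flow]
                methods.append(method)
                for field in required:
                    url = flows[flow].get(field)
                    if not url:
                        findings.append(f"{name}/{flow}: missing {field}")
                    elif urlparse(url).scheme != "https":
                        findings.append(f"{name}/{flow}: {field} is not HTTPS")
        else:
            findings.append(f"{name}: {kind!r} scheme maps to no method listed here")
    return methods, findings

# Constructed sample input; hostnames are placeholders, not real endpoints.
SAMPLE = {
    "basicAuth": {"type": "http", "scheme": "basic"},
    "keyInQuery": {"type": "apiKey", "in": "query", "name": "api_key"},
    "oauth": {"type": "oauth2", "flows": {
        "authorizationCode": {"authorizationUrl": "https://auth.example.com/authorize",
                              "tokenUrl": "http://auth.example.com/token"},
        "clientCredentials": {"scopes": {}}}},
}
if __name__ == "__main__":
    print(*review_security_schemes(SAMPLE)[1], sep="\n")
```

Each finding corresponds to a field you would otherwise have to correct by hand in the connection properties after import.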