Authentication and security

Configure authentication and security for REST API integration in Service Definition Framework.

Supported authentication types

Table 1. Authentication types summary

Type       | Configuration           | Use case
-----------+-------------------------+------------------------------------------------
None       | Via UI dropdown         | Public APIs - requires certificate import
OAuth 2.0  | Via UI dropdown         | Client credentials flow with auto token refresh
JWT        | Via custom headers only | Token-based authentication
Basic Auth | Via custom headers only | Username/password authentication

None authentication

Use this for calling public APIs or APIs that don't require authentication headers.

Important: You must import the certificate of the external API into the OMS keystore before making calls.

Configuration: Select "None" in the Authentication Type dropdown.

OAuth 2.0 authentication - client credentials

Use this for enterprise APIs that support OAuth 2.0 client credentials flow.

Configuration fields

  • Client ID: OAuth client identifier - supports ${property} resolution
  • Client Secret: OAuth client secret - supports ${property} resolution
  • Token URL: OAuth token endpoint - supports ${property} resolution
    • If not specified, defaults to /oauth2/token

XML example

<Authentication Type="OAuth">
  <OAuth>
    <ClientId>${oauth.client.id}</ClientId>
    <ClientSecret>${oauth.client.secret}</ClientSecret>
    <TokenUrl>${oauth.token.url}</TokenUrl>
  </OAuth>
</Authentication>

Property example

oauth.client.id=my-client-id
oauth.client.secret=my-client-secret
oauth.token.url=https://auth.example.com/oauth2/token

Note: Token refresh is handled automatically by the system.

JWT authentication via custom headers

Use this for APIs that require JWT bearer tokens.

Important: JWT is not available in the UI dropdown. Configure using custom headers.

Configuration options

Option 1 - Static token:

<Headers>
  <Header Name="Authorization" Value="Bearer eyJhbGc..."/>
</Headers>

Option 2 - Token from property:

<Headers>
  <Header Name="Authorization" Value="Bearer ${my.jwt.token}"/>
</Headers>

Property file:

my.jwt.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Option 3 - Propagate from incoming request:

<Headers>
  <Header Name="Authorization" Value="#{h:authorization}"/>
</Headers>

Basic authentication via custom headers

Use this for APIs that require username/password authentication.

Important: Basic Auth is not available in the UI dropdown. Configure using custom headers.

Configuration

Option 1 - Static credentials:

<Headers>
  <Header Name="Authorization" Value="Basic YWRtaW46cGFzc3dvcmQ="/>
</Headers>

Option 2 - Credentials from property:

<Headers>
  <Header Name="Authorization" Value="Basic ${my.basic.auth}"/>
</Headers>

Property file:

# Base64-encode "username:password" first (Base64 is an encoding, not encryption)
my.basic.auth=YWRtaW46cGFzc3dvcmQ=

Security best practices

  • Always use HTTPS for external API calls
  • Store credentials in properties files; never hardcode them
  • Use OAuth 2.0 when available, because token refresh is automatic
  • Import certificates for "None" authentication
  • Rotate tokens and credentials regularly
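
One way to check a service definition against the practices above before it is deployed, as an added example that is not part of the product or its documentation: the script flags Authorization headers and OAuth client fields that carry literal values instead of the ${property} or #{h:...} references shown on this page, and a token URL that is not HTTPS. The <Service> wrapper element and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder syntaxes shown on this page: ${property} and #{h:header}.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|#\{[^}]+\})$")
SENSITIVE_ELEMENTS = {"ClientId", "ClientSecret"}


def is_literal_credential(value):
    """True when the credential part of a value is not a placeholder."""
    value = (value or "").strip()
    # Strip an auth scheme prefix such as "Bearer " or "Basic ".
    scheme, _, rest = value.partition(" ")
    candidate = rest.strip() if scheme.lower() in ("bearer", "basic") else value
    return bool(candidate) and not PLACEHOLDER.match(candidate)


def find_hardcoded_credentials(xml_text):
    """Return (location, reason) pairs in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag == "Header" and el.get("Name", "").lower() == "authorization":
            if is_literal_credential(el.get("Value")):
                findings.append(("Header Authorization", "literal token or credentials"))
        elif el.tag in SENSITIVE_ELEMENTS and is_literal_credential(el.text):
            findings.append((el.tag, "literal value, expected ${property}"))
        elif el.tag == "TokenUrl" and (el.text or "").strip().lower().startswith("http://"):
            findings.append(("TokenUrl", "token endpoint is not HTTPS"))
    return findings


# Constructed sample; the <Service> wrapper element is hypothetical.
SAMPLE = """<Service>
  <Authentication Type="OAuth">
    <OAuth>
      <ClientId>${oauth.client.id}</ClientId>
      <ClientSecret>my-client-secret</ClientSecret>
      <TokenUrl>http://auth.example.com/oauth2/token</TokenUrl>
    </OAuth>
  </Authentication>
  <Headers>
    <Header Name="Authorization" Value="Basic YWRtaW46cGFzc3dvcmQ="/>
    <Header Name="Authorization" Value="Bearer ${my.jwt.token}"/>
    <Header Name="Authorization" Value="#{h:authorization}"/>
  </Headers>
</Service>"""

if __name__ == "__main__":
    for location, reason in find_hardcoded_credentials(SAMPLE):
        print(f"{location}: {reason}")
```

A token URL supplied through a property reference is not resolved here, so its scheme has to be checked in the property file itself.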