Authentication types (security protocols)

An authentication type (security protocol) is the specific method used to establish a secure connection (for example, Basic Authentication and OAuth 2.0). Configuring the appropriate authentication type ensures that users prove their identity and that the system can enforce necessary access controls. This is essential for protecting sensitive data and can ensure compliance with application-level security requirements.

Purpose

When users connect to an application through a connector, they must authenticate themselves using valid credentials and be authorized to access specific resources. Without proper security configuration, users might gain unintended access or fail to connect altogether. The Connector Development Kit supports multiple authentication types to accommodate different application security models.

If you create a connector by using an OpenAPI document, the authentication type and its configuration are automatically imported from the specification. If you build a connector manually, you must explicitly configure the authentication type and define the required connection properties (the credential fields) that users must provide.

Supported authentication types

Connector Development Kit supports the following authentication types. You can configure one or more methods depending on the requirements of the target application.

| Authentication type | Description | Default connection properties |
| --- | --- | --- |
| Basic | Use Basic authentication to verify user identity with a username and password. The credentials are joined as `username:password`, encoded with Base64, and sent in the Authorization header with the Basic scheme. Base64 is an encoding, not encryption: anyone who can read the request can recover the password, so always use HTTPS to protect the credentials. This method is suitable for simple scenarios where credentials are static and securely managed. | Username, Password, Allow self-signed certificates, and Override server URL |
| Bearer token | Use Bearer token authentication to access protected resources with a security token (whoever holds the token is its "bearer"). The token is sent in the Authorization header with the Bearer scheme. This method is commonly used with OAuth 2.0 and other token-based systems. Always transmit bearer tokens over HTTPS: a captured token grants the same access as the legitimate holder. | Token, Allow self-signed certificates, and Override server URL |
| API key | Use API key authentication to authorize access with a unique alphanumeric key. The key can be passed in a request header, a query parameter, or a cookie. This method is flexible and easy to implement but does not support scopes or key expiration unless custom logic is added. Use HTTPS to protect the key, and avoid placing it in URLs, because query strings are commonly recorded in server logs and browser history. | API key, Allow self-signed certificates, and Override server URL |
| OAuth2 authorization code | Use OAuth 2.0 to enable secure, delegated access to resources. OAuth 2.0 supports multiple flows to meet different security and application requirements. In the authorization code flow, the user is redirected to an authorization server to log in and grant access. The server returns an authorization code, which the client exchanges for an access token. This flow is recommended for server-side applications because the access token is never exposed in the browser redirect. | Authentication URL, Token URL, Refresh URL, Redirect URL, and Scopes |
| OAuth2 implicit | The OAuth 2.0 implicit flow is a simplified flow that returns an access token directly in the redirect after user authorization, without an authorization code. It was designed for browser-based or mobile applications. It is considered less secure than the authorization code flow because the access token is exposed in the redirect URL. | Authentication URL, Refresh URL, Redirect URL, and Scopes |
| OAuth2 password | The OAuth 2.0 password flow lets users provide their username and password directly to the client application. The application uses these credentials to request an access token from the authorization server. This flow involves no redirection and is typically reserved for highly trusted clients (for example, applications owned by the service provider). | Token URL, Refresh URL, Redirect URL, and Scopes |
| OAuth2 client | The OAuth 2.0 client credentials flow is used for server-to-server authentication. The client application presents its client ID and client secret to obtain an access token. This flow grants access to resources owned by the client itself, not to resources on behalf of a user. | Token URL, Refresh URL, Redirect URL, and Scopes |
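The following example, added here and not part of the Connector Development Kit or its code, builds the credential-carrying part of a request for the three non-OAuth types in the table (Basic, Bearer token, API key) and enforces the HTTPS rule the table attaches to each of them. It also decodes a Basic header back into the password, to make concrete why Base64 alone protects nothing. All host names, keys and passwords are constructed placeholders; the `allow_self_signed` and `override_server_url` property names mirror the table's connection properties but are assumptions.

```python
"""Added example: assemble headers, query parameters and cookies for the
Basic, Bearer token and API key types, and refuse to send any of them over
plain HTTP. Host names and secrets below are constructed placeholders."""
import base64
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """Raised when credentials would travel over a non-HTTPS URL."""


def is_https(url: str) -> bool:
    return urlsplit(url).scheme.lower() == "https"


def basic_header(username: str, password: str) -> dict:
    # Basic scheme: "user:pass" as Base64 (an encoding, not encryption).
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def decode_basic_header(value: str) -> tuple:
    """Shows that anyone who reads the header recovers the password."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def bearer_header(token: str) -> dict:
    # Whoever presents this header is the "bearer": the header is the access.
    return {"Authorization": f"Bearer {token}"}


def api_key_credentials(key: str, location: str, name: str) -> tuple:
    """Return (headers, query_params, cookies) with the key in `location`."""
    headers, params, cookies = {}, {}, {}
    if location == "header":
        headers[name] = key
    elif location == "query":
        params[name] = key  # ends up in URLs, hence logs and history
    elif location == "cookie":
        cookies[name] = key
    else:
        raise ValueError(f"unsupported API key location: {location}")
    return headers, params, cookies


def build_request(auth_type: str, props: dict, server_url: str) -> dict:
    """Combine connection properties into the pieces of an outgoing request.

    `props` keys are assumed names modelled on the table's properties:
    username, password, token, api_key, api_key_location, api_key_name,
    allow_self_signed, override_server_url.
    """
    url = props.get("override_server_url") or server_url
    if not is_https(url):
        raise InsecureTransportError(f"refusing to send {auth_type} credentials to {url}")
    headers, params, cookies = {}, {}, {}
    if auth_type == "basic":
        headers.update(basic_header(props["username"], props["password"]))
    elif auth_type == "bearer":
        headers.update(bearer_header(props["token"]))
    elif auth_type == "api_key":
        headers, params, cookies = api_key_credentials(
            props["api_key"], props.get("api_key_location", "header"),
            props.get("api_key_name", "X-API-Key"))
    else:
        raise ValueError(f"unsupported authentication type: {auth_type}")
    return {
        "url": url,
        "headers": headers,
        "params": params,
        "cookies": cookies,
        # "Allow self-signed certificates" disables chain validation; keep it
        # off unless the target is a known test system.
        "verify_tls": not props.get("allow_self_signed", False),
    }


if __name__ == "__main__":
    # Constructed sample values.
    req = build_request("basic", {"username": "alice", "password": "s3cret"},
                        "https://api.example.invalid/v1")
    print(req["headers"])
    print(decode_basic_header(req["headers"]["Authorization"]))
```

The `verify_tls` flag is where the table's "Allow self-signed certificates" property lands: with it set, a man-in-the-middle with any certificate can read the very credentials HTTPS was supposed to protect, so it belongs only on test endpoints.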
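The next example, also added here and not code from the Connector Development Kit, walks through the client side of the OAuth 2.0 authorization code flow the table describes, using the table's connection properties (Authentication URL, Token URL, Refresh URL, Redirect URL, Scopes): build the redirect, validate the callback, and exchange the code for a token. It goes slightly beyond the table by adding the standard `state` parameter, which ties the callback to the session that started the flow. Endpoint URLs, client ID and secret are constructed placeholders.

```python
"""Added example: the three client-side steps of OAuth 2.0 authorization code.
All URLs and client values are constructed placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorization_request(auth_url: str, client_id: str,
                                redirect_url: str, scopes: list) -> tuple:
    """Step 1: the URL the user is redirected to. Returns (url, state);
    the caller stores `state` in the session for step 2."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{auth_url}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the authorization server redirects back to Redirect URL with
    `code` and `state`. Only a callback carrying our own state is trusted."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback did not come from our redirect")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(token_url: str, client_id: str, client_secret: str,
                        code: str, redirect_url: str) -> dict:
    """Step 3: server-side POST that exchanges the code for an access token.
    The client secret is sent only here, over HTTPS, never in the redirect."""
    if urlsplit(token_url).scheme.lower() != "https":
        raise ValueError("Token URL must use HTTPS")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_url,  # must match step 1 exactly
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def build_refresh_request(refresh_url: str, client_id: str, client_secret: str,
                          refresh_token: str) -> dict:
    """Later: use Refresh URL to renew an expired access token without
    sending the user through step 1 again."""
    if urlsplit(refresh_url).scheme.lower() != "https":
        raise ValueError("Refresh URL must use HTTPS")
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {
        "method": "POST",
        "url": refresh_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


if __name__ == "__main__":
    # Constructed placeholders for the connection properties.
    url, state = build_authorization_request(
        "https://auth.example.invalid/authorize", "connector-client",
        "https://connector.example.invalid/callback", ["read", "write"])
    print(url)
    code = parse_callback(
        f"https://connector.example.invalid/callback?code=abc123&state={state}", state)
    print(build_token_request("https://auth.example.invalid/token", "connector-client",
                              "PLACEHOLDER-SECRET", code, "https://connector.example.invalid/callback"))
```

The contrast with the implicit flow in the table is visible in step 3: here the access token is obtained by a back-channel POST that never passes through the browser, which is why the table recommends this flow for server-side applications.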