Hey Appfarm Community!
We would like to use our own REST API from our Appfarm solution, but I don’t see a good way to handle access tokens in a hybrid solution like this. The two approaches that immediately spring to mind are:
- If Appfarm has an Auth API we could call, then we could use Appfarm’s Auth system for this
- We can use our own Auth system, if we can configure Appfarm to use that instead of its own.
But reviewing the docs and the options available, I am worried that neither #1 or #2 can work. How have others solved this kind of issue? What does Appfarm recommend as a best practice in these cases?
I found Web request - Appfarm Documentation and a coworker with Showroom access showed me the referenced example, so that helps!
In order for one of our endpoints to return different data depending on the user though, it looks like we would need to register client ids and secrets for every user in Appfarm, and then continuously update these manually as new users are added? Do we have more automated options?
I’m not sure if I understand correctly what you’re asking for, but you should check out our video series on integrations:
However, in an effort to answer your question: Secrets can be shared across different roles and users, so if you’re using Bearer token for integrations all users can use the same token. You can also send the Appfarm user ID, or some other identification, as a parameter in the request, thereby returning different data to each user.
And regarding the Showroom, you may sign up here:
Thanks, I have signed up and am waiting for access.
I’m not sure that sending separate user IDs in the request is secure though. Anyone with access to our Appfarm solution could grab that single token, switch user ids in the request, and then get access to user data from the API that they should not. For example, think about a Chat system where whenever I call an endpoint to get a list of all of my conversations, I want it to only show me those conversations and not have to create a new endpoint for every user. A secure option here would be creating an auth token per user that the API would use to return appropriate data that user should have access to, and not access to conversations from other users. (There are many more similar examples.)
Based on your answer though, I guess (1) Appfarm only has manual options for creating client ids and secrets, and (2) Appfarm has no options for using a non-Appfarm authorization source. Please correct me if either of these are incorrect!
Access should be granted immediately. Did you press “register here” on the bottom?
Okay, I’m starting to understand what you want to accomplish. Maybe you can use the OAuth2.0 access token in your request? When creating a new secret, you can choose “OAuth 2.0 Value” and get the access token of the logged in user. This secret can then be used in an request, and is specific for the logged-in user. You may also set up whatever authentication you want under Custom Auth under Login config.
Thanks, I have access now!
Your tip combined with Implement third-party authentication - Appfarm Documentation should let us accomplish everything we need to do. Nice!