Question

43
Views
Ben Neal (Benneal92)
The Hartford
Pega BPM Developer
The Hartford
US
Benneal92 Member since 2017 6 posts
The Hartford
Posted: June 14, 2021
Last activity: June 14, 2021
Posted: 14 Jun 2021 12:08 EDT
Last activity: 14 Jun 2021 14:52 EDT

Best Practice to secure REST API

Hi all,

Our team is looking to get the best approach to secure our REST service. We are authenticating based off of clientId and clientSecret passed in the headers. 

Based on what I have seen this might be accomplished through a custom authentication service and activity.

We looked at OAuth2.0 but that does not seem to meet our needs since we are not using a temporary token and basic authentication is based on userID/password which is similar but not exactly what we are doing.

Worth noting that our service is being proxied by IBM API connect so the credentials are being validated there also.

 

How should we store clientId and clientSecret securely? Hoping to reuse a table/feature in Pega that is already providing encryption as opposed to providing encryption ourselves.

How should this activity be implementedShould we create an operator ID to tie to our REST service? From other authentication services we see an operator ID is opened and passed as a parameter on pyOperPage but is this the best practice for an integration?

If we dont use an Operator Id how do would we set the authorization once authenticated?

 

Thanks for any guidance!

***Edited by Moderator Marissa to update Platform Capability tags****
Pega Platform 7.4 Security Data Integration Insurance System Architect