Domorela's Blog: Domorela's REST API: AAA Service
Domorela's API can be accessed by validating administration users in the requests sent. To simplify things and give more security avoiding to send credentials in all queries, Domorela's API allows to use token validation. Thus, the AAA service provides a token to an existing user validating against the API in order to allow that user to use token validation against all of API services.
In order to obtain a token the next requirements are needed:
- access to the Domorela unit from a valid source IP address
- validate against any API service URL using HTTP authentication, that is:
- send a REST query to any SPI service
- include user credentials in the header of the request
- validated user must be an administrator
A token issued by a Domorela unit will be usable only to validate queries against the API of this unit. Nevertheless, after obtaining a token it will be a must store it in a secure place and/or block their use to any unauthorised application, system or device.
After obtaining the token, the user obtains a grace period in which token validation can be used to send REST queries to any API service only on the Domorela unit that issued the token. So there is no need to send user credentials until token expiration.
A token will grant access to the Domorela unit for an established period of days. After reaching the end date, the user must validate again against any of the API service URLs to obtain a new token.
All the validation attempts using tokens will be registered, i.e. accounted, in Domorela's Application Log indicating the origin IP address of all queries. So any activity in the API will be registered allowing forensic analysis in the case of any security breach in which a token could be stolen, or unauthorised access could be gained, from an application, system or device.