There's a clear explanation in Appian documentation that we can authenticate web api access in Appian through 3 ways - Basic, API Key and OAuth.
But, I still have some unclarity in two of them. Would really appreciate your help.
Basic Authentication - Need complete details on this type of authentication. How can we configure it in Appian? I know how a web API can be consumed using these credentials, but not the configuration settings in Appian. Please clarify.
API Key - What is the real use of creating a Service Account when generating an API key? How is the service account connected to a web API and to the third party that is calling the web API? How do the actual flow and security settings work with this authentication when a third-party system submits the API call?
Also, is Basic Authentication in Appian enabled by default? Can I disable it if I don't want to follow this method? Can we have both basic and API key authentication in the Appian configuration but use one of them?
Thanks
I highly recommend reading the documentation. It will answer most of your questions.
While you cannot disable an authentication method, when you create a service user and use the API key, basic auth will not work for this user.
Keep in mind that authentication for APIs really means two things:
The reason that service accounts are needed for API keys is that all object-level security in Appian is configured using users + groups. So if someone authenticates using an API key, the user context used to evaluate whether they have access to the object or not is based on the service account.
As far as basic authentication, there's no configuration required in Appian to allow authenticating using basic auth - just provide the username and password as part of the request. There's no way to disable using basic authentication (that I'm aware of), but you can still disable it in all practical senses by limiting the security on your Web API to only users in the service accounts group. Then, there wouldn't be any users that could authenticate using basic authentication.
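The following is an added example, not part of the original thread and not Appian code: a small Python model of the flow the replies above describe, where credentials resolve to a user context and the Web API's object security is then checked against that user's groups. The user names, group names, key value and result strings are constructed, and the `Appian-API-Key` header name is an assumption that does not appear in this thread.

```python
import base64
import hmac

# Constructed sample directory; every name, password and key is made up.
USERS = {
    "jane.doe": {"password": "s3cret", "groups": {"Case Workers"}, "service": False},
    "svc.partner": {"password": None, "groups": {"Service Accounts"}, "service": True},
}
API_KEYS = {"constructed-key-123": "svc.partner"}  # API key -> service account

def basic_header(username, password):
    """Build the Authorization header a basic-auth client would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate(headers):
    """Resolve request headers to a username (the user context) or None."""
    key = headers.get("Appian-API-Key")  # assumed header name
    if key is not None:
        return API_KEYS.get(key)
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    name, _, password = decoded.partition(":")
    user = USERS.get(name)
    # A service account is reachable through its API key only, never basic auth.
    if user is None or user["service"]:
        return None
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    return name

def call_web_api(headers, allowed_groups):
    """Authenticate first, then evaluate object security as that user."""
    user = authenticate(headers)
    if user is None:
        return "unauthenticated"
    if USERS[user]["groups"] & allowed_groups:
        return "allowed"
    return "denied"

if __name__ == "__main__":
    locked_down = {"Service Accounts"}  # Web API security limited to this group
    print(call_web_api(basic_header("jane.doe", "s3cret"), locked_down))
    print(call_web_api({"Appian-API-Key": "constructed-key-123"}, locked_down))
```

With the Web API's security limited to the service accounts group, a valid basic-auth login still authenticates but is denied at the object, which is the "disabled in all practical senses" outcome described above.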
Thanks Peter Lewis for the elaborate response. Just one confusion: for basic authentication, what credentials do we provide to the client/requestor? Do we create a new basic user account for them in the environment and provide those creds for access, or is it something else?
Yes the credentials are just the username + password for the user account. See this sample for a request that uses basic authentication: docs.appian.com/.../Web_API_Authentication.html
Thanks Peter Lewis, that helped.