Create authentication profiles in Apigee Integration

The tasks in your Apigee Integration may require connection to an external application, service, or data source. An authentication profile lets you configure and store the authentication details for the connection in Apigee Integration. You can configure the task to use the stored authentication profile. Creating an authentication profile is a one-time activity, and you can reuse the same profile in multiple integrations.

Create a new authentication profile

To create a new authentication profile, follow these steps:

  1. From the integration designer, click Manage Authentication Profiles (the authentication profile settings icon).
  2. Click Create New on the Authentication Profiles list page to open the configuration dialog. Enter the following details:
  3. Click Save.

After you save, the new authentication profile is available as an option in the Authorization profile to use dropdown of any task requiring authentication.

Optional. If you have not created an authentication profile prior to configuring an integration task, you can access the profile creation dialog by selecting + Add new authentication profile from the Authorization profile to use dropdown in the task configuration pane. Follow the preceding steps to create a new authentication profile.

Authentication types

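The authentication type required to complete an integration task depends upon the authentication configured in the authorization server. The authorization server can be a standalone server or an API that issues credentials to the calling client. Apigee Integration supports the following authentication types:

  • Auth token
  • JSON Web Token (JWT)
  • OAuth 2.0 authorization code
  • OAuth 2.0 client credentials
  • OAuth 2.0 resource owner password credentials
  • SSL/TLS client certificate only
  • Service account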

The following sections describe the configuration properties of the authentication types.

Auth token

The Auth token authentication type uses a token (credentials) for authentication. The credentials are sent to the server in the HTTP Authorization request header in the Authorization: TYPE CREDENTIALS format. To configure this authentication type, set the following properties:
  • Type: Authentication type such as Basic, Bearer, or MAC.
  • Token: Credentials for the authentication type.

If the authentication server requires an SSL/TLS certificate, upload the certificate and the private key.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

JSON Web Token (JWT)

The JWT authentication type uses JSON Web Token (JWT) for authentication. For more information about JWT, see RFC7519. To configure this authentication type, set the following properties:
  • JWT header: Algorithm used to generate the signature.

    Note: You can only specify the HS256 algorithm.

  • JWT payload: A set of claims. You can use registered, public, or custom claims.
  • Secret: Shared key between the client and the authentication server.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 authorization code

The OAuth 2.0 authorization code authentication type uses an OAuth 2.0 authorization token for authentication. To configure this authentication type, set the following properties:

  • Authentication endpoint: URL of the application's authentication endpoint. You will be redirected to this URL to review the access permissions for the application. The token will only be generated after access is granted.
  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: Client ID provided by the authentication server.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 client credentials

The OAuth 2.0 client credentials authentication type uses an OAuth 2.0 authorization token for authentication. This authentication first requests an access token using the client credentials and then uses the token to access the protected resources. To configure this authentication type, set the following properties:

  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: A unique string provided by the authentication server to the registered client. The Client ID is not a secret, and it is exposed to the resource owner. Use this field along with a client secret.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.
  • Request types: Mechanisms to send the request parameters to the authentication server for fetching the access token. You can specify any of the following request types:

    • Encoder header: Encodes the CLIENT ID and CLIENT SECRET in Base64 format and sends the encoded string in the HTTP authorization header. The remaining request parameters are sent in the HTTP request body.
    • Query parameters: Sends the request parameters in a query string.
    • Request body: Sends the request parameters by using the application/x-www-form-urlencoded content type and UTF-8 charset in the entity-body of the HTTP request.
    • Unspecified
  • Token parameters: Request parameters required to get the token. Specify the values in key-value format where Key is the parameter name and Value is the corresponding parameter value.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

OAuth 2.0 resource owner password credentials

The OAuth 2.0 resource owner password credentials authentication type uses an OAuth 2.0 authorization token for authentication. This authentication first requests an access token using the resource owner credentials (Username and Password) and then uses the token to access the protected resources. To configure this authentication type, set the following properties:

  • Token endpoint: Endpoint that grants or refreshes the access token.
  • Client ID: A unique string provided by the authentication server to the registered client. The Client ID is not a secret, and it is exposed to the resource owner. Use this field along with a client secret.
  • Secret: Shared secret key between the client (integration) and the authentication server.
  • Scope(s): Scope of the access token. Scopes let you specify access permissions for users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.
  • Username: Username of the resource owner.
  • Password: User password.
  • Request types: Mechanisms to send the request parameters to the authentication server for fetching the access token. You can specify any of the following request types:

    • Encoder header: Encodes the CLIENT ID and CLIENT SECRET in Base64 format and sends the encoded string in the HTTP authorization header. Sends the remaining request parameters in the HTTP request body.
    • Query parameters: Sends the request parameters in a query string.
    • Request body: Sends the request parameters by using the application/x-www-form-urlencoded content type and UTF-8 charset in the entity-body of the HTTP request.
  • Token parameters: Request parameters required to get the token. Specify the values in key-value format where Key is the parameter name and Value is the corresponding parameter value.
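
The Request types listed for the client credentials and resource owner password credentials profiles differ in where the client secret ends up in the token request. The following added example (not Apigee code) builds the request for each type without sending it and reports which part carries the secret. The request-type labels, endpoint, and credentials are constructed; it assumes the RFC 6749 HTTP Basic form for Encoder header and that the client ID and secret travel with the other parameters for the remaining types.

```python
import base64
from urllib.parse import quote_plus, urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}


def build_token_request(request_type, token_endpoint, client_id, secret, scopes, token_params):
    """Return (url, headers, body) for a token request. Nothing is sent.

    request_type is "encoder_header", "query_parameters" or "request_body";
    these labels are chosen for this example and are not Apigee API values.
    token_params carries the grant, e.g. {"grant_type": "client_credentials"}.
    """
    params = dict(token_params)
    if scopes:
        params["scope"] = " ".join(scopes)  # multiple scopes, single-space separated
    creds = {"client_id": client_id, "client_secret": secret}
    if request_type == "encoder_header":
        # Assumption: HTTP Basic form from RFC 6749 section 2.3.1.
        pair = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode("utf-8")
        auth = "Basic " + base64.b64encode(pair).decode("ascii")
        return token_endpoint, {"Authorization": auth, **FORM}, urlencode(params)
    if request_type == "request_body":
        return token_endpoint, dict(FORM), urlencode({**params, **creds})
    if request_type == "query_parameters":
        return token_endpoint + "?" + urlencode({**params, **creds}), {}, ""
    raise ValueError(f"unknown request type: {request_type}")


def secret_exposure(request, secret):
    """Name the parts of a built request that carry the client secret."""
    url, headers, body = request
    needle, places = quote_plus(secret), []
    if needle in url:
        places.append("url")  # URLs are commonly written to access and proxy logs
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic" and needle in base64.b64decode(value).decode("utf-8"):
        places.append("authorization-header")  # Base64 is encoding, not encryption
    if needle in body:
        places.append("body")
    return places
```

With Query parameters the secret (and, for the password grant, the user's password) becomes part of the URL, so prefer Encoder header or Request body unless the authorization server accepts nothing else.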

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

SSL/TLS client certificate only

The SSL/TLS client certificate only authentication type uses only the SSL/TLS certificate for authentication. To configure this authentication type, upload the following files:
  • SSL certificate: Certificate encoded in PEM format.
  • Private key: Certificate's private key file encoded in PEM format.

    If the private key requires a passphrase, enter the Private key passphrase.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

Service account

The Service account authentication type uses the credentials of a Google Cloud project's service account for authentication. For more information, see Service accounts. To configure this authentication type, set the following properties:

  • Service account: Email of the service account in your Google Cloud project with permission to access your API.

    Note: Make sure to add the Service Account Token Creator role to the service-GCP_PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com principal in the service account created for your Cloud project.

  • Scope(s): Scope of the access permissions granted to users. You can specify multiple scopes separated by a single space (" "). For more information, see OAuth 2.0 Scopes for Google APIs.

If the authentication server requires an SSL certificate, upload the certificate and the private key using the file picker. Enter the private key passphrase in the available field, if required.

To find out which tasks support this authentication type, see Compatibility of authentication types with tasks.

Compatibility of authentication types with tasks

The following table lists the authentication types and the corresponding compatible tasks. You can use this information to decide which authentication type to use for a task.

Authentication type Compatible tasks and triggers
Auth token
JSON Web Token (JWT)
OAuth 2.0 authorization code
OAuth 2.0 client credentials
OAuth 2.0 resource owner password credentials
SSL/TLS client certificate only
Service account