Register a secured API
Application Connectivity allows you to register a secured API exposed by your external solution. The supported authentication methods are Basic Authentication, OAuth, OAuth 2.0 mTLS, and client certificates.
You can specify only one authentication method for every secured API you register.
Additionally, you can secure the API against cross-site request forgery (CSRF) attacks. CSRF tokens are an additional layer of protection and can accompany any authentication method.
NOTE: Registering a secured API is a part of registering services of an external solution connected to Kyma.
Register a secured API
To register a secured API, add a service object to the services section of the Application CR. You must include these fields:
Field | Description |
---|---|
id | Identifier of the service. Must be unique in the scope of Application CR. |
name | Name of the service. Must be unique in the scope of Application CR. Allowed characters include: lowercase letters, numbers, and hyphens. |
displayName | Display name of the service. Must be unique in the scope of Application CR. Its normalized form constitutes a part of the GATEWAY_URL path. The normalized version of displayName in the path is stripped of all non-lowercase, non-alphanumeric characters except hyphens, and of all trailing hyphens. |
description | Description of the service |
providerDisplayName | Name of the service provider |
entries | Object containing service details |
Entries
The entries object must contain the following fields:
Field | Description |
---|---|
credentials | Optional object containing credentials used for authentication. Must be specified for secured APIs. |
targetUrl | URL to the API |
type | Entry type. Use the API type when registering an API. |
requestParametersSecretName | Optional name of a Secret with additional request parameters and headers |
Credentials
The credentials object must contain the following fields:
Field | Description |
---|---|
secretName | Name of a Secret storing credentials |
type | Authentication method type. Supported values: Basic , OAuth , OAuthWithCert , CertificateGen . |
authenticationUrl | Optional OAuth token URL, valid only for the OAuth and OAuthWithCert types. |
Register a Basic Authentication-secured API
This is an example of the service object for an API secured with Basic Authentication:
- id: {TARGET_UUID} name: my-basic-auth-service displayName: "My Basic Auth Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} type: Basic targetUrl: {TARGET_API_URL} type: API
This is an example Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: username: {BASE64_ENCODED_USER_NAME} password: {BASE64_ENCODED_PASSWORD}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal username={USER_NAME} --from-literal password={PASSWORD} -n kyma-system
Register an OAuth-secured API
This is an example of the service object for an API secured with OAuth:
- id: {TARGET_UUID} name: my-oauth-service displayName: "My OAuth Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} authenticationUrl: {OAUTH_TOKEN_URL} type: OAuth targetUrl: {TARGET_API_URL} type: API
This is an example of the Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: clientId: {BASE64_ENCODED_CLIENT_ID} clientSecret: {BASE64_ENCODED_CLIENT_SECRET}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal clientId={CLIENT_ID} --from-literal clientSecret={CLIENT_SECRET} -n kyma-system
Register an OAuth 2.0 mTLS-secured API
This is an example of the service object for an API secured with OAuth where the token is fetched from an mTLS-secured endpoint:
- id: {TARGET_UUID} name: my-mTLS-oauth-service displayName: "My mTLS OAuth Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} authenticationUrl: {OAUTH_TOKEN_URL} type: OAuthWithCert targetUrl: {TARGET_API_URL} type: API
This is an example of the Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: clientId: {BASE64_ENCODED_CLIENT_ID} crt: {BASE64_ENCODED_CERTIFICATE} key: {BASE64_ENCODED_PRIVATE_KEY}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal clientId={CLIENT_ID} --from-literal crt={CERTIFICATE} --from-literal key={PRIVATE_KEY} -n kyma-system
Register a client certificate-secured API
This is an example of the service object for an API secured with a client certificate:
- id: {TARGET_UUID} name: my-client-cert-service displayName: "My Client Cert Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} type: CertificateGen targetUrl: {TARGET_API_URL} type: API
This is an example of the Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: crt: {BASE64_ENCODED_CERTIFICATE} key: {BASE64_ENCODED_PRIVATE_KEY}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal crt={CERTIFICATE} --from-literal key={PRIVATE_KEY} -n kyma-system
Register a CSRF-protected API
This is an example of the service object for an API secured with both Basic Authentication and a CSRF token:
- id: {TARGET_UUID} name: my-csrf-service displayName: "My CSRF Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} type: Basic csrfInfo: tokenEndpointURL: {CSRF_TOKEN_URL} targetUrl: {TARGET_API_URL} type: API
NOTE: It is assumed that the CSRF token endpoint service uses the same credentials as the target API.
This is an example of the Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: username: {BASE64_ENCODED_USER_NAME} password: {BASE64_ENCODED_PASSWORD}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal username={USER_NAME} --from-literal password={PASSWORD} -n kyma-system
Use headers and query parameters for custom authentication
You can specify additional headers and query parameters to inject to requests made to the target API. You can use it with any authentication method.
This is an example of the service object for an API secured with Basic Authentication and including additional headers and query parameters.
- id: {TARGET_UUID} name: my-headers-params-service displayName: "My Headers Params Service" description: "My service" providerDisplayName: "My organisation" entries: - credentials: secretName: {SECRET_NAME} type: Basic targetUrl: {TARGET_API_URL} requestParametersSecretName: {QUERY_PARAMS_SECRET_NAME} type: API
This is an example of the Secret containing credentials:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: username: {BASE64_ENCODED_USER_NAME} password: {BASE64_ENCODED_PASSWORD}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal username={USER_NAME} --from-literal password={PASSWORD} -n kyma-system
This is an example of the Secret containing headers and request parameters:
apiVersion: v1kind: Secretmetadata: name: {SECRET_NAME} namespace: kyma-systemdata: headers: {BASE64_ENCODED_HEADERS_JSON} queryParameters: {BASE64_ENCODED_QUERY_PARAMS_JSON}
To create such a Secret, run this command:
kubectl create secret generic {SECRET_NAME} --from-literal headers={HEADERS_JSON} --from-literal queryParameters={QUERY_PARAMS_JSON} -n kyma-system
Additional headers stored in the Secret must be provided in the form of a valid JSON document. This is an example of a headers JSON containing one entry:
{"{MY_HEADER}":["{MY_HEADER_VALUE}"]}
Additional query parameters stored in the Secret must be provided in the form of a valid JSON document. This is an example of a headers JSON containing one entry:
{"{MY_QUERY_PARAM}":["{MY_QUERY_PARAM_VALUE}"]}