Authentication for Authorize gateway endpoints
To enhance security for certain endpoints, the gateway instance can enforce client authentication using a shared secret.
Shared secrets are enforced per gateway instance and not shared between instances. To define a shared secret, use one of the available configuration methods to pass the authentication JSON object to your gateway instance.
Example authentication object:

    {
      "authentication": {
        "type": "sharedsecret",
        "keys": ["example-secret-key"]
      }
    }
Configuration properties for the authentication object:
- type: A constant set to sharedsecret.
- keys: An array containing shared secrets as strings.

Note: Secret keys must be at least 128 bits.
To avoid service interruptions, the gateway instance allows authenticated endpoints to accept multiple, distinct shared secrets at the same time. This allows time to update the gateway instance’s configuration to use a new shared secret.
For example:

    {
      "authentication": {
        "type": "sharedsecret",
        "keys": ["example-secret", "example-secret-2"]
      }
    }
After it’s enabled, the gateway instance will require authentication for the following endpoints:
- /api/authorize
- /actuator/state
- /actuator/metrics
- /actuator/metrics/*
Any request made to these endpoints must provide one of the configured shared secrets as a bearer token in the Authorization header.
For example:

    curl --location 'http://localhost:8080/api/authorize' \
      --header 'Authorization: Bearer example-secret' \
      --header 'Content-Type: application/json' \
      --data '
      {
        "parameters": {
          "Amount": "990",
          "Account": "Basic checking",
          "Payment.consentId": "{{consentID}}"
        }
      }'
Note: If you have defined multiple shared secrets for secret rotation, the
Authentication is not supported for the following endpoints:
- /actuator
- /actuator/health
- /actuator/health/liveness
- /actuator/health/readiness
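The following is an added illustration, not the gateway's own code: a minimal model of the rules above (the 128-bit minimum on each key, bearer-token checks against every configured key so that rotation works, and the split between protected and always-open endpoints). The function names and the constructed key values are assumptions made for this example.

```python
import hmac

def load_authentication(config: dict) -> list:
    """Validate the 'authentication' object and return the accepted keys.

    Mirrors the page's rules: type must be 'sharedsecret' and every key
    must be at least 128 bits (16 bytes) long. Function name is assumed.
    """
    auth = config["authentication"]
    if auth.get("type") != "sharedsecret":
        raise ValueError("unsupported authentication type")
    keys = list(auth.get("keys") or [])
    for key in keys:
        if len(key.encode("utf-8")) < 16:
            raise ValueError("shared secret must be at least 128 bits")
    return keys

def requires_auth(path: str) -> bool:
    """True when the path is one of the endpoints the page lists as protected.

    /actuator and the health probes stay open so liveness/readiness checks
    keep working without credentials.
    """
    if path in ("/actuator", "/actuator/health") or path.startswith("/actuator/health/"):
        return False
    if path == "/actuator/metrics" or path.startswith("/actuator/metrics/"):
        return True
    return path in ("/api/authorize", "/actuator/state")

def is_authorized(keys: list, authorization_header) -> bool:
    """Check 'Authorization: Bearer <secret>' against every configured key.

    Accepting any configured key is what allows rotation: add the new key,
    move clients over, then drop the old one. Every key is compared in
    constant time and the loop does not short-circuit, so a response time
    does not reveal how close a presented value came to a real key.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    presented = authorization_header[len("Bearer "):].strip().encode("utf-8")
    matched = False
    for key in keys:
        matched |= hmac.compare_digest(presented, key.encode("utf-8"))
    return matched
```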