Understanding Communication Between CentraSite and API-Portal
CentraSite provides a secure platform for access token generation and management.
An API Runtime Provider might want to restrict API usage by enforcing access tokens. If an API that is exposed in API-Portal enforces access tokens, a user gets the option to request an access token of type API key or OAuth2. The access token request for an API is a three-step process in CentraSite.
1. Client creation process: Whenever a client requests an access token for an API in API-Portal, CentraSite receives the request for the API access token, and processes the request. CentraSite checks if the client who made the access token request already exists in the CentraSite registry. If the client already exists in the registry, then CentraSite generates an access token entry in the registry. However, if the client does not already exist in the registry, CentraSite performs the client creation process. During this process CentraSite registers the client as a member of the consumer organization configured for the registered API-Portal in the CentraSite registry. For more information about the Consumer Organization property for a registered API-Portal, see Registering an API-Portal Gateway with CentraSite.
2. Access token generation process: After a client (API-Portal user) is successfully created in the registry, CentraSite generates the access token and usage details for the API.
If an approval process is configured for access token generation, CentraSite initiates the approval process and submits the client's request to the designated group of approvers. Approvers receive the approval request in the Pending Approval Requests of the API details page. Approvers whose user account includes a valid email address also receive an email message informing them that a request is awaiting their approval. CentraSite does not execute the client's requested operation until it obtains the necessary approvals. If an approver rejects the request, the requested access token is not generated.
3. Notification process: If the access token generation is successful, CentraSite returns a success message to the API-Portal and notifies the client (including data that is pertinent to the access token validity and usage of the API) through email.
Similarly, when those clients subsequently request renewal or revocation of the access key, CentraSite verifies the client credentials, performs the requested operation, and notifies the API-Portal and client.
Points to keep in mind when API-Portal is jointly used with CentraSite:
When a client requests an access token from the API-Portal, CentraSite generates a User object entry in the registry that describes the client, and then stores the user entry in the repository. This user will not be allowed to log into CentraSite or perform any operation in CentraSite.
CentraSite automatically associates the users with the API-Portal's Consumer Organization. This Consumer Organization property, which is configured during the registration of an API-Portal with CentraSite, specifies the organization to which the new user will be added.
The consumer organization owns the users from an API-Portal. You cannot delete this consumer organization, unless you belong to a CentraSite Administrator role.
You cannot delete an API-Portal user from the registry, unless you belong to a CentraSite Administrator role.
If your user account belongs to the API Runtime Provider role for an organization, you automatically have permission to renew or revoke access keys in that organization. If your user account belongs to the CentraSite Administrator role, you have permission to renew or revoke any access key on the server.