Implementing authentication for the Content Delivery Web service or a Web site
This topic describes the authentication framework that you can use to enable affiliate Web sites to interact securely with your published, SDL Tridion-based Web site, and with the Content Delivery Web service.
The following overview shows how the framework is set up:
- An SDL Tridion administrator creates and manages client accounts for affiliate Web sites. Such an account consists of a client ID (username) and a client secret (password), and may also include a set of named parameters called authorization attributes. Accounts are configured in the Content Delivery Web service configuration.
- The SDL Tridion administrator communicates the account information to the administrator of an affiliate Web site out of band (for example, by e-mail or over the phone), together with the URLs of the secure token service and of the Content Delivery Web service or Web site. Treat the client secret like any other credential: it is the only thing that distinguishes the affiliate from anyone else who learns the client ID.
To connect to the secure Web service or Web site, a Web application on the affiliate Web site first sends a request to the secure token service, supplying the client ID and client secret:
- The client ID is supplied as a query parameter of the URL, called client_id.
- The client secret is supplied either as the value of the HTTP header called Authorization, or as a query parameter called client_secret. Prefer the header: query strings are routinely written to Web server, proxy and browser logs, where a secret passed as client_secret would be exposed.
If the credentials are valid, the secure token service sends back an HTTP response containing an access token and the token's expiration time.
- The affiliate Web site then extracts the token from the response and, when sending HTTP requests to the Web service or Web site, sets the HTTP header called Authorization to this value. Because the token expires, the application should obtain a new token before the expiration time passes (or when a request is rejected) rather than reuse one token indefinitely.
- To validate these incoming requests, use a request validator. SDL Tridion ships with a built-in request validator that implements OAuth 2.0, but you can replace it with your own by changing the value of the RequestValidator element (a fully qualified Java class name). The request validator is configured in the Ambient Data Framework configuration.
- In SDL Tridion's OAuth implementation, two parameters are shared between the secure token service and the request validator: the shared secret and the token expiration time. If you provide your own request validator, you can define your own parameters.
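The affiliate side of the exchange described above, written out as an added example (this is not SDL Tridion code, nor code from the product documentation). The page does not specify the body format of the token service's response, so the example assumes a JSON body with "access_token" and "expires_in" (seconds) fields; the URLs, client ID, secret and token values are placeholders, and the fake transport at the bottom is a constructed stand-in for the token service and Web service so that the script runs offline. It sends the client ID as the client_id query parameter and the secret in the Authorization header (not the client_secret query parameter), caches the token, and refreshes it shortly before the returned expiration time.

```python
"""Affiliate-side client for the SDL Tridion token flow (added example).

Assumptions not stated on the page: the secure token service replies with
JSON {"access_token": ..., "expires_in": seconds}; the Authorization header
carries the raw client secret on the token request and the raw token on
service requests, as the text describes. All names and URLs are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sts.example.com/token"        # placeholder STS URL
SERVICE_URL = "https://cd.example.com/odata.svc"   # placeholder CD Web service URL
REFRESH_SKEW = 30  # seconds before expiry at which a fresh token is requested


def http_get(url, headers):
    """Real transport: perform the GET and return (status, body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


def build_token_request(token_url, client_id, client_secret):
    """Return (url, headers) for the token-service call.

    client_id goes in the query string, as the framework requires. The secret
    goes in the Authorization header rather than the client_secret query
    parameter: query strings end up in access logs, proxies and browser
    history, while request headers normally do not.
    """
    url = token_url + "?" + urllib.parse.urlencode({"client_id": client_id})
    return url, {"Authorization": client_secret}


def parse_token_response(body, now):
    """Extract (token, absolute expiry time) from the response body.

    The field names are an assumption; adjust them to what your STS returns.
    """
    data = json.loads(body)
    return data["access_token"], now + int(data["expires_in"])


class TokenClient:
    """Caches the access token and refreshes it shortly before it expires."""

    def __init__(self, client_id, client_secret, transport=http_get, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport   # injectable so the flow can be exercised offline
        self.clock = clock
        self.token = None
        self.expires_at = 0.0
        self.token_requests = 0      # number of round trips to the STS

    def access_token(self):
        now = self.clock()
        if self.token is None or now >= self.expires_at - REFRESH_SKEW:
            url, headers = build_token_request(TOKEN_URL, self.client_id, self.client_secret)
            status, body = self.transport(url, headers)
            if status != 200:
                raise RuntimeError("token request failed with HTTP %d" % status)
            self.token, self.expires_at = parse_token_response(body, now)
            self.token_requests += 1
        return self.token

    def get(self, url):
        """Call the protected Web service with the token in the Authorization header."""
        return self.transport(url, {"Authorization": self.access_token()})


def fake_transport(url, headers):
    """Constructed stand-in for the STS and the Web service (offline use only)."""
    parsed = urllib.parse.urlparse(url)
    if parsed.path.endswith("/token"):
        qs = urllib.parse.parse_qs(parsed.query)
        if qs.get("client_id") == ["affiliate1"] and headers.get("Authorization") == "s3cret":
            return 200, json.dumps({"access_token": "tok-abc", "expires_in": 120})
        return 401, ""
    if headers.get("Authorization") == "tok-abc":
        return 200, "<feed/>"
    return 401, ""


if __name__ == "__main__":
    client = TokenClient("affiliate1", "s3cret", transport=fake_transport)
    print(client.get(SERVICE_URL))
```

Pass transport=http_get (the default) to talk to a real deployment; the injectable clock exists so that the refresh-before-expiry behaviour can be checked without waiting.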
To set up this framework, perform the following configuration tasks:
- Manage client accounts. Client accounts are managed in the <Accounts> section of the Content Delivery Web service configuration, cd_webservice_conf.xml. Each client account is an Account element with the following attributes:
  - id - the client ID for this account
  - password - the client secret for this account
  The Account element can also have an AuthorizationAttributes child element containing one or more Param elements. These Param elements are named, typed parameters with a Name, Type and Value attribute.
- Configure shared information. In the default implementation, the secure token service and the Web service or Web site share the following information:
  - a shared secret, configured as a SharedSecret element (a string)
  - a token expiration time, configured as the timeInSeconds attribute of an optional TokenExpireTime element
  Configure the SharedSecret and TokenExpireTime elements, with identical values, in two configuration files:
  - as child elements of the AuthenticationServer element in the Content Delivery Web service configuration, cd_webservice_conf.xml
  - as child elements of the RequestValidator element in the Ambient Data Framework configuration, cd_ambient_conf.xml. This element is inside the Security element, which is commented out by default; remove the comment delimiters to enable it.
  If the two copies differ, tokens issued by the secure token service will not validate. Choose a long, random shared secret and keep the token expiration time short enough that a leaked token has limited use.
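The two configuration tasks above, shown as fragments of the two files (an added illustration, not taken from the product's shipped configuration). Only the elements and attributes named in this topic are shown; the surrounding structure of each file, the attribute that names the validator class on RequestValidator, the Type vocabulary of Param, and all values are placeholders and must be taken from the templates that ship with your installation.

```xml
<!-- cd_webservice_conf.xml (fragment): client accounts and the shared values -->
<Accounts>
  <Account id="affiliate1" password="s3cret">
    <AuthorizationAttributes>
      <Param Name="region" Type="string" Value="emea"/>
    </AuthorizationAttributes>
  </Account>
</Accounts>
<AuthenticationServer>
  <SharedSecret>replace-with-a-long-random-value</SharedSecret>
  <TokenExpireTime timeInSeconds="600"/>
</AuthenticationServer>

<!-- cd_ambient_conf.xml (fragment): uncomment Security, then mirror the same two values -->
<Security>
  <!-- Keep the validator class reference exactly as the shipped, commented-out template has it. -->
  <RequestValidator>
    <SharedSecret>replace-with-a-long-random-value</SharedSecret>
    <TokenExpireTime timeInSeconds="600"/>
  </RequestValidator>
</Security>
```

The SharedSecret and the timeInSeconds value must be byte-for-byte identical in both files; a mismatch shows up as every affiliate request being rejected even though the token service issued the token without complaint.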