Implementing authentication for the Content Delivery Web service or a Web site

This topic describes the authentication framework that you can use to enable affiliate Web sites to interact securely with your published, SDL Tridion-based Web site, and with the Content Delivery Web service.

The following overview shows how the framework is set up:

  • An SDL Tridion administrator creates and manages client accounts for affiliate Web sites. Such accounts consist of a client ID (username) and a client secret (password), and may also include a set of named parameters called authorization attributes. These accounts are configured in the Content Delivery Web service configuration.
  • The SDL Tridion administrator communicates the account information, together with the URLs of the secure token service and of the Content Delivery Web service or Web site, directly to the administrator of an affiliate Web site (for example, by e-mail or over the phone).
  • To connect to the secure Web service or Web site, a Web application on the affiliate Web site first sends a request to a secure token service, supplying the client ID and client secret:

    • The client ID is supplied as a query parameter to the URL called client_id.
    • The client secret is supplied either as the value of the HTTP header called Authorization, or as a query parameter called client_secret.

    If the credentials are valid, the secure token service sends back an HTTP response containing an access token and the token's expiration time.

  • The affiliate Web site then extracts the token from the response and, when sending HTTP requests to the Web service or Web site, sets the HTTP header called Authorization to this value. To validate these incoming requests, use a request validator. SDL Tridion ships with a built-in request validator that implements OAuth 2.0, but you can replace it with your own by changing the value of the RequestValidator element (a fully qualified Java class name). The request validator is configured in the Ambient Data Framework configuration.
  • In SDL Tridion's OAuth implementation, two parameters are shared between the secure token service and the request validator: the shared secret and the token expiration time. If you provide your own request validator, you can provide your own parameters.
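The token flow described above, as an added example that is not part of SDL Tridion's code: a minimal Python secure token service and request validator that share only a secret and an expiration time, mirroring the SharedSecret and TokenExpireTime settings. The token format (a signed JSON payload), the account values and the URLs are assumptions, because the page does not specify what the token contains.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the configuration described above (not real Tridion values):
# one Account with id/password and an AuthorizationAttributes Param, plus the two
# values shared between the token service and the request validator.
ACCOUNTS = {"affiliate-1": {"password": "s3cret", "attrs": {"region": "EU"}}}
SHARED_SECRET = b"shared-secret-from-config"   # SharedSecret element
TOKEN_EXPIRE_SECONDS = 300                     # TokenExpireTime timeInSeconds


def _sign(payload: bytes) -> str:
    # Assumed token format: HMAC-SHA256 over the payload, keyed with the shared secret.
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def token_service(url: str, headers: dict, now: int) -> dict:
    """Secure token service: client_id comes from the query string, client_secret
    from the Authorization header or, failing that, the client_secret query parameter."""
    qs = parse_qs(urlsplit(url).query)
    client_id = qs.get("client_id", [None])[0]
    secret = headers.get("Authorization") or qs.get("client_secret", [None])[0]
    account = ACCOUNTS.get(client_id)
    if account is None or secret is None or \
            not hmac.compare_digest(account["password"].encode(), secret.encode()):
        return {"status": 401}
    expires_at = now + TOKEN_EXPIRE_SECONDS
    claims = {"client_id": client_id, "exp": expires_at, "attrs": account["attrs"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return {"status": 200, "access_token": token, "expires_at": expires_at}


def request_validator(headers: dict, now: int):
    """Request validator: accepts a request only if the Authorization header carries a
    token with a valid signature that has not expired; returns the claims, else None."""
    token = headers.get("Authorization", "")
    if "." not in token:
        return None
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):  # constant-time
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None
```

Because the validator never consults the account list, it depends only on the two shared values, which is why the page insists they be identical in both configuration files.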

To set up this framework, perform the following configuration tasks:

Managing client accounts

Client accounts are managed in the <Accounts> section in the Content Delivery Web service configuration, cd_webservice_conf.xml. Each client account is an Account element with the following attributes:

id
    A client ID for this account
password
    A client secret for this account

The Account element can also have an AuthorizationAttributes child element containing one or more Param elements. These Param elements are named, typed parameters with a Name, Type and Value attribute.

Configure shared information

In the default implementation, the secure token service and the Web service or Web site share the following information:

  • A shared secret, configured as a SharedSecret element (a string)
  • A token expiration time, configured as the timeInSeconds attribute of an optional TokenExpireTime element

Configure the SharedSecret and TokenExpireTime elements, with identical values, in two configuration files:

  • as child elements of the AuthenticationServer element in the Content Delivery Web site configuration in cd_webservice_conf.xml
  • as child elements of the RequestValidator element in the Ambient Data Framework configuration in cd_ambient_conf.xml. This element is inside the Security element, which by default is commented out; remove the comment delimiters to enable it.