The API Server stores data securely encrypted on the client and in the database.
The certificate is configured when the API server is installed on the IIS.
For more information about configuring encryption, see the One Identity Manager Web Application Configuration Guide.
In this chapter, you will find general policies and conventions, which you must take into account when you create an API.
Detailed information about this topic
In this section, you will find information about handling queries that are sent to the API Server.
Authentication
When a query is sent to the API Server, there is a test to ascertain the success of the primary and, possibly, secondary login in the session for the current project (see Authentication).
NOTE: This test is not done if the API method used by the query is marked as AllowUnauthenticated.
The imx-session-<API project name> cookie is evaluated to allocate the current session.
If a cookie is passed that cannot be associated with an active session in the current process, the security token in the cookie is used to set up a new session (see Session status and security tokens).
If there is no primary login, the API Server tries to establish a database connection through one of the enabled single sign-on authentication modules.
If login cannot be carried out, the process is canceled and the HTTP error code 500 is passed to the client (see Response codes).
Authorizing method access
The API Server checks whether the currently logged in user is authorized to run the method. If the user does not have the required permissions, the process is canceled and the HTTP error code 500 is passed to the client (see Response codes).
Validating the query
The API Server calls the validators stored with the API method one by one. If one fails, the process is canceled and the HTTP error code 400 is passed to the client (see Response codes).
Processing queries (for entity methods)
- GET (for loading entities)
-
Determines the WHERE clause with internal and external filters
-
Loads data from the database
-
Enriches entities with calculated columns
-
Entities in delayed logic mode can be changed with a POST query or deleted with a DELETE query. Entities in this mode are stateless and do not occupy resources on the server after the query has been processed.
Supported HTTP methods:
-
GET (for loading entities)
-
POST (for changing entities)
-
DELETE (for deleting entities)
-
Interactive entities must be created once with a PUT query and after that they obtain their own ID. Use the ID in subsequent queries (POST or DELETE).
Supported HTTP methods:
-
PUT (for creating interactive entities)
-
POST (for changing interactive entities)
-
DELETE (for deleting interactive entities)