Delegated Authorization

Overview

Delegated Auth is a way for the authentication headers to be captured and returned in an encrypted text. This text can then be used to authenticate future requests. The primary use case is for VC UI. This allows for a request to be made through salesforce through the Named Credential to generate this encrypted text. This text can then be passed into the VC UI to act as an authentication token for future requests without having to go through salesforce for each request.

Setup

Delegated auth is available on API Proxies who have ApiProxies__x__DelegatedAuthEnabled=true and on Proxies who have Proxies__x__DelegatedAuthEnabled=true in the app settings.

Usage

After being enabled, a new endpoint /auth-payload will be available on the Api Proxy path. Calling this endpoint will return JSON that includes the encrypted auth payload as well as the expiration time. The encrypted auth can then be used in future requests by populating the x-enosix-authorization header in place of other authentication. For Proxies, new query param link-function=auth-payload is added that included encrypted auth token. The encrypted auth response matches that of the Api Proxy.

SAP client

If sap-client is provided when calling the /auth-payload endpoint, the SAP client value will be included in the encrypted payload. An encrypted payload with the SAP client baked in will require that value to be included in future calls that use the delegated auth header. If the caller does not provide the matching client, they will get a 403 response.

ExpirationSeconds

If the optional expirationSeconds query parameter is included when calling the /auth-payload endpoint, the authorization token will expire after the supplied value number of seconds have expired. If the query is omitted or the value is non-numeric, the default value of 3600 seconds (1 hour) will be used. This can be useful for testing how an expired authorization token is handled without the need to wait the default number of seconds.