Authentication Methods

Web Services connectivity in GENESIS allows you to call REST services with various authentication mechanisms. The authentication type you pick is dictated by the authentication the REST service you wish to connect to supports.

GENESIS can connect to REST services supporting one of these authentication types:

  • None. For REST services that allow anonymous access. This option does not perform any authentication with the REST service.

  • Query String. This is a non-standard authentication mechanism, which passes a username and a password in clear text in the query string. This authentication method is not secure, and should be avoided.

  • Basic. This is the standard basic access authentication, where the Web Services Connector provides a username and a password in the Authorization header with each call. Credentials are passed as a Base64-encoded string, built by joining username and password with a single colon (:) character. This authentication method should only be used with HTTPS connections, as Base64 is an encoding, not encryption, so the credentials are effectively passed in clear text. For more information about basic access authentication, refer to Basic access authentication (external).

  • OAuth 1.0 or 1.0a. This is an older authentication protocol, and is now superseded by OAuth 2.0. OAuth 1.0 is considered insecure, and should be avoided; for more details refer to OAuth Security Advisory: 2009.1 (external). OAuth 1.0a is more secure, but it has been obsoleted in favor of OAuth 2.0. For more information about OAuth 1.0a, refer to OAuth Core 1.0 Revision A (external).

  • OAuth 2.0. This is an industry-standard protocol for authorization. The OAuth framework specifies several grant types for different use cases. For more information about OAuth 2.0 and grant types, refer to OAuth 2.0 (external). GENESIS supports the following grant types:

    • Authorization Code. The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.
    • Client Credentials. The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user.
    • Resource Owner Password. The Password grant type is a legacy way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.

  • NTLM. This is a Microsoft Windows specific authentication protocol. It authenticates users and computers with a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

  • JSON Web Token (JWT). This method can be used for REST services that have a custom authentication flow (not OAuth 2.0) whose result is a JWT. GENESIS requires the JWT to contain at minimum the exp (expiration time) claim, in order to determine whether the token has expired. For more information about JSON Web Tokens, refer to Introduction to JSON Web Tokens (external).
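As an added illustration (not GENESIS or Web Services Connector code), the Python below builds the Basic Authorization header value described under Basic above and performs the exp claim check the JWT method relies on. The sample token is constructed for the demo and carries a placeholder signature, so the check shown covers expiry only, not the token's validity.

```python
import base64
import json
import time

# Added illustration, not GENESIS code. Shows the two wire details the page
# describes: the Basic Authorization header value, and the exp claim check
# that decides whether a JWT is still usable.

def basic_authorization_header(username: str, password: str) -> str:
    """Authorization header value for basic access authentication (RFC 7617)."""
    if ":" in username:
        # The user-id may not contain a colon, or the server cannot split it.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS JWT. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def jwt_is_expired(token: str, now=None, leeway: int = 0) -> bool:
    """True unless a numeric exp claim lies after now (RFC 7519 requires now < exp)."""
    exp = jwt_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True  # no usable exp: treat as expired rather than as valid forever
    now = time.time() if now is None else now
    return now >= exp + leeway

def constructed_jwt(claims: dict) -> str:
    """Constructed sample token for this demo; the signature segment is a placeholder."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{header}.{payload}.placeholder-signature"

if __name__ == "__main__":
    print(basic_authorization_header("Aladdin", "open sesame"))
    tok = constructed_jwt({"sub": "svc", "exp": 1700000000})
    print(jwt_claims(tok), jwt_is_expired(tok, now=1700000001))
```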