Authentication Options of the API Portal
To let your developers log in to your API Portal, you can choose from the following means of authentication:
For e-mail and password login, the portal supports reCAPTCHA to keep robots from signing up to your portal; additionally, you can configure the portal to validate e-mail addresses.
Sending lost password reset requests is also supported; you only have to supply the API Portal with SMTP credentials.
Any type of authentication that you have configured for the Portal can also be used to authenticate the use of any API registered in the API Portal. Wicked will federate any type of login to a standard OAuth 2.0 flow, e.g. to an Authorization Code Grant or the Implicit Grant. This also applies to logins using SAML. Your applications only need to implement generic OAuth 2.0; all other login types are federated by Wicked.
For simple machine-to-machine communication, you can also use plain API Keys.
Credentials, i.e. API Keys or Client ID and Client Secret, are generated automatically for each application and per API subscription, depending on how you choose to secure your API.
Need other means of authentication? File an issue on GitHub and tell us.
From version 1.0.0 on, Wicked packs a feature-rich Authorization Server with the installation. The Authorization Server can serve as a full-featured OAuth 2.0 Identity Provider, or it can be used to federate identities from a wide range of Identity Providers, such as Google, Twitter, GitHub, ADFS, generic OAuth 2.0 or even SAML.
The Authorization Server can federate these identities using a standard OAuth 2.0 flow, even if the federated identity provider is e.g. a SAML identity provider.
See also the documentation of the wicked-demo.haufe.io Demo Portal regarding support for the different OAuth 2.0 flows: