
Confused about Cloud API Authorization Key expiration

posted on July 19, 2023

In the Cloud API authentication documentation it says that our authorization key is going to expire and a new key will need to be created.

Wouldn't this cause all connections to the API to fail and no longer be able to authenticate? Why would I want this to happen?

https://developer.laserfiche.com/guides/guide_oauth-service.html

replied on July 19, 2023

As Brian states, it is good security practice to rotate your keys, but you do have the option to create a Service Principal Key with no expiration date.  You'll still want to manually rotate those keys at some interval to maintain a good security posture. 

replied on July 20, 2023

I cannot seem to find the documentation on how to authenticate with a service principal key. We are connecting from On-Prem Workflow, which is a Windows low-code service (the HTTP Post activity).

There are only 3 options available to connect to Cloud.

It seems we only fall into the first category.

This article only provides for either using the access key, which expires, or HMAC.

replied on July 20, 2023

When you create your app in the Developer Console and create your Access Keys, they are associated with a Service Principal account, and the generated key will have the same expiration as your Service Principal account (if you set an expiration).  So when you create your app, make sure the Service Principal you use doesn't have an expiration and you won't have to worry about the Access key expiring.

replied on July 20, 2023

Hi Chad,

I have an example of using WF Cloud to call Laserfiche API Cloud. You should be able to adapt it to WF self-hosted:

To get API "Access Token" using the "long-lasting authorization key":


And then use the Access Token to call APIs (e.g. get a list of repositories):


Note: You can configure the Service Principal key (and related API long-lasting authorization key) to never expire:

replied on July 20, 2023

I have tried unchecking that box under Account > Settings > Integration Configuration and saving.

However if I view my service principal user an expiration date still shows.

Update: After unchecking the box, you must rotate the key, and this part gets updated to show no expiration date. But the configuration for the access token in the developer console shown below is still showing that it will expire. Although we don't even know what an access token is, the password is the access key, not the token.

And ultimately what you are using in the Bearer header to login is the Access Key, although this key depends on these other 2 configurations to access the repository.

If I log into my developer console and review my Access Key configuration, it still shows an expiration time on the Access Key as well.
replied on July 24, 2023

You need to rotate the Service Principal Key for the Expiration Date change to take effect.

Yes, the "Access Token" obtained from the long-lasting OAuth application "authorizationKey" will still expire after 720 minutes max (or less based on configuration), and a new one needs to be obtained using the "authorizationKey".

FYI: Laserfiche API Client libraries handle "Access Token" refresh automatically (no explicit user code needed).

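An added example (not code from the thread or from the Laserfiche client libraries) of the pattern the reply above describes: a small cache that exchanges the long-lasting authorization key for a short-lived access token, refreshes it shortly before expiry (capped at the 720 minutes stated above), and a helper that flags when the long-lived key itself is due for rotation so a replacement can be deployed before the old one expires. The token endpoint, request body and Bearer-header exchange are assumptions, not Laserfiche's documented contract; the key is passed in from a secret store, never hardcoded.

```python
import json
import time
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

TOKEN_TTL_CAP = 720 * 60   # seconds; the maximum access-token lifetime stated in the thread
REFRESH_MARGIN = 5 * 60    # refresh this long before expiry so in-flight calls never use a dead token


def default_fetch(token_url: str, auth_key: str) -> dict:
    """Exchange the long-lasting authorization key for an access token.
    Endpoint, body and Bearer-header usage are assumptions for illustration."""
    req = urllib.request.Request(
        token_url, data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": "Bearer " + auth_key,
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)   # expected keys: access_token, expires_in (seconds)


@dataclass
class TokenCache:
    token_url: str
    auth_key: str                       # load from a secret store or environment, never from source
    fetch: Callable[[str, str], dict] = default_fetch
    clock: Callable[[], float] = time.time
    refreshes: int = 0                  # how many times a new token was obtained
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def access_token(self) -> str:
        """Return the cached token, obtaining a new one when within REFRESH_MARGIN of expiry."""
        now = self.clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            data = self.fetch(self.token_url, self.auth_key)
            ttl = min(int(data.get("expires_in", TOKEN_TTL_CAP)), TOKEN_TTL_CAP)
            self._token = data["access_token"]
            self._expires_at = now + ttl
            self.refreshes += 1
        return self._token


def rotation_due(key_expires_iso: str, now_iso: str, warn_days: int = 30) -> bool:
    """True when the long-lived key expires within warn_days (ISO dates as shown in the console):
    time to generate and deploy a replacement key before the old one stops working."""
    key_expires = datetime.fromisoformat(key_expires_iso)
    now = datetime.fromisoformat(now_iso)
    return key_expires - now <= timedelta(days=warn_days)
```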
replied on July 24, 2023

Oh I understand this final expiration, this is how much time you have to call your method(s) after requesting the 2nd Bearer token. That is perfectly ok, as long as the primary password does not expire suddenly and without warning.

replied on July 19, 2023

It's pretty standard practice for API keys to have an expiration time, requiring key rotation. Not having long-lived keys improves security by eventually invalidating any secrets that may have been leaked. It also encourages practices like managing keys separately from code, since you'll want to be able to re-key with minimal redeployment.

replied on July 20, 2023

What happens at this time? Do connections suddenly fail and wait for human intervention? Is there a grace period rather than waiting for it to time out? Like a 1-month rotation warning?

I have configured APIs with the following services: Google, Bamboo, Freshdesk, Salesforce, NFL, Sage 100 Contractor, and a few others without ever coming across such a concept. There is no sudden failure of the connection or any maintenance that needs to happen to prevent a failure to authenticate.

replied on July 20, 2023

You would generate and deploy a new key before the old one expires.
