The security used in the Campus API Gateway is built upon multiple layers. Those layers break down into:

  • API Key / Campus API Gateway

    The API Key is the secret key used to authenticate your application to the Campus API Gateway. Within the Developer Portal, this is known as the Consumer Key. The Campus API Gateway uses the key to look up permissions information and determine whether a request should be allowed to flow out of the API Gateway and down to the backend Web API Service.

  • Basic Authentication / Web API Service

    Basic Authentication is used to pass Campus LDAP Service Account information down to the backend Web API Services. This information allows the backend Web API Services to determine whether the client has any special handling needs and adjust their processing accordingly. For example, an application from the College of Engineering may only be allowed access to student information from the College of Engineering. These credentials allow for that filtering to take place.

  • Google End User OAuth / Web API Service

    Sometimes the End User of the calling application also needs to be known for a call to be properly processed. In those situations, an OAuth system can be used to authenticate the end user and provide credentials to the backend Web API Service. Temporarily, Google can provide this OAuth information while the Campus Identity team works on implementing an OAuth provider specific to our campus needs.

Security Overview Diagram
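
As an added example (not the Campus API Gateway's or the backend services' own code), this shows how a backend Web API Service could decode the Basic credentials passed down to it and restrict results to the service account's college, as in the College of Engineering case above. The account names, passwords, the in-memory directory standing in for Campus LDAP, and the student records are all constructed assumptions.

```python
import base64
import hmac

# Constructed stand-in for the Campus LDAP service-account directory (hypothetical values).
SERVICE_ACCOUNTS = {
    "svc-engr-app": {"password": "constructed-secret-1", "colleges": {"Engineering"}},
    "svc-registrar": {"password": "constructed-secret-2", "colleges": None},  # None = unrestricted
}
# Constructed sample records.
STUDENTS = [
    {"id": 1, "name": "A. Rivera", "college": "Engineering"},
    {"id": 2, "name": "B. Chen", "college": "Letters and Science"},
    {"id": 3, "name": "C. Okafor", "college": "Engineering"},
]

def basic(user, password):
    """Build the Authorization header value a client would send (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header):
    """Return (username, password) from an Authorization header, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # invalid base64 or bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep and user else None

def authenticate(header):
    """Return the account record for valid credentials, else None."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    account = SERVICE_ACCOUNTS.get(creds[0])
    # Unknown accounts are compared against a dummy so timing does not reveal valid names.
    expected = account["password"] if account else "dummy-never-matches"
    ok = hmac.compare_digest(creds[1].encode(), expected.encode())
    return account if (ok and account) else None

def list_students(header):
    """Return (status, records), filtered to the colleges the service account may see."""
    account = authenticate(header)
    if account is None:
        return 401, []
    allowed = account["colleges"]
    return 200, [s for s in STUDENTS if allowed is None or s["college"] in allowed]
```

The filter is applied on the backend from the authenticated account's scope, so a client cannot widen its view by changing request parameters.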