The PowerServer Web APIs can include a built-in authentication server that authenticates the installable cloud apps with little extra work. You select which of the following authentication servers is built into the PowerServer Web APIs. Because the authentication server is built into the PowerServer Web APIs, it shares their root URL and starts and stops together with the PowerServer Web APIs.
- Use built-in JWT server: Includes a built-in authentication server that supports JWT or bearer tokens. See Using JWT for more information.
- Use built-in OAuth server: Includes a built-in authentication server based on the IdentityServer4 framework that works with the OAuth 2.0 authorization flows. See Using OAuth 2.0 for more information.
- Use built-in AWS Cognito server: Includes a built-in authentication server that works with the Amazon Cognito user pool. See Using Amazon Cognito for more information.
- Use Azure Active Directory service: Includes templates for working with Azure AD or Azure AD B2C. See Using Azure Active Directory service for more information.
- Use other authentication servers: Includes templates that can be extended to support other identity providers that work with the OAuth flows or JWT, such as Okta OIDC (OpenID Connect). See Using other authentication servers for more information.
Whichever server you choose, authentication follows the same four steps:
- The client sends the user name and password (read from the INI file or entered in a login window) to the authentication server. Credentials kept in the INI file sit on disk in plaintext, so that option suits development and testing rather than production.
- The authentication server validates the user (against the DefaultUserStore.cs file, the authentication database, or the LDAP server); if validation succeeds, it authorizes the user and returns a token to the client.
- The client sends a request that includes the token to the PowerServer Web APIs.
- The PowerServer Web APIs validates the token with the authentication server; if validation succeeds, it gets the requested data from the database.
The following tokens are supported:
- JSON Web Token (JWT) (recommended)
- Bearer token
For OAuth 2.0, the following authorization flows are recommended:
- Client Credentials (the client authenticates as itself; no end user is involved)
- Resource Owner Password (the client collects the user's name and password and exchanges them for a token; because the client handles the raw password, the OAuth 2.0 Security Best Current Practice discourages this grant except for first-party clients, such as an installable cloud app you develop yourself)
The PowerBuilder client application implements the authentication process (obtaining a valid token, sending data requests with the token, and so on) with the PowerBuilder RestClient, OAuthClient, JsonParser, TokenRequest, and TokenResponse objects and the Application.SetHttpRequestHeader function. See the code examples in the following sections for details. It also calls the Application.BeginSession function to create the user session manually (instead of letting PowerServer create it automatically), so that the session request already carries the token. See the "Start session manually by code" section for details.
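The four steps above and the manual session start described in the last paragraph, combined in one Application Open event. This is an added example, not code from the PowerServer documentation or from Appeon; it assumes the built-in OAuth server (IdentityServer4) is reachable at the PowerServer Web APIs root URL http://localhost:5000 with its token endpoint at /connect/token, that a client registration pb_client / pb_secret with scope api exists there, and that w_login and w_main are this app's own windows, with w_login returning the user name and password separated by a tab via CloseWithReturn. TokenRequest, TokenResponse, OAuthClient, SetHttpRequestHeader and BeginSession are PowerBuilder's standard objects and functions; verify the property names against the help for your PowerBuilder version.

```powerscript
// Application Open event (added example; assumptions are marked below).
TokenRequest  lnv_TokenRequest
TokenResponse lnv_TokenResponse
OAuthClient   lnv_OAuthClient
string  ls_root, ls_reply, ls_user, ls_pass, ls_token
integer li_rc, li_tab
long    ll_rc

ls_root = "http://localhost:5000"   // assumed PowerServer Web APIs root URL (shared by the built-in OAuth server)

// Collect the credentials from a login window rather than the INI file, so the
// password never sits on disk in plaintext. w_login (assumed) returns "user~tpassword".
OpenWithParm(w_login, "")
ls_reply = Message.StringParm
li_tab = Pos(ls_reply, "~t")
if li_tab = 0 then
    HALT CLOSE   // cancelled or malformed reply: do not start the app without a user
end if
ls_user = Left(ls_reply, li_tab - 1)
ls_pass = Mid(ls_reply, li_tab + 1)

// Step 1: send the user name and password to the built-in OAuth server
// using the Resource Owner Password grant.
lnv_TokenRequest.TokenLocation = ls_root + "/connect/token"  // IdentityServer4 token endpoint (assumed)
lnv_TokenRequest.Method        = "POST"
lnv_TokenRequest.GrantType     = "password"
lnv_TokenRequest.ClientId      = "pb_client"   // assumed client registration on the server
lnv_TokenRequest.ClientSecret  = "pb_secret"   // assumed; omit for a public client
lnv_TokenRequest.UserName      = ls_user
lnv_TokenRequest.Password      = ls_pass
lnv_TokenRequest.Scope         = "api"         // assumed scope name
// For a service client use GrantType = "client_credentials" and leave
// UserName/Password empty; the rest of the script is unchanged.

// Step 2: the server validates the user and returns a token (or an error status).
li_rc = lnv_OAuthClient.AccessToken(lnv_TokenRequest, lnv_TokenResponse)
ls_pass = Space(Len(ls_pass))   // overwrite the plaintext password as soon as it has been sent
if li_rc <> 1 or lnv_TokenResponse.GetStatusCode() <> 200 then
    MessageBox("Login failed", "Token request returned " + String(li_rc) + &
               ", HTTP status " + String(lnv_TokenResponse.GetStatusCode()))
    HALT CLOSE
end if
ls_token = lnv_TokenResponse.GetAccessToken()

// Step 3: attach the token to every request this app sends to the PowerServer Web APIs.
SetHttpRequestHeader("Authorization", "Bearer " + ls_token, true)

// Step 4: start the PowerServer session manually, so the session request already
// carries the Authorization header; the Web APIs validate the token before
// any data is fetched.
ll_rc = BeginSession()
if ll_rc <> 0 then
    MessageBox("Session error", "BeginSession returned " + String(ll_rc))
    HALT CLOSE
end if

Open(w_main)   // assumed main window; all its DataWindows now run under the token
```

Because the header is set before BeginSession, the session request and every later data request carry the same bearer token; when the token expires, repeat steps 1 to 3 (or use the refresh token from the TokenResponse, if the server issued one) and call SetHttpRequestHeader again with the new value.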