Securing REST Services
If your REST service is accessing confidential data, you should use authentication for the service. If you need to provide different levels of access to different users, also specify privileges needed for the endpoints.
This chapter assumes that you have previously generated REST service classes as described in the chapters “Using the /api/mgmnt Service to Create REST Services,” “Using the ^%REST Routine to Create REST Services,” or “Using the %REST.API Class to Create REST Services.”
Setting Up Authentication for REST Services
You can use any of the following forms of authentication with IRIS REST services:
HTTP authentication headers — This is the recommended form of authentication for REST services.
Web session authentication — Where the username and password are specified in the URL following a question mark.
OAuth 2.0 authentication — See the following subsection.
REST Applications and OAuth 2.0
To authenticate a REST application via OAuth 2.0, do all of the following:
Configure the resource server containing the REST application as an OAuth 2.0 resource server.
Allow delegated authentication for %Service.CSP.
Make sure that the web application (for the REST application) is configured to use delegated authentication.
Create a routine named ZAUTHENTICATE in the %SYS namespace. InterSystems provides a sample routine, REST.ZAUTHENTICATE.mac, that you can copy and modify. This routine is part of the Samples-Security sample on GitHub (https://github.com/intersystems/Samples-Security). You can download the entire sample as described in “Downloading Samples for Use with InterSystems IRIS,” but it may be more convenient to simply open the routine on GitHub and copy its contents.
In your routine, modify the value of applicationName and make other changes as needed.
Also see “Optionally Defining Delegated Authentication for the Web Client” in the chapter “Using an InterSystems IRIS Web Application as an OAuth 2.0 Client” in Using OAuth 2.0 and OpenID Connect.