Authorisation and Authentication

Security is always a significant consideration when working with any online service. The REST API works with security in two ways: authorisation and authentication.

  • Authentication proves that the user is who they say they are.
  • Authorisation verifies that the user is authorised to make the call.

Most calls to FME Server, for example, require authorisation. The REST API uses tokens to prove that the user is permitted to make the call to the server. A token is a string of encrypted information that is sent between the client and the server. Token security is not as strong as other methods, because the security of the system depends on controlling access to the tokens.

Examples of Authorisation:

There are different types of authorisation used by web services and FME supports all of the common connection types.

Inline Token:

The example below shows a token included as a value in the query string of the web request. This is a common approach used by many web services that do not require high levels of security.

http://datapoint.metoffice.gov.uk/public/data/val/wxfcs/all/xml/350361?res=3hourly&key=1c9be7zb-a555-40cd-b132-501193f2b423

Request Header:

Similar to the inline token approach, but rather than the query string, the Authorization header of the HTTP request is used to pass the token.

[Image: Authorization header example used by JIRA]
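The practical difference between the two token placements above is where the token ends up being recorded. The following Python script is an added example, not part of the original page: it builds both request shapes, shows that a query-string token is written verbatim into a typical web-server access log while a header token is not, and includes a redaction helper for URLs that must be logged. The endpoint, parameter names and token value are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder values; not a real endpoint or key.
BASE_URL = "http://api.example.invalid/public/data/350361"
TOKEN = "example-token-0001"


def inline_token_request(base_url, params, token, key_name="key"):
    """Token carried in the query string, as in the DataPoint-style URL above."""
    query = dict(params)
    query[key_name] = token
    url = urlunsplit(urlsplit(base_url)._replace(query=urlencode(query)))
    return {"method": "GET", "url": url, "headers": {}}


def header_token_request(base_url, params, token):
    """Token carried in the Authorization header instead of the URL."""
    url = urlunsplit(urlsplit(base_url)._replace(query=urlencode(params)))
    return {"method": "GET", "url": url,
            "headers": {"Authorization": f"Bearer {token}"}}


def access_log_line(request):
    """Approximation of a web-server access log entry: it records the request
    line (path and query string) but not the request headers."""
    parts = urlsplit(request["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'{request["method"]} {target} HTTP/1.1'


def token_leaks_into_log(request, token):
    """True when the token would be written verbatim into the access log."""
    return token in access_log_line(request)


def redact_query_secrets(url, secret_params=("key", "token", "access_token")):
    """Mitigation for inline tokens: scrub known secret parameters before a URL
    is logged, stored or shared. The parameter names are assumed examples."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in secret_params else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    inline = inline_token_request(BASE_URL, {"res": "3hourly"}, TOKEN)
    header = header_token_request(BASE_URL, {"res": "3hourly"}, TOKEN)
    print(access_log_line(inline))   # token visible in the log line
    print(access_log_line(header))   # token absent from the log line
    print(redact_query_secrets(inline["url"]))
```

The same exposure applies to browser history, proxy logs and Referer headers, which is why the header form is preferred for anything beyond low-sensitivity data.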

OAuth2:

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to permit users to share information about their accounts with third-party applications or websites.

OAuth provides a robust level of security and is used for connections to Microsoft 365 services like SharePoint or OneDrive and ESRI ArcGIS Online within FME.

[Image: Spotify OAuth API guidance]

FME Web Connections:

Whilst OAuth provides a good level of security, it is also complicated to set up, so FME ships with default connections that simplify connecting to common services like ArcGIS Online or Microsoft. This allows FME to create a connection to these services that can be easily referenced in the Workspace, without the author having to know anything about the underlying OAuth flow.

[Image: FME Web Connection]

Common web connections are provided, and community-defined connections are available on the FME Hub. If a connection is not available, it can be created (or customised) within FME itself.

[Image: FME Web Connection: a typical OAuth connection as a Web Connection definition]

NEW
Token management has been dramatically updated from 2019.0. Before, a token was tied directly to a user's account and a user could only hold a single token at once. From 2019.0, a single user can have many tokens and directly control what each token has access to. This is an easier system and makes the token system much more secure.

WARNING
Tokens can hold a lot of power. To guarantee the security of FME Server, ensure a token's permissions are configured so that it can be used only for its intended purpose, such as running a particular workspace.