Securing Headless APIs
Whether you’re importing or exporting data, security is critical when working with Liferay’s APIs. Out of the box, Liferay provides industry-standard mechanisms for securing data transfers with external systems: HTTPS to encrypt the connection, and OAuth 2.0 to authorize access to the APIs.
Although Liferay APIs also support HTTP Basic authentication, you should only use this method for testing and never in a production environment. Use OAuth 2.0 to transfer data securely.
Enabling OAuth 2.0 in Liferay
OAuth 2.0 provides a secure way to control who can access your data. With it, you can grant specific permissions to web services without needing to share passwords. This helps protect user information and ensure that only authorized users can interact with the API.
At a high level, there are three steps to configure and connect with OAuth 2.0 in Liferay:
First, you define an OAuth 2.0 application in Liferay. When setting up this application, you determine how your client will connect and authenticate to Liferay. You can choose from several authorization flows, including the authorization code flow. See Authorizing Account Access with OAuth2 to learn more.
Second, you define the scopes for the application. These are the permissions granted for specific headless API endpoints and determine which operations the application can perform. For example, a remote application may need read and write access to blog posts.
Third, you configure your remote application to use OAuth 2.0 when connecting to Liferay. Make sure that your client application implements the authorization flow you selected. For example, if you select the authorization code flow, your application exchanges the authorization code it receives from Liferay for an access token, and then sends that token with every subsequent API call.
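The three steps above, as an added example client (not Liferay’s own code) for the authorization code flow. It assumes Liferay’s OAuth 2.0 provider endpoints `/o/oauth2/authorize` and `/o/oauth2/token`, a sample scope name and headless-delivery path, and placeholder client credentials and host that you would replace with the values from your own OAuth 2 application.

```python
# Added example: minimal OAuth 2.0 authorization code client for a Liferay
# OAuth 2 application. Endpoint paths, scope name and placeholder values below
# are assumptions, not values taken from this page.
import json
from urllib.parse import urlencode, urlparse, parse_qs
import urllib.request

LIFERAY = "https://liferay.example.com"            # placeholder host (HTTPS only)
CLIENT_ID = "client-id-placeholder"                # copied from the OAuth 2 application
CLIENT_SECRET = "client-secret-placeholder"
REDIRECT_URI = "https://app.example.com/callback"
SCOPES = ["Liferay.Headless.Delivery.everything.read"]  # assumed scope name

def build_authorization_url(state):
    """Step 1: send the user to Liferay's consent screen with the scopes the
    application needs. `state` is a random value kept in the user's session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(SCOPES), "state": state}
    return f"{LIFERAY}/o/oauth2/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Read the code from the redirect back to us; a state mismatch means the
    callback was not started by this session, so it is discarded."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    return query["code"][0]

def exchange_code(code, send=None):
    """Step 2: trade the code for an access token at the token endpoint.
    `send(url, body)` is injectable so the exchange can be exercised offline."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET}).encode()
    token = json.loads((send or _post_form)(f"{LIFERAY}/o/oauth2/token", body))
    granted = set(token.get("scope", "").split())
    if not granted.issubset(SCOPES):   # hold no more permission than we asked for
        raise ValueError(f"unexpected scope granted: {granted - set(SCOPES)}")
    return token["access_token"]

def _post_form(url, body):
    req = urllib.request.Request(url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def api_request(access_token, path):
    """Step 3: build a headless API call carrying the bearer token."""
    if not LIFERAY.startswith("https://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    return urllib.request.Request(f"{LIFERAY}{path}",
                                  headers={"Authorization": f"Bearer {access_token}"})
```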
Guest API Access
By default, Liferay requires authentication for all APIs and does not grant public access to them. However, you can use the Service Access Policy tool to make specific endpoints publicly accessible. You can configure which service signatures to allow within each service access policy.
Proceed with caution when granting guest access and making API endpoints public-facing. Provide this type of access only when necessary, and only for the specific service signatures that need it.
See Setting Service Access Policies to learn more.
Conclusion
Security is paramount when using APIs to move data in or out of Liferay. Now that we’ve explored how Liferay’s headless APIs are secured and authorized, let’s take a look at how Clarity can use them to import content.
Up Next: Using APIs to Import Clarity’s Content
Additional Resources
See official documentation to learn more about using Liferay’s APIs securely: