New options are now available to fine-tune the authorization rules that secure the deployed services.
Optional authorization
Optional authorization is suitable for securing mixed resources: everyone can access the public set of resources, even without a token, and a caller that presents a valid token receives an extended set of resources.
A good use case for this feature is a service that manages blog posts. When you enable the Optional Authorization checkbox in the Builder, the service displays published blog posts to everyone who calls it. Registered users that call the service with a valid token can see the published posts, as well as the unpublished posts that they created. The unpublished posts are the restricted resource in this scenario.
To achieve this behavior, create the following authorization rule:
When the caller uses the GET method on the secured path, the API proxy verifies the caller's token for both of the defined scopes, and checks for an active subscription to the service. If the call meets the requirements set in the authorization rule, the service allows the user to access the restricted resources. If the call does not include a token, the service returns public resources to the caller.
For more information about the Optional Authorization option, see the Secure a Service section of the Security documentation, as well as the Anonymous Login deprecation blog post.
Skip subscription check
The Skip Subscription Check option is intended primarily for essential services, but you can use it on any service where it fits. When you enable the Skip Subscription Check checkbox in the Builder, the API proxy checks the caller's token against any authorization rules that you set, but does not check for an active subscription to the given service. This means that you can require the caller to have an access token with specific scopes in order to access your service, while ignoring the caller's subscription status altogether.
To achieve this behavior, create the following authorization rule:
When the caller uses the GET, POST, or PUT methods on the secured path, the API proxy checks the caller's token for either of the two specified scopes, but ignores the user's subscription status. This means that the call succeeds as long as the user calls the service with a valid access token that includes at least one of the hybris.account_view and hybris.org_view scopes. The user does not have to subscribe to the service to access the secured path.
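The following is an added example (not YaaS or Builder code) that models both options described above as a small, in-memory authorization check: the blog-post rule with Optional Authorization (GET, both scopes required, subscription checked, no token yields the public view) and the essential-service rule with Skip Subscription Check (GET/POST/PUT, either scope suffices, subscription ignored). The token table, subscription registry, post list and the `Rule`/`Decision` types are all constructed for the example. One policy choice is an assumption: a token that is present but invalid is rejected rather than silently downgraded to the anonymous view, so a caller cannot tell a bad token apart from no token by getting a normal public response.

```python
"""Hypothetical API-proxy authorization check (added example, not YaaS code).

Models the two Builder options:
  * Optional Authorization: no token -> public resources only; a valid token
    that satisfies the rule -> public + restricted resources
  * Skip Subscription Check: the rule is evaluated on scopes only and the
    subscription lookup is bypassed
All data below is constructed in-memory sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed token table: bearer string -> introspection-style result
TOKENS = {
    "tok-alice": {"active": True, "sub": "alice",
                  "scope": {"hybris.account_view", "hybris.org_view"}},
    "tok-bob":   {"active": True, "sub": "bob", "scope": {"hybris.org_view"}},
    "tok-old":   {"active": False, "sub": "carol", "scope": {"hybris.account_view"}},
}
# Constructed: subjects holding an active subscription to this service
SUBSCRIBED = {"alice"}
# Constructed blog posts; unpublished posts are the restricted resource
POSTS = [
    {"id": 1, "author": "alice", "published": True},
    {"id": 2, "author": "alice", "published": False},
    {"id": 3, "author": "bob", "published": True},
    {"id": 4, "author": "bob", "published": False},
]


@dataclass(frozen=True)
class Rule:
    methods: FrozenSet[str]
    scopes: FrozenSet[str]
    require_all_scopes: bool        # True: every scope; False: at least one
    optional_auth: bool = False     # "Optional Authorization" checkbox
    skip_subscription: bool = False # "Skip Subscription Check" checkbox


@dataclass(frozen=True)
class Decision:
    allowed: bool
    view: str                       # "public", "restricted" or "none"
    subject: Optional[str] = None
    reason: str = ""


def authorize(rule: Rule, method: str, token: Optional[str] = None) -> Decision:
    """Evaluate one request against a rule, the way the proxy would."""
    if method not in rule.methods:
        return Decision(False, "none", reason="method not covered by rule")
    if token is None:
        # Only a *missing* token falls back to the public view.
        if rule.optional_auth:
            return Decision(True, "public")
        return Decision(False, "none", reason="token required")
    info = TOKENS.get(token)
    if info is None or not info["active"]:
        # Assumed policy: never downgrade a bad token to anonymous access.
        return Decision(False, "none", reason="invalid or expired token")
    granted = info["scope"]
    scopes_ok = (rule.scopes <= granted if rule.require_all_scopes
                 else bool(rule.scopes & granted))
    if not scopes_ok:
        return Decision(False, "none", reason="missing scope")
    if not rule.skip_subscription and info["sub"] not in SUBSCRIBED:
        return Decision(False, "none", reason="no active subscription")
    return Decision(True, "restricted", subject=info["sub"])


# Rule from the blog-post scenario: GET, both scopes, subscription checked,
# anonymous callers still get the public view.
BLOG_RULE = Rule(methods=frozenset({"GET"}),
                 scopes=frozenset({"hybris.account_view", "hybris.org_view"}),
                 require_all_scopes=True, optional_auth=True)

# Rule from the skip-subscription scenario: GET/POST/PUT, either scope,
# subscription status ignored, token always required.
ESSENTIAL_RULE = Rule(methods=frozenset({"GET", "POST", "PUT"}),
                      scopes=frozenset({"hybris.account_view", "hybris.org_view"}),
                      require_all_scopes=False, skip_subscription=True)


def list_posts(method: str, token: Optional[str] = None):
    """Blog service behind BLOG_RULE: published posts for everyone, plus the
    caller's own unpublished posts when the token satisfies the rule."""
    d = authorize(BLOG_RULE, method, token)
    if not d.allowed:
        raise PermissionError(d.reason)
    if d.view == "public":
        return [p["id"] for p in POSTS if p["published"]]
    return [p["id"] for p in POSTS if p["published"] or p["author"] == d.subject]


if __name__ == "__main__":
    print("anonymous:", list_posts("GET"))                  # published only
    print("alice:", list_posts("GET", "tok-alice"))         # plus her draft
    print("bob on essential POST:", authorize(ESSENTIAL_RULE, "POST", "tok-bob"))
```

Note that `tok-bob` is denied on `BLOG_RULE` (it lacks `hybris.account_view`, and the rule requires both scopes) yet is accepted on `ESSENTIAL_RULE`, where one scope is enough and bob's missing subscription is ignored; that contrast is exactly the difference between the two checkboxes.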
For more information about the Skip Subscription Check option, see the Secure a Service section of the Security documentation.
Find these options and more in the Authorization Rules section of your service's settings. Go to Projects > {My Project} > Services > {My service} > Authorization Rules.