For transactional tasks, only the API is given access to the database. Kazi applications and integrators need to use the API to access or manipulate data. Several important security aspects are taken into account when accessing this data through the Kazi API.
- Access through the Azure API management gateway.
You need to be registered and approved by Kazi as a legitimate subscriber. Following this registration, the controller receives a subscription key. Without this subscription key, it is impossible to enter the API gateway.
- API Access level is secured using the OAuth2 protocol (https://oauth.net/2/)
This implies that the controller needs to request a secure access token before accessing the API. The application that wants to access the API must first be registered at the Kazi Identity provider. The controller receives a specific clientId and secret for this application and is granted access to a limited set of scopes. Based on the scopes present in the access token, access is granted or refused.
- By using ‘Client credentials’ grant type (see OAuth2 grant types) the ClientId of the application is linked to one specific Kazi Partner and will only have access to data registered by this partner. There is no way to get data from another partner using this grant type.
- By using the ‘Authorization code’ or ‘Implicit’ grant type (see OAuth2 grant types), data is accessed by an application on behalf of a Kazi user. This enables a higher access-security level, as the application can only access data based on the info described in paragraph 3 in combination with the roles and permissions of the authorized user. These roles and permissions are set by a Kazi Administrator.
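The two-layer check described above (gateway subscription key, then token scopes, partner binding and user roles), as an added illustration that is not Kazi's own code. The claim names `scope`, `partner_id` and `roles`, the sample key and resource, and the assumption that the token signature has already been validated are all assumptions of this example; `Ocp-Apim-Subscription-Key` is the default Azure API Management header name.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed sample data: one approved subscriber key and one resource owned by partner "P-42".
KNOWN_SUBSCRIPTION_KEYS = {"sub-key-constructed-0001"}
RESOURCE_OWNER = {"vacancy/123": "P-42"}

def gateway_check(headers: dict) -> Decision:
    """Layer 1: the Azure API Management gateway. No approved subscription key, no entry."""
    key = headers.get("Ocp-Apim-Subscription-Key")  # default APIM header name
    if key not in KNOWN_SUBSCRIPTION_KEYS:
        return Decision(False, "subscription key missing or not approved")
    return Decision(True, "subscription ok")

def api_check(claims: dict, required_scope: str, resource: str,
              required_role: Optional[str] = None) -> Decision:
    """Layer 2: the API, working on token claims whose signature was already verified (assumed)."""
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return Decision(False, f"scope '{required_scope}' not in token")
    # The clientId is bound to one Kazi Partner: data registered by another partner is off-limits.
    if claims.get("partner_id") != RESOURCE_OWNER.get(resource):
        return Decision(False, "resource belongs to another partner")
    # Delegated flows (authorization code / implicit) add the user's roles, set by a Kazi Administrator.
    if required_role and required_role not in claims.get("roles", []):
        return Decision(False, f"user lacks role '{required_role}'")
    return Decision(True, "access granted")

def authorize(headers: dict, claims: dict, required_scope: str, resource: str,
              required_role: Optional[str] = None) -> Decision:
    """Gateway first; the token is only inspected once the subscription key is accepted."""
    gate = gateway_check(headers)
    if not gate.allowed:
        return gate
    return api_check(claims, required_scope, resource, required_role)
```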