API Key Authentication Documentation Clarification


I was taking a look through the Conjur REST API documentation available at:
https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Developer/Conjur_Auth_REST_APIs.htm?tocpath=Developer|REST APIs|_____1#PasswordandAPIkey

I noticed that “Password and API Key” are available as (seemingly direct) authentication methods against the APIs instead of the token method.

I have been trying the base64 encoded method using the following header configuration:

'Authentication': 'Basic base64_enc_string'

Where base64_enc_string is created using the methods outlined in the first 2 steps of the linked documentation above:

  1. Create the authentication string by concatenating the role’s name, a literal colon character “:” and password or API key.
  2. Base64 encode the resulting authentication string.

There are two items I am unsure of:

  1. What would the “role’s name” be for an API Key?
  2. Is this even possible, where you can use this base64 encoded API Key authentication method to make calls to all Conjur APIs?

Am I interpreting the documentation incorrectly where it says the following:

The REST API accepts the following three forms of authentication:

* Password
* API key
* Access token

Thanks in advance!

So, it’s correct, but needs additional clarification:

A password can be given to a user or host identity. This is in addition to the initially generated API key.

If you do not know the API key and only have a password, you can hit the /login endpoint of the API which will return your user or host identity’s API key.

This is always generated anytime a new identity is defined. This is the minimum requirement for an identity to use for authentication. A password can be optionally granted to the identity.

When using an API key with the Conjur API, you will send it to the /authenticate endpoint and if you provide the header Accept-Encoding: base64 a base64-encoded JWT token will be returned which is your session token for the Authorization header going forward.

I cannot speak to Access Token as I’ve never used one before for API calls.

Thank you very much for the clarification!

I think the root of my issue is the concept of “Authentication” (used to get the JWT) versus the concept of “Authorization” which grants access (using that JWT) to the requested resource.

So it seems a JWT is required for all API operations aside from Authentication itself.

That’s correct. Check out “Add a Secret” from my Postman collection for Conjur’s API. You would provide the Authorization header like this:

Authorization: Token token="<base64-encoded JWT session token from /authenticate>"

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.