Hello, is it possible to isolate an appkey to a project or thing on ThingWorx 8.5.5? If so, can you provide a guide please. Thank you.
Hi @xotzHelper ,
Your thinking is very wise, and it should be the common baseline for every developer.
Since, as mentioned above, the appKey is linked only to a user, you need to create a specific user, which we usually call a "technical user", that has rights only for the service you need to execute.
Note: This user should not be part of the ComposerUser group. Also make sure you remove the user from the Everyone organization (check this help center link for security best practices).
You also said that the service needs to have access to features available to administrators, but I would challenge whether you can't use the System User concept for this. Look at this link for additional details.
At the end of the day you must make sure that the "Technical User" has:
- visibility to the Entity that hosts the service you want to execute
- Service execution rights (for him or for the System User) for the service you need to consume internally.
Let me know if that helps.
Appkeys are associated with users in ThingWorx. Multiple users can have one app key, or there can be a unique app key for every user. So they are isolated at the user level; there is no direct provision to map an app key to a Thing/Project. Can you please elaborate your use case for this request?
Thanks,
Mukul Narang
I'm trying to use a service in a public web page and I wanted to isolate the api-key so it doesn't become a security risk. One constraint I have is that I need some functions that are only accessible to the admin group.
Thanks.
In that case I believe you will be doing REST to ThingWorx from that public web page, and in the REST request you would need an app key for authentication. I think you are sending the app key in the REST request header; for security you can use SSL certs between the web page and ThingWorx so that your request will be encrypted. But for authentication you would definitely need a way, which is the app key in ThingWorx.
Thanks,
Mukul Narang
Hi, thank you for the response. Yes, in the future we will be using HTTPS and SSL, but for now I would like a way to prevent attacks with ThingWorx. I also believe it is a good practice. Moreover, the key will be on the front-end, so people can inspect the code.
Thank you @mnarang.
Hi @VladimirRosu, thank you for the response, it helped me a lot in solving this issue. In the end I followed your tips and created a back-end (which I was avoiding) to add extra security to the key. It's totally safe now.
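As an added example (not code from this thread, from PTC, or from the poster's back-end), this is the shape of the relay described above: the technical user's appKey stays on the server, the public page may only trigger one allowlisted Thing/service pair, and the relay builds the ThingWorx REST call itself. The base URL, Thing name, service name and the TWX_APPKEY environment variable are assumed placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed placeholders (not from the thread): the ThingWorx base URL and the
# single Thing/service pair the public web page is allowed to invoke.
THINGWORX_BASE = os.environ.get("THINGWORX_BASE", "https://thingworx.example.internal")
ALLOWED_SERVICES = {("PublicDashboardThing", "GetPublicSummary")}


def is_allowed(thing, service):
    """Allowlist check: anything not explicitly listed is refused."""
    return (thing, service) in ALLOWED_SERVICES


def build_upstream_request(thing, service, payload, appkey):
    """Map a front-end call onto the ThingWorx service-execution endpoint.

    Returns (url, headers, body). The appKey is attached here, server-side,
    so it never appears in the browser-visible code.
    """
    if not is_allowed(thing, service):
        raise ValueError(f"service not allowed: {thing}.{service}")
    if not appkey:
        raise RuntimeError("TWX_APPKEY is not set on the back-end")
    # ThingWorx runs a Thing service via POST /Thingworx/Things/<Thing>/Services/<Service>
    url = "{}/Thingworx/Things/{}/Services/{}".format(
        THINGWORX_BASE, urllib.parse.quote(thing), urllib.parse.quote(service))
    headers = {
        "appKey": appkey,  # technical user's key (limited visibility + execute rights)
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps(payload or {}).encode()
    return url, headers, body


def relay(thing, service, payload):
    """Handler body a web framework would call for the public page's request."""
    url, headers, body = build_upstream_request(
        thing, service, payload, os.environ.get("TWX_APPKEY"))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Service parameters arriving from the page should still be validated before being forwarded, since the technical user's execute right applies to whatever input the relay passes along.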
Nice to hear this.
PS: Make sure to mark one of the replies above as an answer to benefit other people who encounter this challenge