I need to create a url link (to be send by email) to open a specific mashup without requiring the user to authenticate to the platform.
I can do that by using an appkey linked to a specific user, this is possible using this method
that is however deprecated for security, in fact the appkey as url parameter feature is not enabled by default.
If I need to do that, I have to enable "Allow Application key as URL Parameter" feature for all the platform (opening to some possible hacks)
Is there a way to allow just a specific mashup to use this method ?
(and keep Allow Application key as URL Parameter to false ?)
To use the feature, you have to keep Allow Application key as URL Parameter to true.
As the article mentioned, for security reasons, associate specific user with specific appKey, granting the user permissions for the specific services and mashups only.
Yes .. I wouldn't enable this flag if possible ...
I see that the "reset password" feature uses a similar method
it creates a temporary appkey, and the link sent by email redirect to a mashup to set new password (with the appkey as parameter !)
but this is not a standard mashup ... it is in a different path (/formlogin/reset...), it is a system mashup outside the "composer" management, and as you can understand it works even id the "use appkey as parameter" flag is OFF, it has a different management.
Are there other possibilities ?
Can those "system mashups" be created with an extension ?
Even if I know the usecase seems solid - open mashup without logging in, the current soft "deadlock" (the deprecation of the AllowAppKeyAsURLParameter) does not make this a very feasible option long term.
I would suggest explaining to your customer/usecase owner that you really need to log in if you want to access the application. Usually in an enterprise this is a bit easier if they setup ThingWorx with SSO - they can login once. Again, maybe this won't work for reasons I'm not aware, but it is what it is.
If that's no go, another option is to enable that checkbox, and engage in discussion with your relevant PTC counterpart (through your Partner Manager/Customer Success Manager) to see how PTC will tackle that issue on long term, that is, what capability will they offer to support accessing mashups without logging in.
We cannot use SSO for now, we use native thingworx users.
On my case I have to open mashup with appkey for a single special operation.
and the appkey will be temporary (lifetime is few days) and it also will be deleted immediately when that operation is done.
A thingworx user will to this operation just one time in its life.
What do you mean for soft deadlock with the appkey ?
I read that the only "issue" with is that the appkey is cached and can be easily retrieved by the user.
Ok ... but if that appkey will be deleted by the system after little time... do I have other possible problems ?
By "soft deadlock" I referred to the fact that that checkbox is deprecated and there's no official alternative that replaces its capability.
Regarding your last comment, that indeed is true (you can delete/expire appKeys), but the caching aspect is generally seen as a bigger issue in these security issues.
You can make the system delete an appkey after login - use the Security Monitor's ApplicationKeySucceeded event.
However, keep in mind that if you ask an IT security expert, he will probably have some objections against this method. This is usually the case in these matters.