API applications

Introduction

The Osirium PAM REST API is a read-only API that allows third-party applications to read data from the Osirium PAM Admin Interface.

The steps required to configure authentication and authorise the use of the Osirium PAM APIs are as follows:

  1. Within the Admin Interface, the Osirium PAM superadmin creates a new application (see Creating and configuring a new API application).

    This will automatically generate a unique OAuth2 Client ID and OAuth2 Client secret.

    Configure the new application container with an appropriate name and notes in order to easily identify the application that will be using the access.

  2. The next part of the configuration will depend on the application that will be accessing the Osirium PAM APIs:

    If the application can self-manage access tokens, it needs only the OAuth2 Client ID and OAuth2 Client secret to make the Osirium PAM oauth2/token API call.

    [Image: API auth1]

    or

    If the third-party application cannot self-manage access tokens, an access token will need to be added and passed on to the third party with the OAuth2 Client ID.

    [Image: API auth2]

  3. Once the third-party application has the correct authentication, a number of Osirium PAM API calls can be made to the PAM Server to read the data presented in the Admin Interface.

    The following diagram shows the Admin Interface data that can be read by the available Osirium PAM APIs.

    [Diagram: API PAM calls]

    For further information on the Osirium PAM APIs click here.
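
For the first option in step 2 (an application that manages its own access tokens), a client could be structured as follows. This is an added example, not Osirium's code: the page names only the `oauth2/token` call, so the host, the full URL, and the RFC 6749 client-credentials request and response fields (`grant_type`, `access_token`, `expires_in`) are assumptions.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Assumptions (not from the Osirium documentation): the host name, the full URL
# path, and an RFC 6749 client-credentials request/response shape.
TOKEN_URL = "https://pam.example.invalid/oauth2/token"  # placeholder host

def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build the token request; the secret goes in a header, never in the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

def fetch_token(client_id, client_secret):
    with urllib.request.urlopen(build_token_request(client_id, client_secret), timeout=10) as resp:
        return json.load(resp)

class TokenManager:
    """Caches the access token and renews it shortly before it expires."""
    def __init__(self, client_id, client_secret, fetch=fetch_token, skew=30, clock=time.monotonic):
        self._id, self._secret = client_id, client_secret
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Renew `skew` seconds early so a call never starts with a token about to lapse.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._fetch(self._id, self._secret)
            self._token = reply["access_token"]
            self._expires_at = self._clock() + float(reply["expires_in"])
        return self._token

    def invalidate(self):
        """Call after the server rejects a token so the next call fetches a new one."""
        self._token = None

    def __repr__(self):  # keep the secret and token out of logs and tracebacks
        return f"TokenManager(client_id={self._id!r})"

if __name__ == "__main__":
    # Credentials come from the environment (hypothetical variable names), not from source.
    tm = TokenManager(os.environ["PAM_CLIENT_ID"], os.environ["PAM_CLIENT_SECRET"])
    print("token obtained:", bool(tm.token()))
```
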

Creating and configuring a new API application

This page allows you to create a new API application container that will generate a unique OAuth2 Client ID and OAuth2 Client secret. The application container can then be used to manage access tokens to allow applications to make calls to the Osirium PAM API.

To add a new application:

  1. On the API applications page, click the New application button (plus icon). A New OAuth2 application window opens.

    [Image: New OAuth2 Application]

  2. Within the New OAuth2 application window, enter a unique name that will help identify the API application and be used as the display name within the Admin Interface. Click Save. The new API application container is created and a unique OAuth2 ID and secret are generated.

    [Image: New OAuth2 Container]

Generating an access token

If the application requires an access token to make API calls, one can be generated on the API Application detail page.

To generate an access token:

  1. On the API applications page, click the API application name to open the Named detail page. The following configuration is available on this page.

    [Image: OAuth2 named detail page]

    | Heading | Description |
    | --- | --- |
    | Name | The display name given to the API application to help identify it. |
    | OAuth2 Client ID | Automatically generated unique ID. Can be copied by hovering over it. |
    | OAuth2 Client | Automatically generated unique secret. Hashed out for security but can be seen and copied by hovering over it. |
    | Notes | Enter any notes that might be useful for future reference or for other SuperAdmins. |
    | Access tokens | Lists all the access tokens that have been created for the application. "Last used at" displays the date the access token was last used to make an Osirium PAM API call. "Expires at" determines the date/time when the access token will no longer be valid; an application using it will then no longer be able to make Osirium PAM API calls. When an access token expires, the application is allowed to continue its ongoing call, but the next call it makes is rejected. When an application makes an API call with an expired access token, it is logged. Example: [Image: Access token expired message] |
    | New token button | Automatically generates a new access token with the selected expiration date. Hashed out for security but can be seen and copied by hovering over it. |

  2. To create a new access token, click on the New token button and select when you want the access token to expire.

    [Image: New access token window]

  3. Click Save. A new access token is granted and listed in the table. The access token, along with the OAuth2 Client ID, can now be passed on to your 3rd party to enable them to make API calls to Osirium PAM.

    [Image: Access token granted]