Hi,
We are currently exploring options to secure our internal APIs, which are consumed through SmartObjects.
Our objective is to ensure that we can reliably identify the user making a request following authentication, while maintaining a secure approach throughout.
As part of a proof of concept, we have successfully configured service instances using PKCE, Microsoft Online, and Client Credentials resource types, with SmartObject methods connected to one of our API endpoints.
The PKCE flow appears to be the most suitable option for interactive form-based scenarios. However, we encountered some challenges when testing workflow scenarios. Since K2 workflows execute under the K2 service account, we enabled the following option to allow the SmartObject to function within workflow steps:
"Cache OAuth token for service account for using SmartObjects in workflow steps"
What we observed is that the cached OAuth token associated with the service account appeared to correspond to the user who last refreshed the service instance. Could you provide any guidance on how this behaviour is expected to work? For example, when the cached token expires, how is a new token obtained, and which user's context is used?
To support workflow scenarios, we also tested the Client Credentials flow and found that we could identify the acting user by passing a user identifier in a request header. This approach appears to address the workflow use case, but we would appreciate any recommendations or best practices you can provide.
Kind regards,
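The header-based delegation described in the post, as an added example that is not part of the original post or of K2: a resource server that verifies the bearer token before reading any claim, takes the user from the token itself for interactive (PKCE) calls, and honours a user-identifier header only when the token is a client-credentials token from an allow-listed service-account client, so the header can never be supplied by an arbitrary caller. The header name X-Acting-User, the client id, the grant claim and the HMAC demo tokens are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo: HMAC-signed tokens with a shared secret stand in for the IdP's
# signed access tokens. The header name, client id and "grant" claim are assumptions.
SECRET = b"demo-shared-secret"
TRUSTED_WORKFLOW_CLIENTS = {"k2-workflow-service"}  # client ids allowed to assert a user
ACTING_USER_HEADER = "X-Acting-User"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(claims: dict) -> str:
    """Issue a compact token: base64url(claims).hex_signature (demo only)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token: str, now: float) -> dict:
    """Check signature and expiry before any claim is trusted."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def resolve_acting_user(headers: dict, now: float) -> tuple:
    """Return (user, source): 'user' for an interactive token, 'delegated' when the
    allow-listed service-account client asserts the user through the header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = verify_token(auth[7:], now)
    if claims.get("grant") == "client_credentials":
        # Service-account token: the header is only meaningful from a trusted client.
        if claims.get("client_id") not in TRUSTED_WORKFLOW_CLIENTS:
            raise PermissionError("client may not assert an acting user")
        acting = headers.get(ACTING_USER_HEADER)
        if not acting:
            raise PermissionError("acting user header required for service calls")
        return acting, "delegated"
    # Interactive (PKCE) token: the subject claim is the user; the header is ignored.
    return claims["sub"], "user"
```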