API Credentials and Product Profile management
- Topics:
- Developing
CREATED FOR:
- Beginner
- Developer
- Leader
Learn how to manage Credentials and Product Profile for OpenAPI-based AEM APIs.
In this tutorial, you learn how to add or remove:
- Credentials: Provide authentication for an AEM API.
- Product Profiles: Provide permissions (or authorization) for credentials to access the AEM resources.
Background
When you use an AEM API, you need to define the Credentials and Product Profile in the Adobe Developer Console (or ADC) project. In the following screenshot, you can see the Credentials and Product Profile for an AEM Assets Author API:
The Credentials provide the authentication mechanism for the API. The Product Profile grants permissions (or authorization) to the credentials, providing access the AEM resources. The API request could be on behalf of an application or a user.
A Product Profile is associated with one or more Services. In AEM as a Cloud Service, a Service represent user groups with predefined Access Control Lists (ACLs) for repository nodes, allowing granular permission management.
Upon successful API invocation, a user representing the ADC project’s credential is created in the AEM Author service, along with the user groups that match the Product Profile and Services configuration.
In above scenario, the user 1323d2... is created in the AEM Author service, and is a member of the user groups AEM Assets Collaborator Users - Service and AEM Assets Collaborator Users - author - Program XXX - Environment XXX.
Add or remove Credentials
The AEM APIs support the following types of credentials for authentication:
- OAuth Server-to-Server: Designed for machine-to-machine interactions.
- OAuth Web App: Designed for user-driven interactions with a backend server in your client application.
- OAuth Single Page App: Designed for user-driven interactions without a backend server in your client application.
You can support various use cases using different types of credentials.
All Credentials are managed in your ADC project.
To add credentials for an AEM API, go to the APIs section of your ADC project and click Connect another credential. Then, follow the instructions for your specific credential type.
To remove an AEM API credential, select it in the APIs section of your ADC project, then click Delete credential.
Add or remove Product Profiles
The Product Profile provides the permissions (or authorization) to the credentials to access the AEM resources. The permissions provided by the Product Profile are based on the Services associated with the Product Profile. Most of the Services provide the READ permission to the AEM resources, via the user groups in AEM instance that have the same name as the Service.
There are times when the credentials (aka technical account user) need additional permissions like Create, Update, Delete (CUD) of AEM resources. In such cases, you need to add a new Product Profile that is associated with the Services that provide the required permissions.
For example, when AEM Assets Author API invocation receives 403 error for non-GET requests, you can add AEM Administrators - author - Program XXX - Environment XXX Product Profile to resolve the issue.
CAUTIONTo add Product Profiles for an AEM API, click Edit product profiles in the APIs section of the ADC project, select the desired Product Profile in the Configure API dialog, and save your changes.
Select the desired Product Profile (e.g., AEM Administrators - author - Program XXX - Environment XXX) associated with the required services, then save your changes.
Note that the AEM Administrators - author - Program XXX - Environment XXX Product Profile is associated with both the AEM Administrators service and the AEM Assets API Users service. Without the latter, the Product Profile will not appear in the list of available Product Profiles.
The PATCH request to update the asset metadata should now work without issues.
To remove Product Profiles for an AEM API, click Edit product profiles in the APIs section of the ADC project, deselect the desired Product Profile in the Configure API dialog, and save your changes.
Summary
You learned how to change the authentication mechanism and permissions for AEM APIs using Credentials and Product Profile in the Adobe Developer Console (ADC) project.