Static bearer token in rest call - most secure way to save?

  • Question
  • Updated 4 weeks ago
  • Answered
Hello!

I've got a REST endpoint that has provided us with a static bearer token. It is not the typical HTTP auth where it is username+password in base64, nor a token from an authentication service where we can pull it from $Auth.response. It is just a text field.

So in every call, we put the header "Authorization : Bearer <our static key>"

Currently in our prototype, I've got this hard coded in the data source "common request headers" section.  However, I'm wondering if there is a better way to store this for production where it can be encrypted.  We use an Apex proxy, so if I understand correctly, this header won't flow through the browser and reveal itself, so it should be safe from users (right?).  However, it would be exposed to anyone who has the skuid builder or admin permission set.

Is there anywhere we can save this field in an encrypted field and merge it in at the data source (not page) layer?

Thanks!
Paul

Posted 1 month ago

Zach McElrath, Employee
Hey Paul, yes, there is a better way to do this. It's a bit confusing, but it works --- just had to point someone else in this direction last week!

1. In your Data Source, set the Authentication Method to "Basic HTTP Authentication". I know, you're not using Basic HTTP Authentication --- but hang with me, we'll fix this later. The only reason that we are doing this is to get Skuid to render the "Username" and "Password" fields. We need these to be displayed so that you can:
2. Enter your static token into the "Password" field. This field, as well as Username, is encrypted at the database level, and when you're using the Apex Proxy, it will never be sent down to the browser, so neither an Admin nor any other user will be able to retrieve the value of this field --- once you enter a value here, it is totally secure --- the only person who can see its value is the REST service that you are sending it to.
3. Now that the Password is entered, switch your Authentication Method back to "No Authentication".
4. Go into the "Common Request Headers", and change the "Authorization" header's value to be "Bearer {{$Auth.Password}}". Skuid's Proxy will now, at runtime, and server-side, inject the value of the Password into this header. Thus the value will never be accessible to the browser.
5. Save your Data Source.

Note 1: If you ever need to change the static token in the future, you'll have to repeat this --- temporarily switch Authentication Method to "Basic HTTP Authentication", enter a new password value, then switch it back.

Note 2: You can enter whatever value you want for Username --- it's not going to be used, so it doesn't matter what you put here.
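The two configurations from this thread side by side, as an added illustration (not Skuid's code): a constructed stand-in for the data source record, a builder/admin view of it, and the server-side merge step that substitutes `{{$Auth.Password}}` into the header just before the upstream call. The `DataSource` class, the masking, and the regex for the merge field are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Merge-field syntax as used in the answer: {{$Auth.Password}}, {{$Auth.Username}}
MERGE_RE = re.compile(r"\{\{\$Auth\.(\w+)\}\}")

@dataclass
class DataSource:
    """Constructed stand-in for a data source record (not Skuid's own model)."""
    common_request_headers: dict              # readable by anyone with builder/admin rights
    auth: dict = field(default_factory=dict)  # Username/Password: encrypted at rest, proxy-only

def builder_view(ds):
    """Configuration as a builder or admin sees it: headers verbatim, auth values masked."""
    return {"headers": dict(ds.common_request_headers),
            "auth": {k: "********" for k in ds.auth}}

def secret_visible_to_builder(ds, secret):
    """True if the raw secret can be read straight out of the builder-visible config."""
    return any(secret in v for v in builder_view(ds)["headers"].values())

def resolve_headers(ds):
    """Server-side proxy step: substitute $Auth merge fields right before the upstream call."""
    def sub(m):
        name = m.group(1)
        if name not in ds.auth:
            raise KeyError(f"no $Auth field named {name!r} on this data source")
        return ds.auth[name]
    return {h: MERGE_RE.sub(sub, v) for h, v in ds.common_request_headers.items()}

TOKEN = "static-token-CONSTRUCTED-EXAMPLE"  # constructed sample value, not a real credential

# Prototype from the question: token hard-coded in the common request headers
hardcoded = DataSource({"Authorization": f"Bearer {TOKEN}"})

# Pattern from the answer: token kept in the encrypted Password field, merged at the proxy
merged = DataSource({"Authorization": "Bearer {{$Auth.Password}}"},
                    auth={"Username": "unused", "Password": TOKEN})

if __name__ == "__main__":
    print(builder_view(hardcoded))  # token readable by any builder/admin
    print(builder_view(merged))     # only the merge field and a masked Password
    print(resolve_headers(merged))  # what the proxy actually sends upstream
```

Either way the browser never sees the header when the Apex proxy is used; the difference is whether someone with builder or admin rights can read the token out of the saved configuration.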
Paul
Thanks Zach.  That was what I was looking for!  Although this is like the super secure solution because people won't even be able to find the password field, much less see the value.
Zach McElrath, Employee
I completely agree, we have a story in the backlog to add a new Authentication Method called "API Key / Shared Secret" to accommodate this pattern in a more natural way -- it's a very common pattern.