Security Enhancements in 2024.09
The following enhancement related to FlexNet Operations security was made in the 2024.09 release.
Token-Based Authentication in REST and SOAP APIs
Previously, FlexNet Operations REST and SOAP APIs used Basic Authentication as their authentication scheme. Basic Authentication is simple but is considered less secure, so the 2024.09 release introduces token-based authentication.
In token-based authentication, the client first authenticates with its credentials. If authentication succeeds, the client receives an access token, which it must then include as a Bearer token in the Authorization HTTP header of subsequent requests.
Access tokens are provided as an alternative way to authenticate and authorize web service calls to FlexNet Operations, so that integrations do not have to embed user credentials for Basic Authentication.
In token-based authentication for FlexNet Operations APIs, producers and system administrators call the access-token-controller REST web service to request an access token with a limited expiration from FlexNet Operations. The token that the web service returns must then be added to the header of each request sent to a FlexNet Operations API (REST or SOAP).
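The following added example (not Flexera code) sketches how an integration can hold a limited-lifetime access token, renew it shortly before it expires, and attach it as a Bearer token to REST or SOAP requests. The call to the access-token-controller service is passed in as `fetch_token`, a hypothetical callable returning the token and its lifetime in seconds, because the service's URL and response fields are not given here; the class and function names are likewise illustrative.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption: fetch_token() returns (token, lifetime_in_seconds). In a real
# integration it would call the access-token-controller REST web service.
TokenFetcher = Callable[[], Tuple[str, float]]


class BearerTokenSource:
    def __init__(self, fetch_token: TokenFetcher,
                 clock: Callable[[], float] = time.monotonic,
                 refresh_margin: float = 60.0) -> None:
        self._fetch_token = fetch_token
        self._clock = clock
        self._refresh_margin = refresh_margin  # renew this many seconds early
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token(self) -> str:
        """Return the cached token, requesting a new one when near expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._refresh_margin:
            value, lifetime = self._fetch_token()
            if not value or lifetime <= 0:
                raise ValueError("token service returned an unusable token")
            self._token = value
            self._expires_at = self._clock() + lifetime
        return self._token

    def headers(self, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        """Headers for a REST or SOAP request, with the token in Authorization."""
        merged = dict(extra or {})
        merged["Authorization"] = f"Bearer {self.token()}"
        return merged

    def __repr__(self) -> str:
        # Keep the token out of logs and tracebacks.
        return "BearerTokenSource(token=<redacted>)"


def demo() -> Dict[str, str]:
    # Constructed stand-in for the token service: issues 300-second tokens.
    issued = []

    def fake_fetch() -> Tuple[str, float]:
        issued.append(1)
        return f"constructed-token-{len(issued)}", 300.0

    return BearerTokenSource(fake_fetch).headers({"Content-Type": "text/xml"})
```

Because the token is held only in memory and renewed on demand, the integration does not have to store a long-lived token alongside its configuration.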
Producers can also obtain access tokens using the new option Manage Access Tokens (available from the Accounts & Users menu) in the Producer Portal or the End-User Portal. Producers who do not want to allow customer users and partner users to create access tokens in the End-User Portal can select the configuration option Hide Access Tokens (under System > Configure > End-User Portal Setup > Manage Accounts & Users).
The access token not only authenticates the requester but also determines how the requester is permitted to use the API, depending on the token type:
• NORMAL tokens can be requested by any FlexNet Operations user to authenticate themselves at a FlexNet Operations API.
• IMPERSONATED tokens can be requested by system administrators to impersonate other FlexNet Operations users.
Token-based authentication is currently available for the following APIs:
• SOAP Web Services
• Data Extract REST API
• Application REST API