Choose API authentication and authorization methods #47

@datarttu

Description

Currently, we use a constant code parameter value, originating from Azure Functions, to authorize requests to HFP Analytics REST API. This is not a sustainable method in the long run: different users with different needs would still use the same code value, code may change between deployments, code value must be provided to API consumers manually, and so on.

  • Find a decent way to provide up-to-date API keys for different users. Preferably, each human / application user would have its own API key that we can disable if the API is misused by that user, for instance. The authentication method should be compatible with HSL API Management strategies and techniques, so that e.g. a user can easily obtain API keys by their AD or HSLID identity.
  • Decide how to authorize API requests with the given API key: e.g., URL parameter or bearer token. In future, we may want to allow different levels of access by API key, so that we can e.g. give limited access to computationally heavy endpoints while keeping lightweight endpoints more open.
  • Consider how authentication & request authorization are handled in the OpenAPI documentation. One should be able to easily discover how the API works structurally without having to go through a difficult authentication procedure first. Currently, the OpenAPI "Execute" button results in a failing request since the test query URL does not contain the code parameter.
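An added example (not the project's code) sketching the scheme the issue asks for: one key per human or application user, stored only as a hash, revocable per owner without a redeploy, accepted as a bearer token with a `?code=` fallback, and checked against a per-endpoint access tier. The endpoint paths, tier values and the in-memory store are assumptions standing in for whatever API Management provides.

```python
import hashlib
import secrets
from dataclasses import dataclass

TIERS = {"/vehicles": 1, "/journeys": 1, "/stop_analysis": 2}  # constructed: 1 = light, 2 = heavy

@dataclass
class ApiKeyRecord:
    owner: str           # AD / HSLID identity of the human or application user
    tier: int = 1        # highest endpoint tier this key may call
    enabled: bool = True

class KeyStore:  # in-memory stand-in for a real key store (e.g. API Management)
    def __init__(self):
        self._records = {}   # sha256(key) -> ApiKeyRecord; plaintext keys never stored

    @staticmethod
    def _hash(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, owner, tier=1):
        key = secrets.token_urlsafe(32)          # shown to the user once
        self._records[self._hash(key)] = ApiKeyRecord(owner, tier)
        return key

    def disable(self, owner):
        for rec in self._records.values():
            if rec.owner == owner:
                rec.enabled = False              # revoke without a redeploy

    def lookup(self, key):
        return self._records.get(self._hash(key))

def extract_key(headers, params):
    """Prefer 'Authorization: Bearer <key>'; fall back to ?code= for old clients."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return params.get("code")

def authorize(store, path, headers, params):
    key = extract_key(headers, params)
    if key is None:
        return 401, "missing API key"
    rec = store.lookup(key)
    if rec is None or not rec.enabled:
        return 401, "unknown or disabled API key"   # one message for both cases
    if TIERS.get(path, 1) > rec.tier:
        return 403, "key not allowed on this endpoint"
    return 200, rec.owner
```

Because the store holds only hashes, a leaked database does not leak usable keys, and disabling an owner takes effect on the next request rather than at the next deployment.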

Labels: enhancement (New feature or request)