Starting with version Current 2024.Q3 of d.ecs identity provider (or from Thursday, 08.08.2024 in the cloud), a confirmation dialog will appear for users with API keys. This dialog prompts the respective user to confirm or decline the API key. If a user declines the API key, this API key can no longer be used. API keys that have not yet been confirmed or declined or that have already been created in the past will continue to work without restriction.
When a new API key is created by the administration, an e-mail is sent to the associated user account and the user is informed that an API key has been created. The user receives a dialog to confirm the API key.
The user will be prompted to either confirm or decline the API key the next time they log in (and repeatedly while working with the system). This prompt also applies to previously created API keys. The administrator can view the confirmation status in the configuration interface or request a new confirmation if, for example, an API key was declined by mistake.
As technical users do not have the option of logging in interactively, their API keys do not require confirmation and cannot be declined.
To make the transition easier, the use of unconfirmed API keys is still possible without restriction for the time being.
Future outlook
- Confirmation will soon be mandatory before an API key can be used.
- In a further step, the creation of API keys will be prevented for non-technical users.
Frequently asked questions and answers:
Why is this change being made?
Users should be informed that an API key has been created for them. Since it is possible to interact with d.velop documents on behalf of someone else using this API key, users will be given the option to decline this interaction.
My API key was created before confirmation was introduced. Do I still need to confirm the API key?
No, not yet. However, you will be prompted again and again to confirm the API key.
The target user was previously in the technical user group, but no longer is. Can the API key now be declined?
Yes, the target user is automatically prompted to confirm or decline the API key. However, no e-mail notification is sent in this case.
Can I disable this behavior?
No, this is the first step of a necessary security measure.
The user has accidentally declined the confirmation, so the API key cannot be used. What can I do?
Administrators can trigger the confirmation request again in the configuration of the respective API key. The user is then informed or prompted again.
Is there another way to work with a user's identity using an app?
You can use the OpenIDProvider app to have the user confirm a session via OAuth2. However, the confirmation must be implemented in every app used.
What happens if an API key is already being used in configurations and the user declines the API key?
The API key becomes invalid and cannot be used from then on. However, administrators can request a new confirmation. The API key is then valid again until it is next declined.