thinkgeo_cloud_quick_start_guide
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
thinkgeo_cloud_quick_start_guide [2018/12/06 17:18] edgar [Managing Your Clients] |
thinkgeo_cloud_quick_start_guide [2018/12/13 23:04] (current) brianr Bold notation was wrong |
||
|---|---|---|---|
| Line 26: | Line 26: | ||
| * **NativeConfidential** clients have full access to all the APIs you do, including those which manage clients and your user profile. They will authenticate by exchanging their ID and secret key for an identity token. Then, they will use that token to make requests to the ThinkGeo Cloud APIs. These clients are called "NativeConfidential" because their secret key must be kept confidential, and thus they are only suitable for use in native compiled applications or web services where the secret can be kept confidential, out of the hands of users. | * **NativeConfidential** clients have full access to all the APIs you do, including those which manage clients and your user profile. They will authenticate by exchanging their ID and secret key for an identity token. Then, they will use that token to make requests to the ThinkGeo Cloud APIs. These clients are called "NativeConfidential" because their secret key must be kept confidential, and thus they are only suitable for use in native compiled applications or web services where the secret can be kept confidential, out of the hands of users. | ||
| - | * **JavaScript** clients are intended to be used in web applications. They are simpler to use but can only access ThinkGeo Cloud plugins like elevation or the reverse geocoder. To use a JavaScript client, you only need to include the client ID in the URL of the API you are requesting -- no tokens are required. A JavaScript client's ID does not need to be kept confidential, but you should restrict the client so that it can only be used from web domains you control. | + | * **JavaScript** clients are intended to be used in web applications. They are simpler to use but can only access ThinkGeo Cloud plugins like elevation or the reverse geocoder. To use a JavaScript client, you only need to include the client ID in the URL of the API you are requesting -- no tokens are required. A JavaScript client's ID does not need to be kept confidential, but you should restrict the client so that it can only be used from web domains you control. See [[#Securing Your Clients|Securing Your Clients]] below for more information. |
| For now, let's use one of the default clients that come with your ThinkGeo Cloud account. For this exercise, we'll choose the Native Confidential client called "Sample Native Client". | For now, let's use one of the default clients that come with your ThinkGeo Cloud account. For this exercise, we'll choose the Native Confidential client called "Sample Native Client". | ||
| Line 36: | Line 36: | ||
| {{::thinkgeo_cloud_showkeys.png?350|}} | {{::thinkgeo_cloud_showkeys.png?350|}} | ||
| - | You can use the "Copy" button to copy these values to your clipboard and use them in your application. | + | You can use the "Copy" button to copy these values to your clipboard and use them in your application when authenticating. |
| + | **Note:** JavaScript clients will only have an API Key, since they are intended for use in browser-based applications where a secret cannot be kept secure. | ||
| + | ====Securing Your Clients==== | ||
| + | ===Keeping Secrets Safe=== | ||
| + | You should take all necessary precautions to keep safe the API Key and API Secret -- particularly the latter -- of your NativeConfidential clients. Since these two values together can always be used to request an access token, if unauthorized users gain access to both of them, they can use your client in their own applications and the API usage will count against your ThinkGeo Cloud account. | ||
| + | |||
| + | For maximum security, if you are developing a client application that will be distributed to end users, it's a good idea to create your own web service or serverless function such as AWS Lambda to store your client key and secret. This service or function can then field requests from your application, call out to the ThinkGeo Cloud to get an access token, and then return it to application. Your application can then use the access token to make ThinkGeo Cloud API calls. | ||
| + | |||
| + | In contrast, JavaScript client API keys are less confidential, but you should take care to restrict them in the ThinkGeo Cloud web console so they can only be used from authorized sites or IP addresses. | ||
| + | |||
| + | ===Restricting Who Can Use Your Client Keys=== | ||
| + | The ThinkGeo Cloud web console lets you configure your clients so they can only be used from approved locations. This is a **highly recommended step** to ensure that only you are able to use your client keys. | ||
| + | |||
| + | On the "Clients" page of the ThinkGeo Cloud web console, pick the client you wish to secure and click the blue **Pencil** button. The "Edit Client" dialog will appear. Near the bottom, you'll see a text box where you can add restrictions for your client. | ||
| + | |||
| + | JavaScript clients can whitelist usage by Origin Domain (e.g. mywebsite.com) or IP Address/IP Range (e.g. 203.0.113.78). NativeConfidential clients can use IP Address/IP Range restriction only. | ||
| + | |||
| + | ==Whitelisting Origin URIs== | ||
| + | {{::thinkgeo_cloud_edit_client_restrict_origins_sm.png?nolink|}} | ||
| + | |||
| + | JavaScript clients can whitelist individual origin URIs (e.g. mywebsite.com) that are allowed to use the client. This is useful for web applications that are hosted on a particular domain, where no other web address should be allowed to use your client. You can enter: | ||
| + | |||
| + | - A specific web domain, e.g. mywebsite.com | ||
| + | - Wildcards to represent all subdomains of a given domain, e.g. *.mywebsite.com | ||
| + | |||
| + | ==Whitelisting IP Addresses/IP Ranges== | ||
| + | {{::thinkgeo_cloud_edit_client_restrict_ips_sm.png?nolink|}} | ||
| + | |||
| + | JavaScript and NativeConfidential clients can whitelist individual IP addresses or IP address ranges that are allowed to use the client. You can enter: | ||
| + | |||
| + | - A specific IP address, e.g. 203.0.13.55 | ||
| + | - An IP range with wildcards, e.g. 203.0.113.* | ||
| + | - CIDR notation, e.g. 203.0.113.0/24 | ||
thinkgeo_cloud_quick_start_guide.1544116702.txt.gz · Last modified: 2018/12/06 17:18 by edgar