Authenticating requests
Added by IBM (IBM contributor) on December 22, 2015

Many operations, such as entry updates, require authentication by default. In addition, if the IBM® Connections administrator configures the servers to force authentication, all operations will first require you to authenticate.

About this task

API resources that are public do not require authentication. Authentication is required before users can access the Activities, Home page, and Search applications by default. The rest of the applications do not initially force authentication. This configuration allows applications like Profiles and Blogs to be open to everyone for browsing, and only require authentication when a user tries to edit a personal profile or blog. If you want IBM Connections to require authentication for all of the applications, the administrator must explicitly configure it.

There are three mechanisms for accessing IBM Connections: Basic, Form Based, and OAuth. For each Connections application, typically on the 'Overview' page, there is a description of the URL pattern expected for each authentication mechanism. For example, for Activity Stream:

Activity Stream Authorization

For Social recommendation:

Social Recommendations

Basic authentication


API programs that use basic authentication to access protected resources need to provide a user name and password. The API client program can either send basic authentication credentials preemptively or send them only in response to an "HTTP/1.1 401 Unauthorized" challenge from the IBM Connections server. To prevent credentials from being sent in the clear, the API (except for the Files and Wikis API) always sends a redirect to HTTPS before issuing the unauthorized challenge. The Files and Wikis APIs use J2EE declarative security, which does not support the redirection of basic authentication requests to HTTPS before requesting authentication credentials. Regardless, be sure that the client program only sends credentials over an SSL-secured connection.

To force API traffic to be sent over HTTPS, you can configure IBM Connections to force all traffic to be sent using an encrypted connection. See Forcing traffic to be sent over an encrypted connection.
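
The client-side rule described above (answer the 401 challenge only once the request is on HTTPS) can be sketched as follows. This is an added example, not IBM code: the host name, the paths, the `send` transport callback and `fake_server` are constructed for illustration, and the same-host check is an extra precaution that goes beyond what this article states.

```python
import base64
from urllib.parse import urljoin, urlsplit

class InsecureTransportError(Exception):
    """Raised instead of sending Basic credentials somewhere unsafe."""

def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def fetch_with_basic(url, user, password, send, max_hops=5):
    """Follow redirects, then answer a 401 challenge only over HTTPS.

    send(url, headers) -> (status, response_headers) is the transport;
    it is injected (an assumption of this example) so the logic runs offline.
    """
    origin_host = urlsplit(url).hostname
    headers = {}
    for _ in range(max_hops):
        status, resp = send(url, dict(headers))
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, resp["Location"])
            headers = {}  # never carry credentials across a redirect
        elif status == 401 and "Authorization" not in headers:
            target = urlsplit(url)
            if target.scheme != "https":
                raise InsecureTransportError("challenge received over " + target.scheme)
            if target.hostname != origin_host:
                raise InsecureTransportError("challenge from unexpected host")
            headers["Authorization"] = basic_header(user, password)
        else:
            return status, url  # success, or the credentials were rejected
    raise RuntimeError("too many redirects")

def fake_server(url, headers):
    """Constructed stand-in for a server: redirects HTTP to HTTPS before
    challenging, except under /files/, which challenges directly."""
    parts = urlsplit(url)
    if parts.scheme == "http" and not parts.path.startswith("/files/"):
        return 302, {"Location": "https://" + parts.netloc + parts.path}
    if headers.get("Authorization") != basic_header("alice", "s3cret"):
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    return 200, {}

if __name__ == "__main__":
    print(fetch_with_basic("http://connections.example.com/activities/feed",
                           "alice", "s3cret", fake_server))
```

A challenge that arrives over plain HTTP, as the Files and Wikis case above allows, raises `InsecureTransportError` instead of sending the password.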

Form based authentication


This is usually used by the IBM Connections components themselves when using the APIs from the browser. Typically, APIs using Form based authentication have /form/ in the request URI.

OAuth authorization


IBM Connections supports the OAuth 2.0 standard authorization protocol. Third-party applications ("consumer" applications) can use a combination of OAuth and the IBM Connections API to access IBM Connections data. Typically, APIs using OAuth have /oauth/ in the request URI.

For more information on how to configure the system to allow third parties to access Connections data using OAuth, refer to the following topic:

Allowing third party applications access to data via the OAuth2 protocol