Feature Wiki
Tabs
REST API: Authentication and Service Control (Phase 2)
Page Overview
[Hide]- 1 Initial Problem
- 2 Conceptual Summary
- 3 User Interface Modifications
- 4 Additional Information
- 4.1 Involved Authorities
- 4.2 Technical Aspects
- 4.3 Privacy
- 4.4 Security
- 4.5 4.5 Contact
- 4.6 Funding
- 5 Discussion
- 6 Implementation
- 6.1 Description and Screenshots
- 6.2 Test Cases
- 6.3 Privacy
- 6.4 Approval
If you need any help in filling out this wiki page, please visit our ILIAS Community FAQ. And please complete the metadata information in the right column after having created the page.
1 Initial Problem
Following the completion of Phase 1, the strategic decision was made to prioritize and bring forward the implementation of an authentication layer. While the component's basic framework was established, integrating authentication layer became the immediate focus. This was essential to ensure the component's readiness for production environments, allowing ILIAS users to confidently and securely create their own API endpoints and activities, and ultimately facilitating its smooth integration into the ILIAS core.
2 Conceptual Summary
This phase is designed to directly address these needs. Building directly on the foundational work of Phase 1, our primary focus now shifts to introducing a robust authentication system and comprehensive administrative controls. These enhancements are vital, as they will empower ILIAS users to confidently and securely manage their API endpoints and activities. The ultimate goal is to make the ApiGateway component fully production-safe, thereby facilitating its seamless adoption into the ILIAS core.
This project is an ongoing project, but phases have been split to ensure stability & new feature values for each delivered phase. Future phase details are subject to change based on community feedback or updates in planning.
- Phase 1 was about the Webservices API foundation, focusing on REST, delivering the core infrastructure, initial Activity integration, and key feature API concept definitions.
- Phase 2 is focusing on integrating security and access controls.
- Phase 3: Swagger & Middlewares will focus on generating OpenAPI documentation.
- Phase 4: Activity I/O Validation Schemas will focus on the automatic generation of OpenAPI documentation for activities that are discovered dynamically.
- Phase 5: SOAP Webservice Integration will focus on stabilization and current SOAP implementation clean-up based on feedback.
3 User Interface Modifications
3.1 List of Affected Views
- No foreseeable view modifications.
3.2 User Interface Details
- No foreseeable UI modifications.
3.3 New User Interface Concepts
- A new settings page in the admin dashboard to control each available webservice.
3.4 Accessibility Implications
- No foreseeable accessibility modifications.
4 Additional Information
4.1 Involved Authorities
- Authority to Sign off on Conceptual Changes: Hamouda, Ahmed [ahamouda]
- Authority to Sign off Code Changes: Hamouda, Ahmed [ahamouda]
- Authority to Curate Test Cases: Karki, Sagun [sagun]
- Assignee for Security Reports: Karki, Sagun [sagun]
- Assignee for Security Issues: Karki, Sagun [sagun]
4.2 Technical Aspects
Missing Dependencies
- Requires the following third-party libraries managed via Composer:
- `slim/slim` For HTTP request handling and routing.
- Depends on the ILIAS core for bootstrapping and accessing global services, such as settings (`ilApiGatewaySettings`) and the user object from the DIC.
Existing Dependencies
- Requires the following third-party libraries managed via Composer:
- `firebase/php-jwt` For securely generating and validating JWT tokens to handle user authentication and sessions.
- `guzzlehttp/psr7` For handling HTTP request and response bodies in a standardized way.
- `psr/log` For the logger interface.
4.3 Privacy
The API will only provide a layer on top of the existing ILIAS components. There is no direct manipulation of the user data.
4.4 Security
As in the previous phase, adding new endpoints inherently increases the attack surface, introducing risks such as injection attacks, unauthorized access, and issues with token-based authentication. To mitigate these, users should embed security into the component's building blocks by:
- Applying strict input validation and sanitization to prevent injection & related attacks.
- Enforcing strict authorization checks on each new endpoint.
- Using HTTPS to secure data in transit.
- Conducting thorough security testing and audits to identify and resolve vulnerabilities before launch.
4.5 4.5 Contact
This feature is developed by Minervis GmbH.
- For funding offers: Günther, Andre [ILIASBase].
- For technical inquiries: Hamouda, Ahmed [ahamouda].
4.6 Funding
- If you are interest in funding this feature, please add your name and institution to this list.
- HHU Düsseldorf - 6.000,00 € für Phase 2 - erfolgt
- ILIAS Beirat - 6. 000,00 € (offen)
- ...
5 Discussion
6 Implementation
The feature has been implemented by Hamouda, Ahmed [ahamouda].
6.1 Description and Screenshots
{ Description of the final implementation and screenshots if possible. }
6.2 Test Cases
Test cases completed at {date} by {user}
- {Test case number linked to Testrail} : {test case title}
6.3 Privacy
Information in privacy.md of component: updated at {date} by {user} | no change required
6.4 Approval
Approved at {date} by {user}.
Last edited: 10. Dec 2025, 12:15, Hamouda, Ahmed [ahamouda]