To get the developer up and running fast, Lodata does not wrap the API in authentication by default, but it's easy to add.
The OData standard is light on recommendations for authentication, as theoretically any HTTP authentication type could be supported by the producer as long as the consumer understands it.
The only authentication type the OData standard does recommend is HTTP Basic, and there's support in many consumers for this.
If you've exported the configuration, you can add basic authentication to all Lodata endpoints by modifying the configuration to include `auth.basic` in the array of middleware:
```php
...
/*
 * An array of middleware to be included when processing an OData request. Common middleware used would be to
 * handle JWT authentication, or adding CORS headers.
 */
'middleware' => ['auth.basic'],
...
```
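To confirm the middleware change actually protects the endpoints, a Laravel feature test can assert that anonymous requests are challenged and only valid credentials get through. This is an added example, not code from the Lodata project; it assumes the default Laravel `User` model and factory, that `auth.basic` checks the `email` column, and that Lodata is mounted at the `odata` route prefix.

```php
<?php
// Added example, not from the Lodata project. Assumptions: default Laravel
// User model/factory, Lodata mounted at the "odata" route prefix.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class LodataBasicAuthTest extends TestCase
{
    use RefreshDatabase;

    private const SERVICE_ROOT = '/odata/';          // assumed prefix
    private const METADATA     = '/odata/$metadata'; // standard OData metadata path

    // Build the Authorization header a Basic-auth consumer would send.
    private function basic(string $user, string $password): array
    {
        return ['Authorization' => 'Basic '.base64_encode("$user:$password")];
    }

    public function test_anonymous_requests_are_challenged(): void
    {
        // Both the service document and the metadata document must be covered.
        foreach ([self::SERVICE_ROOT, self::METADATA] as $url) {
            $this->get($url)
                ->assertStatus(401)
                ->assertHeader('WWW-Authenticate');
        }
    }

    public function test_wrong_password_is_rejected(): void
    {
        $user = User::factory()->create(['password' => Hash::make('correct-horse')]);

        $this->get(self::SERVICE_ROOT, $this->basic($user->email, 'wrong'))
            ->assertStatus(401);
    }

    public function test_valid_credentials_reach_the_service_document(): void
    {
        $user = User::factory()->create(['password' => Hash::make('correct-horse')]);

        $this->get(self::SERVICE_ROOT, $this->basic($user->email, 'correct-horse'))
            ->assertOk();
    }
}
```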
The OpenAPI schema supports advertising the available security schemes for an API. Lodata can include this in the OpenAPI document by adding a `securityScheme` property to the configuration. The content of this property is emitted as-is and should match the Security Scheme Object definition. This example shows adding an OAuth2 provider:
```php
...
/**
 * Configuration for OpenAPI schema generation
 */
'openapi' => [
    'securityScheme' => [
        'type' => 'oauth2',
        'flows' => [
            'clientCredentials' => [
                'tokenUrl' => '/oauth/token',
                // Cast to object so an empty scope list is emitted as {} rather than []
                'scopes' => (object) [],
            ],
        ],
    ],
],
...
```