I have observed the below scenarios:
Scenario 1
I have two applications, one of UI type and one of API type, as below.
UI app: App_1 API dependencies: API_1
Now I can use the API_1 app in my UI APP_1, and that is working fine.
Scenario 2
UI app: App_2 API dependencies: API_2
Now, in this case I have not added API_1 as a dependency for UI APP_2, but I am still able to call API_1 endpoints from APP_2.
This should not be allowed, as I have not added API_1 as a dependency API to APP_2.
Solution
Any UI application can access any API within the same tenant if the API endpoint is not protected by an API-specific scope.
If the API endpoint is protected by a specific scope, the same API is not configured in the UI app as a dependency, and the API app scopes are not assigned to users from settings, users will get a 403 while accessing the application endpoint.
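The two cases above, seen from the API's side, as an added example that is not code from this article or from MindSphere. Route paths, scope names and token payloads are constructed, and the sketch assumes the token has already been signature-verified and carries the user's scopes in a `scope` claim.

```python
# Added example: scope enforcement inside an API app. All names are constructed.
# `claims` is the payload of an access token whose signature, issuer and expiry
# were ALREADY verified upstream (assumption); None means no valid token.

# Endpoint -> scope it requires. None = not protected by an API-specific scope.
ROUTE_SCOPES = {
    ("GET", "/api/api1/v1/status"): None,
    ("GET", "/api/api1/v1/assets"): "api1.read",
    ("POST", "/api/api1/v1/assets"): "api1.write",
}

# Constructed token payloads: a user of APP_1 who was assigned the API_1 read
# scope, and a user of APP_2, which does not list API_1 as a dependency.
APP_1_USER = {"scope": ["app1.user", "api1.read"]}
APP_2_USER = {"scope": ["app2.user"]}


def token_scopes(claims):
    """Return the token's scopes as a set (list or space-separated string)."""
    raw = claims.get("scope", [])
    return set(raw.split() if isinstance(raw, str) else raw)


def authorize(method, path, claims):
    """Return the HTTP status the API answers with for this request."""
    if claims is None:
        return 401
    if (method, path) not in ROUTE_SCOPES:
        return 404
    required = ROUTE_SCOPES[(method, path)]
    if required is None:
        return 200  # Scenario 2: any authenticated app in the tenant gets in
    return 200 if required in token_scopes(claims) else 403


def unprotected_routes():
    """Audit helper: endpoints that any tenant application can reach."""
    return sorted(route for route, scope in ROUTE_SCOPES.items() if scope is None)


if __name__ == "__main__":
    for user, name in ((APP_1_USER, "APP_1"), (APP_2_USER, "APP_2")):
        for method, path in ROUTE_SCOPES:
            print(name, method, path, authorize(method, path, user))
    print("unprotected:", unprotected_routes())
```

Running `unprotected_routes()` over an API's real route table is a quick way to find endpoints that behave as in Scenario 2.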
Basic usage/advantages of API type of application
You can follow the below documentation.
https://developer.mindsphere.io/concepts/concept-authentication.html
https://documentation.mindsphere.io/resources/html/developer-cockpit/en-US/146311759883.html
The following documentation explains how you can secure your application.
https://developer.mindsphere.io/concepts/concept-roles-scopes.html
Notes
For any questions or support in this matter, contact us through the support center.