...

The API supports JWT token authentication from version 11.15.0 onwards.

The standard workflow is:

  1. sign in with your credentials to obtain an access token and a refresh token

  2. send the access token as a Bearer token in the Authorization header when invoking API end points

  3. use the refresh token to obtain a new access token once the previous one has expired

  4. sign out when the refresh token is no longer needed
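
The four steps above as a client-side session object, added here as an example; it is not code from this page or from the product it documents. The flow is driven through an injected transport and a constructed in-memory stand-in for the server, so it runs offline. The endpoint paths, the JSON field names (accessToken, refreshToken), the credential format and the choice to send the refresh token as the Bearer token on the refresh and sign-out calls are all assumptions.

```python
# Endpoint paths and JSON field names below are assumptions; the page does not name them.
SIGN_IN_PATH = "/api/auth/sign-in"
REFRESH_PATH = "/api/auth/refresh"
SIGN_OUT_PATH = "/api/auth/sign-out"


class TokenSession:
    """Client-side holder of the access/refresh pair for the four-step workflow."""

    def __init__(self, transport):
        # transport(method, path, headers, json_body) -> (status, json_body); injected so
        # the flow can be driven offline and tested against a fake server.
        self.transport = transport
        self.access_token = None
        self.refresh_token = None

    @staticmethod
    def _bearer(token):
        return {"Authorization": "Bearer " + token}

    def sign_in(self, username, password):
        # Step 1: exchange credentials for the token pair (credential format assumed).
        status, body = self.transport(
            "POST", SIGN_IN_PATH, {}, {"username": username, "password": password})
        if status != 200:
            raise PermissionError("sign-in refused")
        self.access_token, self.refresh_token = body["accessToken"], body["refreshToken"]

    def call(self, method, path, body=None):
        # Step 2: call the API with the access token; on 401 run step 3 once and retry.
        if self.access_token is None:
            raise PermissionError("not signed in")
        status, data = self.transport(method, path, self._bearer(self.access_token), body)
        if status == 401 and self.refresh_token is not None:
            self.refresh_access()
            status, data = self.transport(method, path, self._bearer(self.access_token), body)
        return status, data

    def refresh_access(self):
        # Step 3: the refresh token is sent as the Bearer token here (assumption).
        status, body = self.transport("POST", REFRESH_PATH, self._bearer(self.refresh_token), None)
        if status != 200:
            self.access_token = self.refresh_token = None
            raise PermissionError("refresh token rejected, sign in again")
        self.access_token = body["accessToken"]

    def sign_out(self):
        # Step 4: invalidate the refresh token server-side and forget both tokens locally.
        self.transport("POST", SIGN_OUT_PATH, self._bearer(self.refresh_token), None)
        self.access_token = self.refresh_token = None


class FakeApi:
    """Constructed in-memory stand-in for the server: opaque tokens, injectable clock."""

    def __init__(self, clock, access_ttl=60):
        self.clock, self.access_ttl = clock, access_ttl
        self.access = {}        # access token -> expiry timestamp
        self.refresh = set()    # refresh tokens that have not been signed out
        self.counter = 0

    def _mint(self, kind):
        self.counter += 1
        return f"{kind}-{self.counter}"

    def _new_access(self):
        token = self._mint("access")
        self.access[token] = self.clock() + self.access_ttl
        return token

    def __call__(self, method, path, headers, body):
        bearer = headers.get("Authorization", "")[len("Bearer "):]
        if path == SIGN_IN_PATH:
            if body != {"username": "alice", "password": "correct horse battery"}:
                return 401, {}
            refresh = self._mint("refresh")
            self.refresh.add(refresh)
            return 200, {"accessToken": self._new_access(), "refreshToken": refresh}
        if path == REFRESH_PATH:
            return (200, {"accessToken": self._new_access()}) if bearer in self.refresh else (401, {})
        if path == SIGN_OUT_PATH:
            self.refresh.discard(bearer)
            return 204, {}
        if self.access.get(bearer, 0) > self.clock():   # expired access tokens get 401
            return 200, {"path": path, "user": "alice"}
        return 401, {}
```

The retry in `call` refreshes at most once per request, so a refresh token that has been signed out (or has itself expired) surfaces as a PermissionError rather than an endless refresh loop; the session then has to start again from step 1.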

Previously, only Basic Authentication was supported by the API. Basic Authentication can still be kept, either alongside token authentication or on its own.

...

The REST API uses JWT tokens (JSON Web Tokens). A JWT is made of three Base64url-encoded strings separated by dots. The three parts are:

  1. header

    The header consists of two parts: the type of the token, which is always JWT, and the hashing algorithm used to build the signature part of the token. These two pieces of information are stored in a JSON object which is Base64url-encoded to form the first part of the token.

    The hash algorithms supported by the REST API are:

    • HS256 (HMAC SHA256)

    • HS384 (HMAC SHA384)

    • HS512 (HMAC SHA512)

    The default is HS256, but it can be changed in the plug-in configuration. All three are HMAC algorithms, so the same secret is used to sign and to verify; a verifier should check tokens against the configured algorithm rather than against whatever the alg field of the header claims.

  2. Payload

    The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. The claims are also stored in a JSON object which is Base64url-encoded.

    1. Registered claim names

      • iat (issued at)

      • iss (issuer)

      • sub (subject, typically the user)

      • exp (expiration time)

      • nbf (not before, optional)

      • jti (JWT ID, only for refresh tokens)

    2. Public claim names (OpenID)

      • name (optional)

      • email (optional)

  3. Signature

    The signature is used to verify that the message was not changed along the way. The secret used to sign the token is not public and can change at any time; the generation of this secret can be configured in the plug-in configuration. The signature is Base64url-encoded as well.

Message Authentication Code (MAC)

...

Query parameter / Signature token

Note

DEPRECATED

To allow the token binary recovery service to be invoked by placing its URL in the src attribute of an HTML img tag (where no Authorization header can be set), this end point also accepts a request parameter: pass the signature token as the value of the atk parameter. Keep in mind that a token carried in a URL can be exposed through server and proxy logs, browser history and the Referer header.

...

  • token: the token to be validated

Responses

  HTTP Code   Definition
  200         Token is valid
  401         Token is invalid

Authentication

This end point can be invoked without authentication, but you can also pass the access or refresh token as a Bearer token in the Authorization header. In that case the bearer token is checked and compared with the token passed as a parameter, and the response is 401 Unauthorized if the two tokens do not match. The expiration of the access token is, however, never verified here, so that a new access token can still be obtained after the previous one has expired.
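
The token layout described above (header, payload, signature), the three HMAC algorithms, the claim list and the token-validation end point's handling of expiration, as one added example written with only the Python standard library. This is not the plug-in's code. Assumed here: the issuer string and token lifetimes, that "conform" means the bearer token and the token parameter are identical strings, and that the end point skips the expiration check for the token parameter as well as for the bearer token, since the page only says that the access token's expiration is never verified. The verifier pins the algorithm from configuration rather than trusting the header's alg field, which is the check that rejects "alg": "none" and downgraded algorithms.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# The three HMAC algorithms the page lists, mapped to their hash functions.
ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class TokenError(Exception):
    """Raised for any token the verifier rejects."""


def b64url_encode(data: bytes) -> str:
    # JWT parts are Base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """header.payload.signature, each part Base64url-encoded, signed with HMAC."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode("ascii"), ALGORITHMS[alg]).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, alg: str = "HS256", check_exp: bool = True, now=None) -> dict:
    """Return the claims if the token is acceptable, else raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("a JWT has exactly three dot-separated parts")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm to the configured one instead of trusting the header:
    # this is what rejects "alg": "none" and downgraded or swapped algorithms.
    if not isinstance(header, dict) or header.get("typ") != "JWT" or header.get("alg") != alg:
        raise TokenError("unexpected header")
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"), ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("signature mismatch")
    if not isinstance(claims, dict) or any(n not in claims for n in ("iat", "iss", "sub", "exp")):
        raise TokenError("missing registered claim")
    now = time.time() if now is None else now
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("token not yet valid")
    if check_exp and now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


def rejects(token: str, secret: bytes, **kwargs) -> bool:
    """True when verify_jwt refuses the token (handy for tests and demos)."""
    try:
        verify_jwt(token, secret, **kwargs)
    except TokenError:
        return True
    return False


def issue_tokens(secret, subject, name=None, email=None, issuer="rest-api",
                 access_ttl=900, refresh_ttl=86400, now=None, alg="HS256"):
    """Access and refresh token pair; issuer and lifetimes are assumed values."""
    now = int(time.time() if now is None else now)
    base = {"iat": now, "iss": issuer, "sub": subject}
    access = dict(base, exp=now + access_ttl)
    if name:
        access["name"] = name    # optional OpenID claims
    if email:
        access["email"] = email
    # jti is set only on the refresh token, as the claim list above says.
    refresh = dict(base, exp=now + refresh_ttl, jti=uuid.uuid4().hex)
    return encode_jwt(access, secret, alg), encode_jwt(refresh, secret, alg)


def check_token_endpoint(token, authorization, secret, now=None) -> int:
    """HTTP status for the token-validation end point (assumed reading of its semantics)."""
    try:
        verify_jwt(token, secret, check_exp=False, now=now)
        if authorization is not None:
            scheme, _, bearer = authorization.partition(" ")
            if scheme != "Bearer" or not bearer:
                raise TokenError("Authorization header is not a bearer token")
            # Expiration of the bearer is deliberately not checked, per the page.
            verify_jwt(bearer, secret, check_exp=False, now=now)
            if not hmac.compare_digest(bearer.encode("utf-8"), token.encode("utf-8")):
                raise TokenError("bearer token does not match the token parameter")
    except TokenError:
        return 401
    return 200
```

Note the order of checks in `verify_jwt`: header pinning and signature verification come before any claim is read, so a forged payload is never acted on, and `check_exp=False` only relaxes the `exp` comparison, never the signature or `nbf` checks.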

...