Security Architecture

The first path that matches is the final authentication result. Any security module may throw exceptions that bypass this behavior, for example BadRequestException, RedirectException or UnauthorizedException.

User and Password

POST /auth

Arguments

Given

1. A valid username.

2. A valid password.

When

1. The route is accessed.

Then

1. The user is authenticated against the security service.

2. Returns a WebSecurityAndToken.

Behaviour

HEAD /auth

Arguments

Given

1. A non empty logout parameter.

When

1. The route is accessed.

Then

1. The user identified by the token cookie is logged off from the security service.

2. Returns a WebSecurityAndToken that signifies the user has been logged off.

API Key

GET | POST | PUT | DELETE /**

Arguments

Given

1. A valid hash of an API key.

2. An user can be impersonated using the API key.

When

1. The route is accessed.

Then

1. Returns a WebSecurityAndToken with a private token that can impersonate the API key owner.

OAuth

GET /oauth/${providerName}

Arguments

Action

1. If the state is valid it will obtain the auth token using the specified code and then redirect the user to the redirectUrl specified in the state parameter. The obtained token is registered with the web token service.

2. If the state or code are invalid it will throw a BadRequestException.

GET | POST | PUT | DELETE /**

Given

1. A provider that can handle the required strategy exists.

2. The refresh token can be used to obtain a valid web token.

When

1. The route is accessed.

Then

1. The new token is obtained and registered with the web token service.

2. Returns a WebSecurityAndToken.

Cookie

GET | POST | PUT | DELETE /**

Given

1. A token that the web token service recognizes.

When

1. The route is accessed.

Then

1. The token can be refreshed if necessary.

2. The token can be validated against the security service.

3. Returns a WebSecurityAndToken.