Security Architecture
Authentication is evaluated as a chain of security modules. The first path that matches yields the final authentication result; later modules are not consulted. Any security module may also throw an exception that bypasses this behaviour altogether, for example BadRequestException, RedirectException or UnauthorizedException.
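The chain semantics above, as an added example that is not part of the original page or the project's code: a minimal Python model in which each security module either matches and returns a result (final), returns None to fall through to the next module, or raises an exception that ends evaluation. The module order, the Request and WebSecurityAndToken shapes, and the in-memory stand-ins for the security service and web token service are assumptions.

```python
# Added example, not the project's code. Models the rule that the first
# matching security module is final and that a raised exception bypasses the
# rest of the chain. Module order, the Request/WebSecurityAndToken shapes and
# the in-memory credential tables are assumptions.
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class BadRequestException(Exception):
    pass


class UnauthorizedException(Exception):
    pass


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class WebSecurityAndToken:
    user: Optional[str]
    token: Optional[str]
    source: str  # which module produced the final result


# Constructed stand-ins for the security service and the web token service.
USERS = {"alice": "correct horse battery staple"}
API_KEYS = {"k-123": "svc-account"}
TOKENS = {"tok-abc": "alice"}

# A module returns a result (final), None (fall through) or raises (abort).
AuthModule = Callable[[Request], Optional[WebSecurityAndToken]]


def user_and_password(req: Request) -> Optional[WebSecurityAndToken]:
    """POST /auth with user and password parameters."""
    if not (req.method == "POST" and req.path == "/auth"):
        return None
    user, password = req.params.get("user"), req.params.get("password")
    if user is None or password is None:
        raise BadRequestException("user and password are required")
    if not secrets.compare_digest(USERS.get(user, "").encode(), password.encode()):
        raise UnauthorizedException("bad credentials")
    token = secrets.token_urlsafe(16)
    TOKENS[token] = user  # register the new token with the web token service
    return WebSecurityAndToken(user, token, "user_and_password")


def api_key(req: Request) -> Optional[WebSecurityAndToken]:
    """X-API-Key header or apiKey parameter on any route."""
    key = req.headers.get("X-API-Key") or req.params.get("apiKey")
    if key is None:
        return None
    owner = API_KEYS.get(key)
    if owner is None:
        raise UnauthorizedException("unknown API key")
    # Private token that impersonates the key owner for this request.
    return WebSecurityAndToken(owner, "private-" + secrets.token_hex(8), "api_key")


def cookie(req: Request) -> Optional[WebSecurityAndToken]:
    """one.erp.rest.auth.token cookie on any route."""
    token = req.cookies.get("one.erp.rest.auth.token")
    if token is None:
        return None
    user = TOKENS.get(token)
    if user is None:
        raise UnauthorizedException("token not recognised by the web token service")
    return WebSecurityAndToken(user, token, "cookie")


CHAIN: List[AuthModule] = [user_and_password, api_key, cookie]


def authenticate(req: Request) -> WebSecurityAndToken:
    """Evaluate modules in order. The first match is the final result;
    a raised exception propagates and later modules never run."""
    for module in CHAIN:
        result = module(req)
        if result is not None:
            return result
    return WebSecurityAndToken(None, None, "anonymous")
```

The point to notice is the third case below: a request carrying an unknown API key and a perfectly good session cookie is rejected, because the API key module raises before the cookie module is ever reached. Under this rule, module order is a security decision, not a convenience.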
User and Password
POST /auth
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
user | Parameter | Yes | |
password | Parameter | Yes | |
locale | Parameter | No | RO |
Given
A valid username.
A valid password.
When
The route is accessed.
Then
The user is authenticated against the security service.
Returns a WebSecurityAndToken.
Behaviour
HEAD /auth
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
logout | Parameter | No | |
one.erp.rest.auth.token | Cookie | No | |
Given
A non-empty logout parameter.
When
The route is accessed.
Then
The user identified by the token cookie is logged off from the security service.
Returns a WebSecurityAndToken that signifies the user has been logged off.
API Key
GET | POST | PUT | DELETE /**
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
apiKey | Parameter | No | |
X-API-Key | Header | No | |
Given
A valid hash of an API key.
A user that can be impersonated using the API key.
When
The route is accessed.
Then
Returns a WebSecurityAndToken with a private token that can impersonate the API key owner.
OAuth
GET /oauth/${providerName}
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
state | Parameter | Yes | |
code | Parameter | Yes | |
Action
If the state is valid, the route obtains the auth token from the provider using the specified code and then redirects the user to the redirectUrl specified in the state parameter. The obtained token is registered with the web token service. If the state or the code is invalid, the route throws a BadRequestException.
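The callback behaviour above, as an added example that is not part of the original page or the project's code: a Python handler for GET /oauth/${providerName} in which state is an HMAC-signed, expiring envelope carrying redirectUrl. A valid state and code yield a token from the provider, the token is registered with the web token service, and the user is redirected; any invalid state or code raises BadRequestException. The state encoding, the signing key, the provider stub, the redirect-host allowlist and the use of RedirectException to carry the redirect are assumptions.

```python
# Added example, not the project's code. Models GET /oauth/<provider>?state=..&code=..
# The state format (b64(payload).b64(hmac)), STATE_KEY, the provider stub,
# the redirect allowlist and RedirectException are assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlparse


class BadRequestException(Exception):
    pass


class RedirectException(Exception):
    """Raised to send the browser elsewhere; carries the target location."""
    def __init__(self, location: str):
        super().__init__(location)
        self.location = location


STATE_KEY = b"constructed-server-side-secret"   # assumption: per-deployment secret
STATE_TTL = 600                                  # seconds a state stays valid
ALLOWED_REDIRECT_HOSTS = {"erp.example.test"}    # assumption: hosts the app may redirect to
WEB_TOKENS: dict = {}                            # token -> provider (web token service stand-in)

# Constructed provider stub: provider -> {authorization code -> access token}.
PROVIDER_CODES = {"github": {"code-42": "gh-access-token"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(redirect_url: str, now: Optional[float] = None) -> str:
    """Build the state when the flow starts: signed payload with redirectUrl and expiry."""
    exp = int((now if now is not None else time.time()) + STATE_TTL)
    payload = json.dumps({"redirectUrl": redirect_url, "exp": exp}).encode()
    sig = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_state(state: str, now: Optional[float] = None) -> dict:
    """Verify signature, expiry and redirect host; any failure is a BadRequestException."""
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        raise BadRequestException("malformed state")
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise BadRequestException("state signature mismatch")
    data = json.loads(payload)
    if data.get("exp", 0) < (now if now is not None else time.time()):
        raise BadRequestException("state expired")
    # Signature proves the server issued it; the host check limits where a
    # redirect may go even if an issued state is replayed from elsewhere.
    if urlparse(data.get("redirectUrl", "")).hostname not in ALLOWED_REDIRECT_HOSTS:
        raise BadRequestException("redirectUrl not allowed")
    return data


def exchange_code(provider: str, code: str) -> str:
    """Stand-in for the provider's token endpoint."""
    token = PROVIDER_CODES.get(provider, {}).get(code)
    if token is None:
        raise BadRequestException("invalid code")
    return token


def oauth_callback(provider: str, params: dict, now: Optional[float] = None) -> None:
    """Handler for GET /oauth/<provider>; ends in RedirectException or BadRequestException."""
    state, code = params.get("state"), params.get("code")
    if state is None or code is None:
        raise BadRequestException("state and code are required")
    data = parse_state(state, now)        # validate state before contacting the provider
    token = exchange_code(provider, code)
    WEB_TOKENS[token] = provider          # register with the web token service
    raise RedirectException(data["redirectUrl"])
```

Two choices here are the ones a reviewer would look for: the state is validated before the code is sent to the provider, so a forged or expired state never triggers a token exchange, and the redirectUrl recovered from the state is checked against an allowlist rather than trusted because it is signed.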
GET | POST | PUT | DELETE /**
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
auth.strategy | Cookie | Yes | |
auth._refresh_token.${providerName} | Cookie | Yes | |
Given
A provider that can handle the required strategy exists.
The refresh token can be used to obtain a valid web token.
When
The route is accessed.
Then
The new token is obtained and registered with the web token service.
Returns a WebSecurityAndToken.
Cookie
GET | POST | PUT | DELETE /**
Arguments
Name | Type | Is Required | Default Value |
---|---|---|---|
one.erp.rest.auth.token | Cookie | Yes | |
one.erp.rest.locale | Cookie | No | RO |
Given
A token that the web token service recognizes.
When
The route is accessed.
Then
The token can be refreshed if necessary.
The token can be validated against the security service.
Returns a WebSecurityAndToken.