...
Each service should identify the user by its api_token, which is returned by the login method or readable via the user's profile. This value should be sent in the Authentication header using the following format:

```
Authentication: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
```
Once the token is available on the secured service, that service should rely on the user service to perform the authorization check rather than interpreting the token itself.
For example, if our service requires that the user has a specific role granted on a specific instance, the check using python requests would look like:
```python
import requests

current_user_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ'
end_point = 'https://user.api.empathybroker.com/user/{token}/is_authorized'
req_params = {'instance': 'my_instance', 'any_of': ['role1', 'role2']}
# req_headers must be a dict (a comma here would build a set, which requests rejects)
req_headers = {'Authentication': 'Bearer {token}'.format(token=current_user_token)}
# the req_headers is mandatory since you must identify yourself to be able to check your credentials
# in order to avoid information disclosure.
response = requests.get(end_point.format(token=current_user_token), params=req_params, headers=req_headers)
response.raise_for_status()  # anything other than a 2xx answer means the check did not succeed
```
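The snippet above shows the single call; what a secured service actually needs is a fail-closed wrapper around it: extract the Bearer token from the incoming request, delegate the decision to the user service, and deny on any transport error or unexpected answer. The following is an added example, not code from the page or from the user service's own SDK. It assumes (the page does not state this) that the is_authorized endpoint answers HTTP 200 with a JSON body `{"authorized": true|false}`; the `fake_user_service` transport and the token `tok-alice` are constructed here purely so the example runs offline.

```python
"""Added example: fail-closed authorization check delegated to the user service.

Assumption (not on the page): is_authorized returns 200 + {"authorized": bool}.
Any other status, a malformed body, or a transport error counts as "denied".
"""
import json
import re

USER_API = 'https://user.api.empathybroker.com/user/{token}/is_authorized'
# The token is opaque to us; we only require the header to be shaped like a Bearer credential.
BEARER_RE = re.compile(r'^Bearer\s+([A-Za-z0-9._~+/=-]+)$')


def extract_token(headers):
    """Return the bearer token carried in the Authentication header, or None."""
    value = headers.get('Authentication')
    if not value:
        return None
    m = BEARER_RE.match(value.strip())
    return m.group(1) if m else None


def build_check(token, instance, any_of):
    """Build the request the secured service sends to the user service (mirrors the page)."""
    return {
        'url': USER_API.format(token=token),
        'params': {'instance': instance, 'any_of': list(any_of)},
        # The caller authenticates itself with the same token, as the page requires.
        'headers': {'Authentication': 'Bearer {}'.format(token)},
    }


def requests_send(url, params, headers, timeout=3.0):
    """Real transport via python requests; imported lazily so the module loads without it."""
    import requests
    resp = requests.get(url, params=params, headers=headers, timeout=timeout)
    return resp.status_code, resp.text


def is_authorized(incoming_headers, instance, any_of, send=requests_send):
    """True only on an explicit positive answer from the user service; False otherwise."""
    token = extract_token(incoming_headers)
    if token is None:
        return False                      # missing or malformed credential
    req = build_check(token, instance, any_of)
    try:
        status, body = send(req['url'], req['params'], req['headers'])
    except Exception:                     # timeout, DNS failure, connection reset ...
        return False                      # never fall open when the user service is unreachable
    if status != 200:
        return False
    try:
        return json.loads(body).get('authorized') is True
    except (ValueError, AttributeError):
        return False                      # non-JSON or non-object body


def fake_user_service(url, params, headers, timeout=3.0):
    """Constructed stand-in for the user service so the example runs offline."""
    token = url.split('/user/')[1].split('/')[0]
    if headers.get('Authentication') != 'Bearer ' + token:
        return 401, '{"error": "unauthenticated"}'
    # Constructed grant table: roles each token holds per instance.
    grants = {'tok-alice': {'my_instance': {'role1'}}}
    held = grants.get(token, {}).get(params['instance'], set())
    return 200, json.dumps({'authorized': bool(held.intersection(params['any_of']))})


if __name__ == '__main__':
    hdrs = {'Authentication': 'Bearer tok-alice'}
    print(is_authorized(hdrs, 'my_instance', ['role1', 'role2'], send=fake_user_service))
```

In production the `send` argument is left at its default so the check goes over the network with a bounded timeout; the injectable transport exists so the deny paths (no header, wrong scheme, unknown token, user service down) can be exercised without reaching the real endpoint.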