Like any other API, there are some methods that must check the user's authorizations before granting or forbidding certain features and data access. To standardize this behaviour, all services must implement their checks in the way this wiki specifies.

user_token

Every user account has an api_token linked to it, created at the moment the user is registered on the system. This token is simply a JSON Web Token (JWT) with the user id embedded.

For the sake of simplicity, the system only uses a single token with a very long expiration date. This decision avoids auth round trips during long-running operations: forcing the client code to re-authenticate and generate a new token every N minutes would make that code far more complex (handling auth-expired errors and so on). In the future the system should be able to handle multiple credentials and temporary tokens.

Service authorization

Each service should identify the user by his api_token, which is returned by the login method or readable via the user's profile. This value should be sent using the header Authentication. The login method of the User Service generates tokens that can be used for authentication with all other services. These tokens have a default expiration time of 1 hour from the moment they are generated and must be renewed (a renewal method that returns a new token to a signed-in user is coming soon). Tokens for special operations or users may have different expiration times.

The user_token value must be sent in the Authorization HTTP header, in the following format:

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
```

Once the token is available in the secured service, that service should rely on the User Service to perform the authorization check.

For example, if our service requires that the user has a specific role granted on a specific instance, the check using Python requests would look like this:

```python
import requests

current_user_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ'
end_point = 'https://user.api.empathybroker.com/user/{token}/is_authorized'
req_params = {'instance': 'my_instance', 'any_of': ['role1', 'role2']}
# A dict (key: value), not a set: a comma here would build a set literal and requests would reject it.
# The header name follows the Authorization format specified above.
req_headers = {'Authorization': 'Bearer {token}'.format(token=current_user_token)}

# req_headers is mandatory since you must identify yourself to be able to check your credentials,
# in order to avoid information disclosure.
response = requests.get(end_point.format(token=current_user_token),
                        params=req_params, headers=req_headers, timeout=5)
response.raise_for_status()  # treat any non-2xx reply as a failed check
```
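As an added example (not the project's own code), the same check wrapped as a fail-closed gate for a secured service: it extracts the Bearer token from the incoming request, refuses malformed headers before calling out, and treats any transport error or non-200 reply as "not authorized". The response body shape `{"authorized": <bool>}` and the `FakeSession` stand-in are assumptions so the block runs offline.

```python
import re
try:
    import requests
except ImportError:  # the offline FakeSession path below does not need requests
    requests = None

USER_SERVICE = 'https://user.api.empathybroker.com'  # host used on this page
# Accept "Bearer <jwt>" only: a JWT is three base64url segments separated by dots.
BEARER_RE = re.compile(r'^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)$')


def extract_bearer_token(headers):
    """Return the JWT from an incoming Authorization header, or None if absent or malformed."""
    match = BEARER_RE.match(headers.get('Authorization', '').strip())
    return match.group(1) if match else None


def is_authorized(token, instance, any_of, session=None, timeout=3.0):
    """Ask the User Service whether the token's user holds any of `any_of` on `instance`.
    Fails closed: missing token, transport error, non-200 reply or an unexpected body
    all count as not authorized. The {"authorized": bool} body is an assumption."""
    if not token:
        return False
    session = session or requests.Session()
    try:
        resp = session.get(
            '{base}/user/{token}/is_authorized'.format(base=USER_SERVICE, token=token),
            params={'instance': instance, 'any_of': any_of},
            headers={'Authorization': 'Bearer {token}'.format(token=token)},  # identify yourself
            timeout=timeout)
        return resp.status_code == 200 and resp.json().get('authorized') is True
    except Exception:  # any failure on the authz path is a deny, never an allow
        return False


def require_any_role(request_headers, instance, any_of, session=None):
    """Gate for a secured endpoint: True only for a well-formed, authorized caller."""
    return is_authorized(extract_bearer_token(request_headers), instance, any_of, session=session)


class FakeSession:
    """Constructed stand-in for requests.Session; records calls and replays a canned reply."""
    def __init__(self, status=200, body=None, error=None):
        self.status, self.body, self.error, self.calls = status, body, error, []

    def get(self, url, params=None, headers=None, timeout=None):
        self.calls.append((url, params, headers))
        if self.error:
            raise self.error
        return type('Resp', (), {'status_code': self.status, 'json': lambda _self: self.body})()
```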