Authentication
Getting Application token
The prerequisite for an application to be authenticated is to get its application token.
To do so, the application has to register itself and explicitly declare the APIs it will be using.
LOGIN_URL = "/api/external/authenticate/app_login"
LOGOUT_URL = "/api/external/authenticate/app_logout"
APP_REGISTER_URL = "/api/external/authenticate/application"
APP_STATUS_URL = "/api/external/application/status"
APPLICATION_AUTH_DATE = "APP_AUTH"
{
"app_id": "my.application.id",
"mandatory_perms":[
],
"optional_perms":[
]
}
The mandatory_perms have to be granted; the optional_perms are the permissions that the application can live without.
Today, all the permissions are granted by default, but a validation step may be added.
Now make the call to register the application:
curl -d '{"app_id": "my.application.id","mandatory_perms":["v6.0.simple_sharing.SimpleSharing", "v6.0.nas_authentication.NasAuth"], "optional_perms":[]}' http://127.0.0.1/api/external/authenticate/application
{"req_id": 1}
This will return the request ID.
Now we have to poll until access is granted or denied:
curl http://127.0.0.1/api/external/authenticate/application/1
{"status": "granted", "token": "39b44a1824fb927ff1a357cc5085895c449a7bbd"}
Now we should store this token. It will be reused many times when requesting an application session.
Today, if the permissions are incorrect, you will get an error when registering.
If the validation mechanism is activated, the status has to be checked by the application. Potential values for the status are
Opening a session
curl http://127.0.0.1/api/external/authenticate/app_login
{"challenge_id": 0, "challenge": "20952265714478"}
Generating the challenge response
challenge_result=`echo -n "$challenge$token" | openssl dgst -sha1 |awk '{print $NF}'`
curl -d "{\"app_id\": \"my.application.id\", \"challenge_id\":$challenge_id, \"secret\": \"$challenge_result\"}" http://127.0.0.1/api/external/authenticate/app_login
{"expiration_date": 1425396107, "session_token": "13dd67b7d646c71f689ce1d235af5435b49ed44c"}
Application
Now we can call the API using the application session_token:
curl -H"Authentication: APP_AUTH ${session_token}" -d "{\"name\": \"MonNouveauShare\"}" http://127.0.0.1/api/external/6.0/simple_sharing.SimpleSharing.create_public_share
{"share": {"__sub_version__": 0, "__version__": 6, "__type__": "Share", "__properties__": {"comment": null, "name": "MonNouveauShare", "nb_users": 0, "enabled": true, "quota": null, "external": false, "nb_groups": 0, "volume_id": 1, "public_access": 3, "id": 4}}}
Remember that a session has an expiration date. If the session expires, the application should reopen a session.
Application User
User authentication requires the user to log in through the webboard.
To do so, the application needs to redirect to the webboard:
/?app_session_token=$app_session_token&app_path=/path_to_the_application
The dashboard will call the app_path URL with the following parameters:
- app_user_status
  If the status equals 1, everything is fine;
  otherwise the application should look at error_id/error_text.
  In older versions, error_id and error_text were not present.
- app_user_token
  The token that should be used in each request for a given user.
- error_id
  Error 6: unknown application token.
  Error 7: token has expired.
  After some time an expired token becomes unknown, so the application should check both error codes.
  If the error is one of the above, the application should reopen a session and restart authentication.
- error_text
  A human-readable error text.
Once the user token is retrieved, the user can make calls to the API. The user will only be allowed to call the services specified by the application,
but will have the rights of the user (admin or regular user):
curl -H"Authentication: APP_AUTH ${session_token}" -H"APP_USER: ${app_user_token}" -d "{}" http://127.0.0.1/api/external/6.0/nas_authentication.NasAuth.mySelf
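The challenge computation and callback handling described above, as an added example that is not part of the original documentation or the product's own code. It builds the app_login body and classifies the webboard callback so that errors 6 and 7 trigger a new session. The function names, the 30-second expiry margin and reading expiration_date as Unix seconds are assumptions.

```python
import hashlib
import json
import time
from urllib.parse import urlsplit, parse_qs

# From the page: 6 = unknown application token, 7 = token has expired.
REAUTH_ERRORS = {6, 7}


def challenge_response(challenge: str, app_token: str) -> str:
    """SHA-1 hex digest of the challenge followed by the application token,
    the same value the openssl pipeline on this page produces."""
    return hashlib.sha1((challenge + app_token).encode("ascii")).hexdigest()


def login_body(app_id: str, challenge_reply: dict, app_token: str) -> str:
    """JSON body for the second app_login call (the one that sends "secret")."""
    return json.dumps({
        "app_id": app_id,
        "challenge_id": challenge_reply["challenge_id"],
        "secret": challenge_response(challenge_reply["challenge"], app_token),
    })


def session_expired(session: dict, now=None, margin: int = 30) -> bool:
    """True once expiration_date is reached or closer than `margin` seconds.
    Assumption: expiration_date is a Unix timestamp in seconds."""
    now = time.time() if now is None else now
    return now >= session["expiration_date"] - margin


def handle_callback(url: str):
    """Classify the webboard's call to app_path.
    Returns ("ok", user_token), ("reauth", error_id) or ("error", text)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("app_user_status") == "1" and q.get("app_user_token"):
        return ("ok", q["app_user_token"])
    error_id = q.get("error_id")
    # Older versions send no error_id; that case falls through to "error".
    if error_id is not None and error_id.isdigit() and int(error_id) in REAUTH_ERRORS:
        return ("reauth", int(error_id))
    return ("error", q.get("error_text", "unknown"))
```

On "reauth" the application discards its session_token, requests a new challenge from app_login and redirects the user to the webboard again.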