blob: 8db2339024b5a4a5400acdfefe724e2b6819a287 [file] [log] [blame]
authAndAuth@openK - Backend REST-Service documentation
:Author: Frank Dietrich
:Date: 2017-07-12
:Revision: 1
:source-highlighter: highlightjs
:highlightjs-theme: solarized_dark
== Base-URL
== Common Features
All services may return the following http status codes:
|Code|Description|Usage within the application
|400|Bad Request|The structure of the request (for example a JSON within a post request) is not correct
|401|Unauthorized|Login-credentials are wrong or there is an invalid session token
|500|Internal Server Error|An unexpected error occurred
If there is a special service behavior regarding the returned http status code, then it will be explained within the service description.
== Protection
The protection of services is implemented by a security token following the JWT (JSON Web Token) specification:
The *“login”*-service provides a JWT, when called with valid user-credentials.
The security token (access token) (which is part of the JWT) has always to be provided with the
HTTP-Header-Parameter "Authorization", in order to access a secured services later on.
=== JSON Web Token
The token has several purposes. A typical client of the Auth&Auth-Service needs to use
the following features:
. *access token* to access functions of a secured service
. *user-information* to get extended information about the own user
. *user-roles* of the own user.
Even though JWT is a defined standard, we only will describe those features inside this document,
which are directly used by the Auth&Auth-Service.
Generally JWT uses *base64-encoding*. The data, that is stored in a token is always
encoded with *base64*.
The data in the examples has been shortened. Real examples would be very long and hard to read.
==== Access token
The *access token* can be directly found in the field "access_token" within the JWT.
==== User-Information/UserRoles
The 2nd part (between the first and the second period *"."* - in this example "'eyBBB'") of the access-token is called the *"access-token-payload"*. When decoded from Base64 it could
look like this:
"name":"Hugo Boss",
The configured roles of the user can be determined from the json array:
* *realm_access"*
user information can be found in the fields:
* *"name"*
* *"perferred_username"*
* *"given_name"*
* *"family_name"*.
== Services
=== Receive Version Information
This service returns the current version of the backend implementation and the version of the database structure.
*URL:* /versionInfo
*Method:* GET
*Produces*: application/json
"backendVersion": "0.1.1-Snapshot"
*Protection*: none
=== Login
This service receives login credentials in order to perform the authentication. If the login succeeds,
it provides a valid JWT, used for accessing other services later on.
*URL:* /login
*Method:* POST
"userName": "Mustermann",
"password": "clearpassword"
*Produces*: application/json
JWT (JSON Web Token)
*Remarks*: See chapter "*JWT*" for detailed informations about the features of the returned token.
=== Logout
This services kills the server session belonging to the the given session token.
*URL:* /logout
*Method:* POST
* Authorization – Existing access token
*Produces*: application/json
=== CheckAuthorization
This services receives a JWT in the "Authorization" Http header and checks, if its still valid.
If it is valid, it resets the inactivity time for that token.
*URL:* /checkAuth
*Method:* GET
* Authorization – Existing access token
*Produces*: application/json
"ret": "OK"
*Remarks*: This service return OK when the provided token is still valid. Otherwise it returns a 401 - "Unauthorized" Http Code.
=== Get user modules for the current user
This service returns the modules for which the user is authorized.
*URL:* /userModulesForUser
*Method:* GET
* Authorization – Existing access token
*Produces*: application/json
*Remarks*: This service checks if the currently logged in user has the role "requiredRole" in its JWT and
returns the modules he is authorized for.
=== Get all users for a specific role
This service returns all users belonging to the specified role.
*URL:* /usersForRole/{userRole}
*Method:* GET
*Path-Parameter*: userRole
* The role name like it is defined in Keycloak
* Authorization Existing access token
*Produces*: application/json
"id": "359ef9c9-77df-4a3d-a9c9-f96d837d2d57",
"createdTimestamp": 1501594173784,
"username": "admin",
"enabled": true,
"totp": false,
"emailVerified": false,
"firstName": "Administrator",
"lastName": "Administratowich",
"realmRoles": [
"disableableCredentialTypes": [
"requiredActions": [],
"access": {
"manageGroupMembership": false,
"view": true,
"mapRoles": false,
"impersonate": false,
"manage": false
"id": "c4b78aa7-91d2-45d7-8ca3-163156d9ee40",
"createdTimestamp": 1501594239066,
"username": "hugo",
"enabled": true,
"totp": false,
"emailVerified": false,
"firstName": "Hugo",
"lastName": "Boss",
"realmRoles": [
"disableableCredentialTypes": [
"requiredActions": [],
"access": {
"manageGroupMembership": false,
"view": true,
"mapRoles": false,
"impersonate": false,
"manage": false
=== Get health state
This service returns the health state of this module.
*URL:* /healthcheck/pretty=true
*Method:* GET
* Authorization none
*Produces*: application/json
If the module is healthy then...
{"Keycloak present":{"healthy":true}}
If the module is *not* healthy...
"Keycloak present":
"message":"<Error message>"