There are two methods of authentication for the REST API, these are:
Basic Authentication (without a challenge)
Token based Authentication
With Basic Authentication, the user and password credentials are passed in with each HTTP request as follows:
$ curl --user username:password
-i -X GET -H "Accept: application/json"
http://localhost:3000/api/services/1013
Note: our version of HTTP Basic does NOT send a WWW-Authenticate challenge. Any clients which autodetect HTTP Basic from a server challenge may fail to send the necessary credentials. This can be worked around by either forcing HTTP Basic authentication if possible, or by manually creating the header:
# base64-encode a (ascii or utf-8) string of "username:password", without a trailing newline
$ echo -n 'username:password' | base64
dXNlcm5hbWU6cGFzc3dvcmQ=
# use it in the header
$ wget -SO- --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' http://localhost:3000/api
However, for multiple REST API calls to the Appliance, it is recommended to use the Token based Authentication. In this approach, the client requests a token for the username/password credentials specified. Then the token is used in lieu of the username/password for each subsequent API call.
Authentication tokens:
Are associated with the user credentials
Provide the necessary identify for RBAC in subsequent REST API calls
Expire after a certain amount of time with no REST API activity - 10 minutes by default.
$ curl --user username:password
-i -X GET -H "Accept: application/json"
http://localhost:3000/api/auth
Response for the Authentication Token Request:
HTTP/1.1 200 OK
Content-Type: application/json
{
"auth_token": "93d98fd44cc5a401ff385ba87b21fd13",
"token_ttl": 600,
"expires_on": "2015-11-02T21:50:16Z"
}
$ curl -i -X GET -H "Accept: application/json"
-H "X-Auth-Token: 93d98fd44cc5a401ff385ba87b21fd13"
http://localhost:3000/api/services/1013
Failed response due to invalid token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Application"
...
When a request fails due to an invalid token, the client would then need to re-authenticate with the user credentials to obtain a new Authentication Token.
While the default duration for a REST API token is 10 minutes, it is not sufficient for UI type clients where the token is needed for sessions that time-out much later.
For such environments, it is possible to request a REST API token to leverage the administrative UI session timeout. This is requested with the requester_type parameter witih the value ui as follows:
$ curl --user username:password
-i X GET -H "Accept: application/json"
http://localhost:3000/api/auth?requester_type=ui
Response for the Authentication Token Request:
HTTP/1.1 200 OK
Content-Type: application/json
{
"auth_token": "8789bcd6562beacbaf9f77927c2825e2",
"token_ttl": 3600,
"expires_on": "2015-11-02T23:24:03Z"
}
When UI based tokens are used in UI sessions, it is common for the UI to need to invalidate an authentication token upon logout. This is made available via the DELETE HTTP method on the token authenticated /api/auth as follows:
$ curl -i -X DELETE -H "Accept: application/json"
-H "X-Auth-Token: 93d98fd44cc5a401ff385ba87b21fd13"
http://localhost:3000/api/auth
Response for the token DELETE request:
HTTP/1.1 204 No Content
| Requester Type | Default Value |
|---|---|
| Configure→Configuration→Advanced | Default |
| 10 minutes | api: → token_ttl: 10.minutes |
| ui | 1 hour |