Login

Invoke the kubernetes-login operation

This RPC can be used for login using a Kubernetes Service Account token.

Request

Request Body schema:
  tenant (required): string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
  service (required): string <name>
  role (required): string <name>
  jwt (required): string

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/kubernetes-login
Request samples
tenant: telco
service: minikube
role: default
jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IlM0WC1vV3lqazFWVnZRNG9QUWg2c2owakItUF9wdzU2NVhBc0c2RE9PbmcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwcC1hLXRva2VuLWY5anBzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFwcC1hIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYWZiNDZkNjAtZWQ3Mi00YTAwLTk5MmYtM2QyYzE5YjMyOGE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXBwLWEifQ.ZMrUeVWV-umxU07WZEYFUcYdSTnVSCvsBQH54yGIOzkWWknNMw9dYwGP9g_lOMwmmSCx0v54q4EAq-2CLsRrct9_zyW7W9oXRDCgr3uyCmzJpH8yUeVmPNHb60kZdP3EmjGIXseUJexd_CO82VCcH-eKdSpjkOaEYsJJ6dAZ451z9DkXQtNX9Ct0NuSbzA9mwDxPcSfjMYn_fBhSwdi-X8V5OxIxkw43V2nzb9nPesKzFxZAIr6JU7qHoUEbznfZZ4j7FbROjOZOloqSiA7TdUu1oEbNWj2zqUHvyWps_Gxl39z_Yl3azY_M6kUeuDbgrLrC4QFX9b1X6nXAkKTLcA
Response samples
token: acd71235-18ec-4035-a4c0-7a79e1bd1ded
expires-in: 2764800
expires: 2022-01-12T15:49:54.078484Z
accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e
creation-time: 2022-01-11T15:49:54.078484Z
renewal-time: 2022-01-11T15:49:54.078484Z
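As an added example (not part of the Avassa API or its documentation), a small Python client for this operation. It assumes a caller-supplied post(path, body) HTTP function, reads the token from the standard in-pod service-account path, and builds a constructed token carrying the request sample's claims so that it can run outside a cluster.

```python
import base64
import json
from typing import Callable, Dict

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # standard in-pod mount

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_sa_jwt() -> str:
    """Constructed token with the same claims as the request sample above. The
    signature is a placeholder: only the server validates it, against the cluster."""
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "kid": "placeholder-kid"}
    claims = {"iss": "kubernetes/serviceaccount",
              "kubernetes.io/serviceaccount/namespace": "default",
              "kubernetes.io/serviceaccount/service-account.name": "app-a",
              "sub": "system:serviceaccount:default:app-a"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"

def sa_token_claims(jwt: str) -> Dict[str, str]:
    """Read the payload without verifying it: useful to log which identity is about
    to be presented, never a substitute for the server's validation."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def read_sa_token(path: str = SA_TOKEN_PATH) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def kubernetes_login(post: Callable[[str, dict], dict], tenant: str, service: str,
                     role: str, jwt: str) -> dict:
    """post(path, body) is the caller's HTTP client and must raise on a non-200 reply.
    All four body fields are required by the schema above."""
    sub = sa_token_claims(jwt).get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError("token is not a Kubernetes service-account token")
    resp = post("/v1/kubernetes-login", {"tenant": tenant, "service": service,
                                         "role": role, "jwt": jwt})
    missing = [k for k in ("token", "expires-in", "accessor") if k not in resp]
    if missing:
        raise ValueError(f"login response missing {missing}")
    return resp
```

Inside a pod, call kubernetes_login(post, tenant, service, role, read_sa_token()); the returned token is the session credential and the accessor is what an operator revokes.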

Invoke the login operation

Authenticate to the system. Providing a tenant is optional if the username is unique in the system.

Request

Request Body schema:
  username (required): string <username>
  password (required): string
  tenant: string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
  otp: string
    Optionally, an OTP can be supplied. If an OTP is required but not provided, an error message saying so is returned.
  cookie: boolean, default false
    When set to true, on successful authentication the token is returned as a cookie named sessionid instead of in the response payload.

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/login
Request samples
username: joe@popcorn-systems.com
password: secret-password
tenant: popcorn-systems
otp: "345789"
cookie: false
Response samples
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
totp-required: true
totp-enabled: true

Invoke the oidc-callback operation

Last step of the OIDC login process. The OIDC server redirects the client to this RPC with the proper state and code. If authentication is successful, a valid token is returned.

Request

Request Body schema:
  state: string
  code: string
  nonce: string

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/oidc-callback
Request samples
state: addbf712-95d1-4058-be82-45b76fc04e5c
code: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
nonce: ee8342cc-7273-4409-99c6-3ca5d894652e
Response samples
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z

Invoke the oidc-login operation

This RPC can be used for login through the OIDC facility. The typical flow from a web backend is:

  1. invoke oidc-login and get a redirect url back
  2. redirect the client to the url from step 1
  3. when the OIDC server is done, it redirects to a callback with code and state as query parameters; invoke oidc-callback with the same code and state
  4. oidc-callback returns a valid token, the same as the login RPC

Note that it is possible to call oidc-login without any parameters. The system will then look for an OIDC configuration at the sys tenant and, if that is missing, for an OIDC config at the edge-provider tenant. If oidc isn't provided, the value default is used.
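The four steps above as a web backend would implement them, as an added Python example (not the project's code). The rpc(path, body) function and the sample_rpc stand-in, which answers with the samples from this page, are assumptions of the example; the point is that a callback is only honoured for a state this backend issued, and only once.

```python
from typing import Callable, Dict
from urllib.parse import parse_qs, urlparse

Rpc = Callable[[str, dict], dict]  # rpc(path, body) -> decoded JSON; raises on non-200

def sample_rpc(path: str, body: dict) -> dict:
    """Constructed stand-in for the real HTTP calls, answering with this page's samples."""
    if path == "/v1/oidc-login":
        return {"url": "http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng"
                       "&response_type=code&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1"
                       "%2Foidc-callback&scope=openid+profile+email+avassa&state=M2Q3MmU5YmMtNDhm"
                       "OC00Njg0LWJmY2YtNDJlYTg2ZmQ2NmZhOmZvby5hY21lLmNvbQ%3D%3D"
                       "&nonce=52b947c5-38de-4fda-95ba-fcaa34f97a5f",
                "terminal-id": "eecfbbef-f61e-4a4f-8f97-1924c089181d",
                "state": "addbf712-95d1-4058-be82-45b76fc04e5c"}
    if path == "/v1/oidc-callback":
        return {"message": "Login succeeded", "token": "09715875-ac45-4ad7-bfad-00eea3949094",
                "expires-in": 1209600}
    raise RuntimeError(f"unexpected path {path}")

class OidcFlow:
    """Remembers each login attempt started through /v1/oidc-login so that only a
    callback carrying a state this backend issued, and not yet used, is accepted."""

    def __init__(self, rpc: Rpc, tenant: str, oidc: str, role: str = "default"):
        self._rpc = rpc
        self._body = {"tenant": tenant, "oidc": oidc, "role": role,
                      "terminal": False, "cookie": False}
        self._pending: Dict[str, str] = {}  # state -> nonce taken from the redirect url

    def start(self) -> str:
        """Steps 1 and 2: obtain the redirect url and record its state before redirecting."""
        resp = self._rpc("/v1/oidc-login", self._body)
        query = parse_qs(urlparse(resp["url"]).query)
        scopes = query.get("scope", [""])[0].split()
        if query.get("response_type") != ["code"] or "openid" not in scopes:
            raise ValueError("redirect url is not an OpenID Connect authorization-code request")
        self._pending[resp["state"]] = query.get("nonce", [""])[0]
        return resp["url"]

    def callback(self, code: str, state: str) -> dict:
        """Steps 3 and 4: accept only a known, single-use state, so a forged or replayed
        callback cannot complete a login, then exchange code and state for a token."""
        nonce = self._pending.pop(state, None)
        if nonce is None:
            raise PermissionError("unknown or already used state")
        if not code:
            raise ValueError("missing authorization code")
        return self._rpc("/v1/oidc-callback", {"state": state, "code": code, "nonce": nonce})
```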

Request

Request Body schema:
  tenant: string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
    Defaults to the system tenant; if no oidc has been configured for the system tenant, defaults to the site provider.
  oidc: string <name>
    Defaults to the value of oidc-settings/default-service.
  role: string <name>
    Defaults to the configured default role.
  terminal: boolean, default false
  cookie: boolean, default false
    When set to true, on successful authentication the token is returned as a cookie named sessionid instead of in the response payload.

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/oidc-login
Request samples
tenant: acme
oidc: qlik
role: default
terminal: false
cookie: false
Response samples
url: http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng&response_type=code&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1%2Foidc-callback&scope=openid+profile+email+avassa&state=M2Q3MmU5YmMtNDhmOC00Njg0LWJmY2YtNDJlYTg2ZmQ2NmZhOmZvby5hY21lLmNvbQ%3D%3D&nonce=52b947c5-38de-4fda-95ba-fcaa34f97a5f
terminal-id: eecfbbef-f61e-4a4f-8f97-1924c089181d
state: addbf712-95d1-4058-be82-45b76fc04e5c

Invoke the passkey-challenge operation

Create a passkey challenge

Request

Request Body schema:
  username (required): string <username>
    The username of the user trying to log in.
  tenant: string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
    Optional; the tenant (organization) the user is associated with.
  terminal-id: string
    Set this only if the request originated from a command-line passkey login request.

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/passkey-challenge
Request samples
username: johndoe
tenant: example-tenant
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23
Response samples
challenge: Z2hXb1pRcU82eHlvbWt1UEFRY2I=
rpId: example.com
allowedCredentials:
  - id: A1B2C3D4E5F6G7H8I9J0
    type: public-key
  - id: H7I8J9K0L1M2N3O4P5Q6
    type: public-key
timeout: 60000

Invoke the passkey-login operation

Initiates passkey login from the command line.

Request

Request Body schema:
  username (required): string <username>
    The username of the user logging in.
  tenant: string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
    Optional; the organization the user is associated with.

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/passkey-login
Request samples
username: johndoe
tenant: example-tenant
Response samples
url: https://login.avassa.io?terminal_id=f5dc5c45-0f7f-477d-8638-7e1398761a23
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23

Invoke the passkey-login-assertion operation

Performs a passkey login with the parameters signed by the browser.

Request

Request Body schema:
  username (required): string <username>
    The username of the user logging in.
  tenant: string <name>, pattern ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
    Optional; the organization the user is associated with.
  credentialId (required): string
    The identifier of the passkey credential used for the login attempt.
  response (required): object

Responses
  200 OK
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  503 Service Unavailable (strongbox sealed)

POST /v1/passkey-login-assertion
Request samples
username: johndoe
tenant: example-tenant
credentialId: A1B2C3D4E5F6G7H8I9J0
response:
  authenticatorData: q2x3fGZvbUdlWGR3dz09YXV0aGVudGljYXRvcg==
  clientDataJSON: eyAiY2hhbGxlbmdlIjogIlpITm1MMEZ1WVc0PSIsICJvcmlnaW4iOiAiaHR0cHM6Ly9leGFtcGxlLmNvbSIsICJ0eXBlIjogIndlYmF1dGhuLmdldCIsICJjcm9zc09yaWdpbiI6IGZhbHNlIH0=
  signature: MEUCIQD2d45ksjdflkj343sldkjflskdfjslkdjf4=
  userHandle: abcd1234
Response samples
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
expires-in: 3600
expires: 2024-09-27T12:34:56Z
accessor: some-accessor-identifier
creation-time: 2024-09-27T11:34:56Z
renewal-time: 2024-09-27T11:34:56Z
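As an added example (not Avassa's implementation, whose server-side checks this page does not describe), the consistency checks a relying party applies to an assertion body before verifying its signature, run against the passkey-challenge and passkey-login-assertion samples above. Because those two samples were not produced for the same ceremony, the check reports a challenge mismatch on them, which is exactly the outcome for a stale or replayed assertion.

```python
import base64
import hmac
import json
from typing import Optional, Tuple

# Constructed copies of the passkey-challenge response and the
# passkey-login-assertion request samples shown on this page.
SAMPLE_ISSUED = {"challenge": "Z2hXb1pRcU82eHlvbWt1UEFRY2I=", "rpId": "example.com",
                 "allowedCredentials": [{"id": "A1B2C3D4E5F6G7H8I9J0", "type": "public-key"},
                                        {"id": "H7I8J9K0L1M2N3O4P5Q6", "type": "public-key"}],
                 "timeout": 60000}
SAMPLE_BODY = {"username": "johndoe", "tenant": "example-tenant",
               "credentialId": "A1B2C3D4E5F6G7H8I9J0",
               "response": {"authenticatorData": "q2x3fGZvbUdlWGR3dz09YXV0aGVudGljYXRvcg==",
                            "clientDataJSON": "eyAiY2hhbGxlbmdlIjogIlpITm1MMEZ1WVc0PSIsICJvcmlnaW4i"
                                              "OiAiaHR0cHM6Ly9leGFtcGxlLmNvbSIsICJ0eXBlIjogIndlYmF1"
                                              "dGhuLmdldCIsICJjcm9zc09yaWdpbiI6IGZhbHNlIH0=",
                            "signature": "MEUCIQD2d45ksjdflkj343sldkjflskdfjslkdjf4=",
                            "userHandle": "abcd1234"}}

def _b64_any(value: str) -> bytes:
    """Decode base64 or base64url, padded or not; WebAuthn clients emit unpadded base64url."""
    value = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(value + "=" * (-len(value) % 4))

def check_assertion(body: dict, issued: dict,
                    expected_origin: Optional[str] = None) -> Tuple[bool, str]:
    """Relying-party consistency checks that precede signature verification. `issued`
    is the passkey-challenge response previously handed to this username."""
    expected_origin = expected_origin or f"https://{issued['rpId']}"
    allowed = {c["id"] for c in issued.get("allowedCredentials", [])}
    if body.get("credentialId") not in allowed:
        return False, "credentialId not among allowedCredentials of this challenge"
    try:
        client_data = json.loads(_b64_any(body["response"]["clientDataJSON"]))
    except (KeyError, TypeError, ValueError):
        return False, "clientDataJSON missing or undecodable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"
    got = _b64_any(client_data.get("challenge", ""))
    if not hmac.compare_digest(got, _b64_any(issued["challenge"])):
        return False, "challenge mismatch"
    return True, "client data consistent; verify signature over authenticatorData next"
```

The signature in the body must still be verified with the stored public key for credentialId over authenticatorData and the hash of clientDataJSON; only after that should the token be issued.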