Login

Invoke the kubernetes-login operation

This endpoint can be used for login using a Kubernetes Service Account token.

Request
Request Body schema:
tenant
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
service
required
string <name>
role
required
string <name>
jwt
required
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/kubernetes-login
Request samples
tenant: telco
service: minikube
role: default
jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IlM0WC1vV3lqazFWVnZRNG9QUWg2c2owakItUF9wdzU2NVhBc0c2RE9PbmcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwcC1hLXRva2VuLWY5anBzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFwcC1hIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYWZiNDZkNjAtZWQ3Mi00YTAwLTk5MmYtM2QyYzE5YjMyOGE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXBwLWEifQ.ZMrUeVWV-umxU07WZEYFUcYdSTnVSCvsBQH54yGIOzkWWknNMw9dYwGP9g_lOMwmmSCx0v54q4EAq-2CLsRrct9_zyW7W9oXRDCgr3uyCmzJpH8yUeVmPNHb60kZdP3EmjGIXseUJexd_CO82VCcH-eKdSpjkOaEYsJJ6dAZ451z9DkXQtNX9Ct0NuSbzA9mwDxPcSfjMYn_fBhSwdi-X8V5OxIxkw43V2nzb9nPesKzFxZAIr6JU7qHoUEbznfZZ4j7FbROjOZOloqSiA7TdUu1oEbNWj2zqUHvyWps_Gxl39z_Yl3azY_M6kUeuDbgrLrC4QFX9b1X6nXAkKTLcA
Response samples
token: acd71235-18ec-4035-a4c0-7a79e1bd1ded
expires-in: 2764800
expires: 2022-01-12T15:49:54.078484Z
accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e
creation-time: 2022-01-11T15:49:54.078484Z
renewal-time: 2022-01-11T15:49:54.078484Z
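The following is an added example of how a workload would prepare the kubernetes-login request; it is not Avassa's client code. It reads the service account token from the standard in-pod mount path, checks the tenant name against the pattern from the schema, and peeks at the token's claims (without verifying them; the server does that) so that a wrong tenant name, a non-service-account token or an expired projected token is caught locally instead of as a 401. The `make_unsigned_test_jwt` helper and the claims it is fed are constructed so the example runs offline.

```python
"""Prepare a POST /v1/kubernetes-login body from an in-pod service account token.

Added example; this is not Avassa's client code. The in-pod token path is the
standard Kubernetes mount, and the tenant name pattern and field names come
from the schema above. The helper that builds an unsigned token exists only so
the example runs offline.
"""
import base64
import json
import re
import time
from typing import Optional

# Tenant name pattern from the request schema.
TENANT_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$")
# Standard mount path of the (projected) service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_jwt_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying its signature.

    This is a client-side sanity check of what is about to be sent; the
    signature is verified by the server against the Kubernetes cluster,
    never by this function.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def build_kubernetes_login(tenant: str, service: str, role: str, jwt: str,
                           now: Optional[float] = None) -> dict:
    """Return the JSON body for POST /v1/kubernetes-login after local checks.

    Rejects tenant names the schema would refuse, tokens whose subject is not
    a service account, and projected tokens that have already expired, so the
    failure is diagnosed before a 401 comes back from the server.
    """
    if not TENANT_NAME_RE.match(tenant):
        raise ValueError(f"tenant {tenant!r} does not match the tenant name pattern")
    claims = peek_jwt_claims(jwt)
    subject = claims.get("sub", "")
    if not subject.startswith("system:serviceaccount:"):
        raise ValueError(f"token subject {subject!r} is not a Kubernetes service account")
    exp = claims.get("exp")  # absent on legacy secret-based tokens, present on projected ones
    if exp is not None and exp <= (now if now is not None else time.time()):
        raise ValueError("service account token has expired; re-read the projected token file")
    return {"tenant": tenant, "service": service, "role": role, "jwt": jwt}


def read_sa_token(path: str = SA_TOKEN_PATH) -> str:
    """Read the token the kubelet projected into the pod.

    Re-read it on every login: projected tokens are rotated by the kubelet.
    """
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def make_unsigned_test_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for offline demonstration only."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    demo = make_unsigned_test_jwt({"iss": "kubernetes/serviceaccount",
                                   "sub": "system:serviceaccount:default:app-a",
                                   "exp": 2_000_000_000})
    print(json.dumps(build_kubernetes_login("telco", "minikube", "default", demo), indent=2))
```

In a pod, replace the demo token with `read_sa_token()`; the body returned by `build_kubernetes_login` is what gets POSTed as JSON to `/v1/kubernetes-login`, and the `token` in the 200 response is then used as the bearer credential for subsequent calls.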

Invoke the login operation

Authenticate to the system. The tenant is optional if the username is unique in the system.

Request
Request Body schema:
username
required
string <username>
password
required
string
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
otp
string

Optionally, an OTP can be supplied. If an OTP is required and not provided, an error message indicating that is returned.

cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/login
Request samples
username: joe@popcorn-systems.com
password: secret-password
tenant: popcorn-systems
otp: "345789"
cookie: false
Response samples
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
totp-required: true
totp-enabled: true
passkey-required: true
passkey-enabled: true
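As an added example (not Avassa's client code), the following builds the login body and unpacks both response shapes described above: the token in the JSON payload, or, when `cookie` is true, in a `Set-Cookie` header named `sessionid`. It also maps the 503 "strongbox sealed" case and the 401/403 cases to distinct exceptions so a caller can tell an unsealed-needed condition from a credential or missing-OTP failure. The shape of the error body (a JSON object with a `message` field) is an assumption; the reference only states that an error message is returned.

```python
"""Build a POST /v1/login body and unpack the two response shapes.

Added example, not Avassa's client code. It relies on the schema above: the
token is either in the JSON payload or, with cookie=true, in a Set-Cookie
header named sessionid. The error-body shape (a JSON object with a "message"
field) is an assumption.
"""
import json
from http.cookies import SimpleCookie
from typing import Optional


class StrongboxSealed(Exception):
    """503: the system is sealed and cannot authenticate anyone until unsealed."""


class AuthenticationFailed(Exception):
    """401/403: wrong credentials, a required OTP missing, or a disallowed role."""


def build_login_body(username: str, password: str, tenant: Optional[str] = None,
                     otp: Optional[str] = None, cookie: bool = False) -> dict:
    body = {"username": username, "password": password, "cookie": cookie}
    if tenant is not None:          # optional when the username is unique system-wide
        body["tenant"] = tenant
    if otp is not None:             # sent as a string, as in the request sample
        body["otp"] = str(otp)
    return body


def _error_message(raw_body: bytes) -> str:
    try:
        return json.loads(raw_body).get("message", raw_body.decode(errors="replace"))
    except (ValueError, AttributeError):
        return raw_body.decode(errors="replace")


def parse_login_response(status: int, headers: dict, raw_body: bytes, cookie: bool) -> dict:
    """Map an HTTP response from /v1/login to a session record.

    `headers` is a name -> value mapping (a list of values is accepted for
    Set-Cookie). Returns the token plus the lifetime/MFA fields from the payload.
    """
    if status == 503:
        raise StrongboxSealed(_error_message(raw_body))
    if status in (401, 403):
        raise AuthenticationFailed(_error_message(raw_body))
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}: {_error_message(raw_body)}")

    data = json.loads(raw_body) if raw_body else {}
    session = {k: data.get(k) for k in ("expires-in", "expires", "accessor",
                                        "creation-time", "renewal-time",
                                        "totp-required", "totp-enabled",
                                        "passkey-required", "passkey-enabled")}
    if cookie:
        # The token is only in the cookie; parse every Set-Cookie value.
        lowered = {k.lower(): v for k, v in headers.items()}
        values = lowered.get("set-cookie", [])
        jar = SimpleCookie()
        for value in ([values] if isinstance(values, str) else values):
            jar.load(value)
        if "sessionid" not in jar:
            raise RuntimeError("cookie mode requested but no sessionid cookie was set")
        session["token"] = jar["sessionid"].value
        session["token-source"] = "cookie"
    else:
        if "token" not in data:
            raise RuntimeError("payload mode but the response carries no token")
        session["token"] = data["token"]
        session["token-source"] = "payload"
    return session
```

A caller that receives `AuthenticationFailed` with an OTP-required message would prompt for the OTP and resend `build_login_body(..., otp=code)`; a `StrongboxSealed` result should not be retried with different credentials, since nothing can log in until the system is unsealed.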

Invoke the oidc-callback operation

This endpoint completes the OpenID Connect (OIDC) authentication process.

Workflow:

  1. After successful authentication, the OIDC provider redirects the client to this endpoint (or an equivalent web backend endpoint that forwards the request).

  2. The request must include the following query parameters:

    • state: A unique value used to prevent CSRF attacks.
    • code: The authorization code used to obtain a token.
    • nonce (optional): A value originally provided by the client to prevent replay attacks.
  3. If authentication is successful, a valid token is returned.

Expected Input:

  • The state and code parameters are required and must match the expected values.
  • The nonce parameter is optional but is verified if present.

Response:

  • A valid authentication token.
  • A message field containing additional information about the authentication result.

Security Considerations:

  • Ensure that the state value is validated to mitigate CSRF attacks.
  • If a nonce was provided during login, it is checked to prevent replay attacks.
  • All input parameters are marked as sensitive and should be handled securely.

This endpoint is typically called by frontend applications or backend services handling the OIDC login flow.

Request
Request Body schema:
state
string
code
string
nonce
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/oidc-callback
Request samples
state: addbf712-95d1-4058-be82-45b76fc04e5c
code: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
nonce: ee8342cc-7273-4409-99c6-3ca5d894652e
Response samples
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z

Invoke the oidc-callback operation

This is the GET form of the oidc-callback operation. The description of the POST form above applies unchanged; the parameters are passed as query parameters instead of in the request body.

Request
Query parameters
fields
string

Retrieve only requested fields from the resource

See section fields

state
string
code
string
nonce
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/oidc-callback
Response samples
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z

Invoke the oidc-login operation

This endpoint initiates an OpenID Connect (OIDC) authentication flow, typically used by web applications to authenticate users.

Workflow:

  1. Invoke oidc-login to obtain a redirect URL.
  2. Redirect the client to the provided URL for authentication with the OIDC provider.
  3. Once authentication is complete, the OIDC provider redirects the client to the configured callback URL, including code, state, and optionally nonce as query parameters. The callback URL may be the oidc-callback endpoint directly, or a callback in the web backend that performs step 4.
  4. Call oidc-callback with these parameters to complete authentication and receive a valid token.

Default Behavior:

  • If no parameters are provided, the system:
    • First checks for an OIDC configuration at the system tenant.
    • If unavailable, it checks the edge-provider tenant.
    • If no OIDC configuration is found, the default value is used.

This endpoint supports login initiation with optional parameters to specify the tenant, OIDC provider, and role.

Request
Request Body schema:
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Defaults to the system tenant; if no OIDC configuration exists for the system tenant, defaults to the site provider.

oidc
string <name>

Defaults to the value of oidc-settings/default-service.

role
string <name>

Defaults to the configured default role.

terminal
boolean
Default: false
cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/oidc-login
Request samples
tenant: acme
oidc: qlik
role: default
terminal: false
cookie: false
Response samples
url: http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng&response_type=code&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1%2Foidc-callback&scope=openid+profile+email+avassa&state=M2Q3MmU5YmMtNDhmOC00Njg0LWJmY2YtNDJlYTg2ZmQ2NmZhOmZvby5hY21lLmNvbQ%3D%3D&nonce=52b947c5-38de-4fda-95ba-fcaa34f97a5f
terminal-id: eecfbbef-f61e-4a4f-8f97-1924c089181d
state: addbf712-95d1-4058-be82-45b76fc04e5c
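The following added example (not Avassa's code) shows the relying-party side of the four-step workflow above, serving both the oidc-login description and the oidc-callback description earlier on this page: it calls oidc-login, records the returned `state` together with the `nonce` found in the redirect URL, and on the provider's redirect refuses any `state` it did not issue or has already consumed before posting `code`, `state` and `nonce` to oidc-callback. The HTTP transport is injected as a callable so the flow runs offline; `demo_transport` is a constructed stand-in that answers with the sample values from the reference, and the in-memory pending-state dict is an assumption in place of a real session store.

```python
"""Relying-party side of the oidc-login -> provider redirect -> oidc-callback flow.

Added example, not Avassa's code. The HTTP transport is injected (a callable
that POSTs JSON to a path and returns the parsed JSON) so the flow runs
offline; field names and the shape of the oidc-login response (url, state,
terminal-id) follow the samples. The pending-state table is an in-memory dict,
an assumption standing in for the backend's session store.
"""
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

Transport = Callable[[str, dict], dict]


class OidcFlow:
    def __init__(self, post: Transport):
        self._post = post
        # state -> what must be remembered to finish the flow (nonce, terminal-id)
        self._pending: Dict[str, dict] = {}

    def begin(self, tenant: Optional[str] = None, oidc: Optional[str] = None,
              role: Optional[str] = None, cookie: bool = False) -> str:
        """Steps 1 and 2: obtain the provider URL and record the state it carries."""
        body: dict = {"cookie": cookie}
        for key, value in (("tenant", tenant), ("oidc", oidc), ("role", role)):
            if value is not None:
                body[key] = value
        resp = self._post("/v1/oidc-login", body)
        # The nonce is only visible inside the redirect URL, so extract it and
        # keep it with the state; oidc-callback verifies it when it is passed on.
        query = parse_qs(urlparse(resp["url"]).query)
        self._pending[resp["state"]] = {
            "nonce": query.get("nonce", [None])[0],
            "terminal-id": resp.get("terminal-id"),
        }
        return resp["url"]

    def complete(self, redirect_query: str) -> dict:
        """Steps 3 and 4: accept the provider redirect and exchange the code for a token.

        The state must be one we issued and still pending; it is consumed here so
        a replayed or forged redirect cannot trigger a second code exchange.
        """
        params = {k: v[0] for k, v in parse_qs(redirect_query).items()}
        state, code = params.get("state"), params.get("code")
        if not state or not code:
            raise ValueError("provider redirect lacks state or code")
        pending = self._pending.pop(state, None)
        if pending is None:
            raise PermissionError("unknown or already-used state; refusing to exchange the code")
        body = {"state": state, "code": code}
        nonce = params.get("nonce") or pending["nonce"]
        if nonce:
            body["nonce"] = nonce
        return self._post("/v1/oidc-callback", body)


def demo_transport(path: str, body: dict) -> dict:
    """Constructed stand-in for the API, answering with the reference's sample values."""
    if path == "/v1/oidc-login":
        return {
            "url": ("http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng"
                    "&response_type=code"
                    "&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1%2Foidc-callback"
                    "&scope=openid+profile+email+avassa"
                    "&state=addbf712-95d1-4058-be82-45b76fc04e5c"
                    "&nonce=ee8342cc-7273-4409-99c6-3ca5d894652e"),
            "terminal-id": "eecfbbef-f61e-4a4f-8f97-1924c089181d",
            "state": "addbf712-95d1-4058-be82-45b76fc04e5c",
        }
    if path == "/v1/oidc-callback":
        if body.get("state") != "addbf712-95d1-4058-be82-45b76fc04e5c":
            return {"message": "Login failed"}
        return {"message": "Login succeeded",
                "token": "09715875-ac45-4ad7-bfad-00eea3949094",
                "expires-in": 1209600}
    raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    flow = OidcFlow(demo_transport)
    print("redirect the user to:", flow.begin(tenant="acme", oidc="qlik"))
    print(flow.complete("code=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng"
                        "&state=addbf712-95d1-4058-be82-45b76fc04e5c"))
```

Consuming the state on first use is what makes the callback single-shot: a second delivery of the same redirect, or a redirect carrying a state this backend never issued, is rejected before any code is sent to oidc-callback.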

Invoke the oidc-validate-state operation

This endpoint validates the integrity of the state parameter before performing any additional redirects during an OpenID Connect (OIDC) authentication flow.

Purpose:

  • The state parameter is used to prevent CSRF attacks and track authentication sessions in OIDC.
  • Some backend implementations may inspect state to determine an additional redirect URL based on its contents, such as a state-addition field.
  • Since the OIDC provider does not verify any such redirect URL, this endpoint can be used to ensure that state remains unchanged before any redirection is executed. An HMAC can also be added so that manipulation of the state is detected; this is configured with the state-hmac-key setting.

Expected Input:

  • state (required): A unique value originally sent in the OIDC authentication request.
  • Additional fields may be present in the request but are ignored.

Response:

  • valid (boolean): Returns true if the state is unchanged, ensuring that no CSRF attack is in progress.

Use Case:

  • When a backend wants to introduce an additional redirect based on the state contents, it can use this endpoint to verify the state before proceeding.
  • This extra validation step helps mitigate CSRF attacks, ensuring that only valid authentication flows proceed.

Request
Request Body schema:
state
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/oidc-validate-state
Request samples
state: addbf712-95d1-4058-be82-45b76fc04e5c
Response samples
valid: true
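To make the state-hmac-key idea concrete, here is an added example (not Avassa's implementation) of an HMAC-tagged state: the issuer binds a per-flow random id and a redirect hint under a keyed MAC, and the validator answers `valid` true or false the way the endpoint above does, rejecting a state whose hint was rewritten, a state issued under a different key, and a state with no tag. The wire format (base64url JSON payload, a dot, then a hex HMAC-SHA256 tag), the `state-addition` field name for the hint, and the key are assumptions or constructed values; `redirect_from_state` adds the second check a backend still needs, an allow-list of hosts it will ever redirect to.

```python
"""HMAC-tagged OIDC state: detect manipulation before acting on a redirect hint.

Added example illustrating the principle behind the state-hmac-key setting
and the valid/invalid answer of oidc-validate-state; it is not Avassa's
implementation. The wire format (base64url JSON payload, ".", hex HMAC-SHA256
tag), the "state-addition" field name and the key are assumptions or
constructed values.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Placeholder for the configured state-hmac-key; a deployment loads it from config.
DEMO_STATE_HMAC_KEY = b"replace-me-with-the-configured-state-hmac-key"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(key: bytes, state_addition: str = "") -> str:
    """Issue a state carrying a per-flow random id plus an optional redirect hint."""
    payload = {"id": secrets.token_hex(16), "state-addition": state_addition}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_state(key: bytes, state: str) -> Tuple[bool, Optional[dict]]:
    """Return (valid, payload). Mirrors the endpoint: valid is False for any state
    whose tag does not match, including states issued under another key."""
    body, sep, tag = state.partition(".")
    if not sep or not body or not tag:
        return False, None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return False, None
    try:
        return True, json.loads(_unb64u(body))
    except (ValueError, UnicodeDecodeError):
        return False, None


def manipulated_copy(state: str, new_addition: str) -> str:
    """Constructed test vector: the hint rewritten but the old tag kept, i.e. what
    a tampered state would look like on arrival. Used to show the check rejecting it."""
    body, _, tag = state.partition(".")
    payload = json.loads(_unb64u(body))
    payload["state-addition"] = new_addition
    new_body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_body}.{tag}"


def redirect_from_state(key: bytes, state: str, allowed_hosts: set) -> Optional[str]:
    """Only redirect to a hint that passed the HMAC check AND points at an allowed
    host: the HMAC proves this backend issued the hint, the allow-list bounds what
    it will ever issue."""
    valid, payload = validate_state(key, state)
    if not valid:
        return None
    target = payload.get("state-addition") or ""
    if urlparse(target).hostname not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    issued = make_state(DEMO_STATE_HMAC_KEY, "https://app.acme.example/dashboard")
    print("issued:", issued)
    print("valid:", validate_state(DEMO_STATE_HMAC_KEY, issued)[0])
    print("valid after manipulation:",
          validate_state(DEMO_STATE_HMAC_KEY, manipulated_copy(issued, "https://elsewhere.example/"))[0])
```

The MAC covers the encoded payload, so any change to the hint invalidates the tag without the backend having to remember each issued state; the random `id` still gives every flow a unique value, which is what the CSRF protection of `state` relies on.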

Invoke the passkey-challenge operation

Creates a passkey challenge.

Request
Request Body schema:
username
required
string <username>

The username of the user trying to log in (mandatory).

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

The tenant (organization) the user is associated with (optional).

terminal-id
string

Set this only when the request originated from a command-line passkey login request.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/passkey-challenge
Request samples
username: johndoe
tenant: example-tenant
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23
Response samples
challenge: Z2hXb1pRcU82eHlvbWt1UEFRY2I=
rpId: example.com
allowedCredentials:
  - id: A1B2C3D4E5F6G7H8I9J0
    type: public-key
  - id: H7I8J9K0L1M2N3O4P5Q6
    type: public-key
timeout: 60000

Invoke the passkey-login operation

Initiates passkey login from the command line.

Request
Request Body schema:
username
required
string <username>

The username of the user logging in.

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

The tenant (optional): the organization the user is associated with.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/passkey-login
Request samples
username: johndoe
tenant: example-tenant
Response samples
url: https://login.avassa.io?terminal_id=f5dc5c45-0f7f-477d-8638-7e1398761a23
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23

Invoke the passkey-login-assertion operation

Performs a passkey login with the parameters signed by the browser.

Request
Request Body schema:
username
required
string <username>

The username of the user logging in.

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

The tenant (optional): the organization the user is associated with.

credentialId
required
string

The identifier of the passkey credential used for the login attempt.

response
required
object

The assertion produced by the authenticator for the issued challenge: authenticatorData, clientDataJSON, signature and userHandle, as in the request sample below.
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/passkey-login-assertion
Request samples
username: johndoe
tenant: example-tenant
credentialId: A1B2C3D4E5F6G7H8I9J0
response:
  authenticatorData: q2x3fGZvbUdlWGR3dz09YXV0aGVudGljYXRvcg==
  clientDataJSON: eyAiY2hhbGxlbmdlIjogIlpITm1MMEZ1WVc0PSIsICJvcmlnaW4iOiAiaHR0cHM6Ly9leGFtcGxlLmNvbSIsICJ0eXBlIjogIndlYmF1dGhuLmdldCIsICJjcm9zc09yaWdpbiI6IGZhbHNlIH0=
  signature: MEUCIQD2d45ksjdflkj343sldkjflskdfjslkdjf4=
  userHandle: abcd1234
Response samples
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
expires-in: 3600
expires: 2024-09-27T12:34:56Z
accessor: some-accessor-identifier
creation-time: 2024-09-27T11:34:56Z
renewal-time: 2024-09-27T11:34:56Z
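The following is an added example, not Avassa's code, of the checks a server performs on a passkey-login-assertion body against the passkey-challenge response it issued, before the signature itself is verified: the `credentialId` must be one of the `allowedCredentials`, `clientDataJSON` must be a `webauthn.get` ceremony for the issued `challenge` from an allowed origin, and `authenticatorData` must carry the SHA-256 of the issued `rpId` with the user-presence flag set. The final step, verifying `signature` over authenticatorData || SHA-256(clientDataJSON) with the credential's registered public key, needs that stored key and is not shown; the function returns the exact bytes that check would verify. `build_demo` constructs a matching challenge and assertion pair (with a placeholder signature); only the field names follow the reference.

```python
"""Server-side checks on a passkey-login-assertion before signature verification.

Added example, not Avassa's code. It applies the WebAuthn assertion checks
(clientDataJSON type, challenge and origin; authenticatorData rpIdHash and
flags; credentialId allow-listing) to the request and challenge shapes
documented above. Verifying `signature` with the stored public key is the
remaining step and is not shown. Sample values are constructed.
"""
import base64
import hashlib
import json
import struct
from typing import Tuple

FLAG_UP = 0x01  # authenticatorData flags: user present
FLAG_UV = 0x04  # authenticatorData flags: user verified


def decode_b64_any(text: str) -> bytes:
    """Accept base64 or base64url, padded or not (the browser returns the
    challenge inside clientDataJSON as unpadded base64url)."""
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(raw: bytes) -> dict:
    # rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional extensions
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    return {"rpIdHash": raw[:32], "flags": raw[32],
            "signCount": struct.unpack(">I", raw[33:37])[0]}


def check_assertion(request: dict, issued: dict, allowed_origins: set,
                    require_uv: bool = False) -> dict:
    """request: the passkey-login-assertion body; issued: the passkey-challenge
    response handed to this user. Raises PermissionError on any mismatch and
    returns the material the signature check still needs."""
    if request["credentialId"] not in {c["id"] for c in issued["allowedCredentials"]}:
        raise PermissionError("credentialId is not one of the allowedCredentials")
    resp = request["response"]
    client_data_raw = decode_b64_any(resp["clientDataJSON"])
    client_data = json.loads(client_data_raw)
    if client_data.get("type") != "webauthn.get":
        raise PermissionError("clientDataJSON.type is not webauthn.get")
    if decode_b64_any(client_data.get("challenge", "")) != decode_b64_any(issued["challenge"]):
        raise PermissionError("challenge does not match the one issued")
    if client_data.get("origin") not in allowed_origins:
        raise PermissionError(f"origin {client_data.get('origin')!r} is not allowed")
    auth_data_raw = decode_b64_any(resp["authenticatorData"])
    auth_data = parse_authenticator_data(auth_data_raw)
    if auth_data["rpIdHash"] != hashlib.sha256(issued["rpId"].encode()).digest():
        raise PermissionError("rpIdHash does not match the issued rpId")
    if not auth_data["flags"] & FLAG_UP:
        raise PermissionError("user presence flag not set")
    if require_uv and not auth_data["flags"] & FLAG_UV:
        raise PermissionError("user verification required but not performed")
    return {
        "credentialId": request["credentialId"],
        "userHandle": resp.get("userHandle"),
        "signCount": auth_data["signCount"],   # compare with the stored counter to spot clones
        # `signature` must verify over exactly these bytes with the credential's public key.
        "signedData": auth_data_raw + hashlib.sha256(client_data_raw).digest(),
    }


def build_demo(rp_id: str = "example.com", origin: str = "https://example.com",
               challenge_b64: str = "Z2hXb1pRcU82eHlvbWt1UEFRY2I=") -> Tuple[dict, dict]:
    """Constructed challenge response and matching assertion request (placeholder signature)."""
    issued = {"challenge": challenge_b64, "rpId": rp_id, "timeout": 60000,
              "allowedCredentials": [{"id": "A1B2C3D4E5F6G7H8I9J0", "type": "public-key"}]}
    client_data = {"type": "webauthn.get", "origin": origin, "crossOrigin": False,
                   "challenge": base64.urlsafe_b64encode(decode_b64_any(challenge_b64)).rstrip(b"=").decode()}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 7)
    request = {"username": "johndoe", "tenant": "example-tenant",
               "credentialId": "A1B2C3D4E5F6G7H8I9J0",
               "response": {"authenticatorData": base64.b64encode(auth_data).decode(),
                            "clientDataJSON": base64.b64encode(json.dumps(client_data).encode()).decode(),
                            "signature": "<not-computed-in-this-example>",
                            "userHandle": "abcd1234"}}
    return request, issued


if __name__ == "__main__":
    req, issued = build_demo()
    out = check_assertion(req, issued, {"https://example.com"}, require_uv=True)
    print({k: v for k, v in out.items() if k != "signedData"}, len(out["signedData"]), "bytes to verify")
```

The challenge comparison decodes both sides because the challenge is handed out as standard base64 in the passkey-challenge response while the browser echoes it back base64url-encoded; comparing the raw bytes avoids a false mismatch on encoding alone. The returned `signCount` should be compared with the counter stored at registration before the login is accepted.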