Login

Invoke the kubernetes-login operation

This RPC logs in using a Kubernetes service account token, which is passed verbatim in the jwt field.

Request
Request Body schema:
tenant
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
service
required
string <name>
role
required
string <name>
jwt
required
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/kubernetes-login
Request samples
tenant: telco
service: minikube
role: default
jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IlM0WC1vV3lqazFWVnZRNG9QUWg2c2owakItUF9wdzU2NVhBc0c2RE9PbmcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwcC1hLXRva2VuLWY5anBzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFwcC1hIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYWZiNDZkNjAtZWQ3Mi00YTAwLTk5MmYtM2QyYzE5YjMyOGE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXBwLWEifQ.ZMrUeVWV-umxU07WZEYFUcYdSTnVSCvsBQH54yGIOzkWWknNMw9dYwGP9g_lOMwmmSCx0v54q4EAq-2CLsRrct9_zyW7W9oXRDCgr3uyCmzJpH8yUeVmPNHb60kZdP3EmjGIXseUJexd_CO82VCcH-eKdSpjkOaEYsJJ6dAZ451z9DkXQtNX9Ct0NuSbzA9mwDxPcSfjMYn_fBhSwdi-X8V5OxIxkw43V2nzb9nPesKzFxZAIr6JU7qHoUEbznfZZ4j7FbROjOZOloqSiA7TdUu1oEbNWj2zqUHvyWps_Gxl39z_Yl3azY_M6kUeuDbgrLrC4QFX9b1X6nXAkKTLcA
Response samples
token: acd71235-18ec-4035-a4c0-7a79e1bd1ded
expires-in: 2764800
expires: 2022-01-12T15:49:54.078484Z
accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e
creation-time: 2022-01-11T15:49:54.078484Z
renewal-time: 2022-01-11T15:49:54.078484Z
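
A small client for the operation above, as an added example (not code from this API page or from the project itself). Assumed for the example: the strongbox base URL, the tenant/service/role values, and the token built by make_sample_token(), which is constructed, unsigned, and exists only so the example runs offline; a real pod reads its projected, cluster-signed token from the default mount path instead.

```python
# Added example, not code from the API page or the project itself: a client
# for POST /v1/kubernetes-login. Assumed: base URL, tenant/service/role values,
# and the constructed, unsigned token from make_sample_token().
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Default mount path of a pod's service-account token in Kubernetes.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

Post = Callable[[str, Dict], Tuple[int, Dict]]  # transport: (url, body) -> (status, json)


def _b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt: str) -> Dict:
    """Payload claims WITHOUT signature verification. The strongbox verifies the
    token; on the client this is only a pre-flight check that we are about to
    send the token we think we are (right namespace and service account)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_subject(jwt: str, namespace: str, sa_name: str) -> bool:
    """True if sub is system:serviceaccount:<namespace>:<sa_name>."""
    return decode_claims(jwt).get("sub") == f"system:serviceaccount:{namespace}:{sa_name}"


def build_request(tenant: str, service: str, role: str, jwt: str) -> Dict[str, str]:
    # Field names exactly as in the request schema.
    return {"tenant": tenant, "service": service, "role": role, "jwt": jwt}


def parse_response(body: Dict, now: float) -> Tuple[str, float]:
    """(token, absolute expiry time) from expires-in (seconds). Tracking the
    deadline lets a long-lived pod renew before the token lapses instead of
    discovering a 401 later."""
    return body["token"], now + int(body["expires-in"])


def kubernetes_login(post: Post, base_url: str, tenant: str, service: str,
                     role: str, jwt: str) -> Dict:
    """POST the login and map the documented status codes to outcomes."""
    status, body = post(base_url + "/v1/kubernetes-login",
                        build_request(tenant, service, role, jwt))
    if status == 200:
        return body
    if status == 503:
        raise RuntimeError("strongbox is sealed; retry after it is unsealed")
    if status in (401, 403):
        raise PermissionError(f"login rejected ({status}): {body}")
    raise RuntimeError(f"unexpected status {status}: {body}")


def http_post(url: str, payload: Dict) -> Tuple[int, Dict]:
    """Real transport: JSON POST, returning (status, decoded body or {})."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:
        raw, status = err.read(), err.code
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {"raw": raw.decode(errors="replace")}


def make_sample_token(namespace: str = "default", sa_name: str = "app-a") -> str:
    """Constructed sample with the same claim names as the page's sample token,
    but unsigned: it exercises the client only and a real strongbox rejects it."""
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    segs = [json.dumps(header).encode(), json.dumps(claims).encode(), b"not-a-real-signature"]
    return ".".join(_b64url_encode(s) for s in segs)


if __name__ == "__main__":
    # Inside a pod: read the projected token and log in against an assumed URL.
    with open(SA_TOKEN_PATH) as fh:
        sa_jwt = fh.read().strip()
    if not check_subject(sa_jwt, "default", "app-a"):
        raise SystemExit("token does not belong to the expected service account")
    resp = kubernetes_login(http_post, "https://strongbox.example:4646",
                            "telco", "minikube", "default", sa_jwt)
    token, deadline = parse_response(resp, time.time())
    print(f"got token with accessor {resp['accessor']}, renew before {time.ctime(deadline)}")
```

The client never verifies the JWT signature itself: that is the strongbox's job, and a client-side check would need the cluster's public keys. What the pre-flight check does catch is the common mistake of mounting the wrong service account into a workload, which otherwise surfaces only as a 401 or 403.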

Invoke the login operation

Authenticate to the system. The tenant is optional if the username is unique in the system.

Request
Request Body schema:
username
required
string <username>
password
required
string
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
otp
string

An OTP can optionally be supplied. If an OTP is required for the account and none is provided, the error response indicates that an OTP is required.

cookie
boolean
Default: false

When set to true, on successful authentication the token is returned as a cookie named sessionid instead of in the response payload.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/login
Request samples
username: joe@popcorn-systems.com
password: secret-password
tenant: popcorn-systems
otp: "345789"
cookie: false
Response samples
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
totp-required: true
totp-enabled: true

Invoke the oidc-callback operation

Last step of the OIDC login process. The OIDC provider redirects the client to this RPC with the code and the state issued during oidc-login. If authentication succeeds, a valid token is returned.

Request
Request Body schema:
state
string
code
string
nonce
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/oidc-callback
Request samples
state: addbf712-95d1-4058-be82-45b76fc04e5c
code: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
nonce: ee8342cc-7273-4409-99c6-3ca5d894652e
Response samples
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z

Invoke the oidc-login operation

This RPC starts a login through the OIDC facility. The typical flow from a web backend is:

  1. invoke oidc-login and get a redirect URL back
  2. redirect the client (browser) to the URL from step 1
  3. when the OIDC provider is done it redirects to the callback with code and state as query parameters; invoke oidc-callback with that same code and state
  4. oidc-callback returns a valid token, the same as the login RPC

Note that oidc-login can be called without any parameters. The system then looks for an OIDC configuration on the sys tenant and, if none is found, on the edge-provider tenant. If oidc is not given, the value default is used.
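
The backend side of the four steps above, as an added example (not code from this API page or from the project itself). Assumed for the example: pending login attempts are kept in an in-memory dict, the strongbox base URL and the HTTP transport are injected, and PENDING_TTL is an illustrative value; the sample responses used when running it are constructed to match the shapes shown on this page.

```python
# Added example, not code from the API page or the project itself: the
# web-backend side of the oidc-login / oidc-callback flow. Assumed: in-memory
# pending logins, injected base URL and transport, illustrative PENDING_TTL.
import time
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

Post = Callable[[str, Dict], Tuple[int, Dict]]  # (url, json body) -> (status, json)
PENDING_TTL = 300  # seconds a started login may stay open before it is dropped


def _first(qs: Dict, key: str) -> Optional[str]:
    return qs.get(key, [None])[0]


class OidcBackend:
    def __init__(self, post: Post, base_url: str, clock=time.time):
        self._post = post
        self._base = base_url
        self._clock = clock
        self._pending: Dict[str, Dict] = {}  # state -> {"nonce": ..., "created": ...}

    def start_login(self, tenant: Optional[str] = None, oidc: Optional[str] = None,
                    role: Optional[str] = None) -> str:
        """Steps 1 and 2: call oidc-login, remember the attempt, and return the
        URL the browser must be redirected to (use it as returned, never rebuild it)."""
        body = {k: v for k, v in (("tenant", tenant), ("oidc", oidc), ("role", role))
                if v is not None}
        status, resp = self._post(self._base + "/v1/oidc-login", body)
        if status != 200:
            raise RuntimeError(f"oidc-login failed: {status} {resp}")
        url = resp["url"]
        # The provider echoes back the state carried in the redirect URL, and the
        # nonce appears only there, so both are taken from the URL's query string.
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        state, nonce = _first(qs, "state"), _first(qs, "nonce")
        if not state:
            raise RuntimeError("oidc-login returned a URL without a state parameter")
        self._pending[state] = {"nonce": nonce, "created": self._clock()}
        return url

    def handle_callback(self, query: str) -> Dict:
        """Steps 3 and 4: the provider redirected back with ?code=...&state=...
        Accept only a state this backend issued, still fresh and never used
        before; otherwise an attacker can finish a login they started (login CSRF)."""
        qs = urllib.parse.parse_qs(query)
        state, code = _first(qs, "state"), _first(qs, "code")
        if not state or not code:
            raise PermissionError("callback is missing code or state")
        pending = self._pending.pop(state, None)  # single use: pop, never get
        if pending is None:
            raise PermissionError("unknown or already used state")
        if self._clock() - pending["created"] > PENDING_TTL:
            raise PermissionError("login attempt expired")
        body = {"state": state, "code": code}
        if pending["nonce"]:
            body["nonce"] = pending["nonce"]
        status, resp = self._post(self._base + "/v1/oidc-callback", body)
        if status != 200:
            raise PermissionError(f"oidc-callback rejected: {status} {resp}")
        return resp  # token, expires-in, accessor, ... exactly as for /v1/login
```

The state check is the part that matters: the callback endpoint is reachable by anyone who can make the user's browser follow a link, so a state that was not issued by this backend, or has already been consumed, must fail before oidc-callback is ever called. Binding the pending state to the user's browser session as well (for instance by storing it alongside a session cookie) is the usual next hardening step.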

Request
Request Body schema:
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Defaults to the system tenant; if no OIDC configuration exists for the system tenant, the site provider tenant is used.

oidc
string <name>

Defaults to the value of oidc-settings/default-service.

role
string <name>

Defaults to the configured default role.

terminal
boolean
Default: false
cookie
boolean
Default: false

When set to true, on successful authentication the token is returned as a cookie named sessionid instead of in the response payload.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/oidc-login
Request samples
tenant: acme
oidc: qlik
role: default
terminal: false
cookie: false
Response samples
url: http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng&response_type=code&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1%2Foidc-callback&scope=openid+profile+email+avassa&state=M2Q3MmU5YmMtNDhmOC00Njg0LWJmY2YtNDJlYTg2ZmQ2NmZhOmZvby5hY21lLmNvbQ%3D%3D&nonce=52b947c5-38de-4fda-95ba-fcaa34f97a5f
terminal-id: eecfbbef-f61e-4a4f-8f97-1924c089181d
state: addbf712-95d1-4058-be82-45b76fc04e5c