Http API + Authentication


(Jens) #1

That's a great new feature.
Can you post a snippet of the 3rd part of the introduction post or an example of a valid IAuthenticationManager implementation, please?

I'm not sure how I have to use the IApiSession, how to handle the request, and what to do with the response.

(antonk) #3

Sorry for a way too belated answer.

There are 2 built-in auth managers:

  • RemObjects.SDK.Server\HttpApi\Implementation\ApiDefaultAuthenticationManager.cs
  • RemObjects.SDK.Server\HttpApi\Implementation\ApiSimpleAuthenticationManager.cs

The first one is used by default. It does literally nothing in terms of authentication.

Let’s take a closer look at the ApiSimpleAuthenticationManager manager.

It provides 4 methods: ReadAuthenticationInfo, WriteAuthenticationInfo, DescribeServerSecurity, DescribeMethodSecurity.

Methods DescribeServerSecurity and DescribeMethodSecurity are used when the OpenAPI (Swagger) server metadata is generated.

You'll need to refer to the OpenAPI format definition if you need to provide your own customized securityDefinitions and security tags. For the usual approach where auth info is passed via a Http header you can reuse the existing implementation code.

The ReadAuthenticationInfo method analyzes the incoming request and extracts session info from it. The existing implementation just reads the value of the Access-Token Http header and uses it as a session Id, leaving the rest of the work to the session manager.

For a more sophisticated case like JWT sessions this method would have to extract the header value, decode it as a JWT-encoded session, put this session into the session manager (no worries, this is an incredibly fast operation for the memory session manager) and then return the IApiSession instance.

The WriteAuthenticationInfo method just writes the current session id into the response headers.

In a JWT case one would have to encode the session, put it into the header and then remove the session from the session manager.

IApiSession provides 2 fields:

  • ClientToken - actual value of the client token in the request (f.e. an OAuth token). Not used atm and most probably will be removed in the v10
  • SessionId - id of the corresponding RO SDK session

So the auth scenario for the Simple auth manager is:

  1. Client calls a LogIn method and gets back the access token. This token can be sent as a result of the LogIn method (in this case a separate LogIn method will be required for HttpAPI) or it can be extracted client-side from response headers (if the communication lib used allows this).

  2. Client adds this access token to all subsequent calls as the Http header value "Access-Token".

– Note: I’ll log an issue to make the auth header name configurable
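The Access-Token flow described in the post above, as an added example that is not code from RemObjects or the thread. The interface shapes (IApiSession, IApiSessionStore, the header collections passed in) are assumptions chosen to keep the snippet self-contained; the real SDK signatures differ. The point it adds is that a header value should be validated and resolved against the session store, and an unknown or malformed token should yield "no session" rather than being trusted.

```csharp
using System;
using System.Net;

// Assumed, simplified shapes of the SDK types discussed in the thread (not the real RemObjects API).
public interface IApiSession
{
    string ClientToken { get; }   // client token from the request (see the thread)
    Guid SessionId { get; }       // id of the corresponding RO SDK session
}

public interface IApiSessionStore
{
    IApiSession Find(Guid sessionId);   // returns null for unknown or expired sessions
}

public class HeaderAuthenticationManager
{
    public const string HeaderName = "Access-Token";   // header name used by the simple manager

    private readonly IApiSessionStore _sessions;

    public HeaderAuthenticationManager(IApiSessionStore sessions)
    {
        _sessions = sessions;
    }

    // Extracts the session from the incoming request headers.
    // Returns null when no valid session is found, so the caller treats the
    // request as unauthenticated instead of trusting whatever the header contains.
    public IApiSession ReadAuthenticationInfo(WebHeaderCollection requestHeaders)
    {
        string raw = requestHeaders[HeaderName];
        if (string.IsNullOrWhiteSpace(raw))
            return null;

        // Reject anything that is not a well-formed session id before it reaches the store.
        if (!Guid.TryParseExact(raw.Trim(), "D", out Guid sessionId))
            return null;

        return _sessions.Find(sessionId);
    }

    // Writes the current session id back into the response headers (step 1 of the scenario).
    public void WriteAuthenticationInfo(IApiSession session, WebHeaderCollection responseHeaders)
    {
        if (session == null)
            return;
        responseHeaders[HeaderName] = session.SessionId.ToString("D");
    }
}
```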

(RemObjects) #4

Thanks, logged as bugs://81704