Commit
Merge pull request #379 from 2600hz/KAZOO-2563
Kazoo 2563
Showing 5 changed files with 193 additions and 85 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
/* | ||
Section: APIs | ||
Title: Token Authentication | ||
Language: en-US | ||
*/ | ||
|
||
Authentication tokens are generated using one of the authentication endpoints exposed by Crossbar. See [User Authentication](./user_authentication.md) and [API Authentication](./api_authentication.md) as examples of generating authentication tokens. | ||
|
||
Once you have an authentication token, you can access various Crossbar resource endpoints to manipulate the system or your account (provided you have the access). | ||
|
||
Authentication tokens refresh their pvt\_modified timestamp each time they are used in an API request. Once an authentication token's pvt\_modified timestamp has passed a configurable timeout (usually one hour), it is automatically cleaned up by the system and no longer valid. | ||
|
||
## Token Restrictions | ||
|
||
The authentication token can be created with restrictions on what resource URIs (and HTTP methods) can be accessed by the requestor. This payload is added to the authentication payload used in any of the authentication methods provided ([User](./user_authentication.md), [API](./api_authentication.md), etc). | ||
|
||
For example, when creating an authentication token via [API key](./api_authentication.md), include the following object to restrict the resultant authentication token to read-only: | ||
|
||
{"data":{ | ||
"api_key":"{API_KEY}" | ||
,"restrictions":{ | ||
"get":["#"] | ||
} | ||
} | ||
} | ||
|
||
AMQP binding tokens are used (`#` and `*`) to denote wildcards. An example with more fine-grained restrictions: | ||
|
||
{"data":{ | ||
"api_key":"{API_KEY}" | ||
,"restrictions":{ | ||
"get":[ | ||
"accounts/{ACCOUNT_ID}/users" | ||
,"accounts/{ACCOUNT_ID}/users/*" | ||
,"accounts/{ACCOUNT_ID}/users/*/*" | ||
] | ||
"put":[ | ||
"accounts/{ACCOUNT_ID}/users" | ||
] | ||
,"post":[ | ||
"accounts/{ACCOUNT_ID}/users/*" | ||
] | ||
,"delete":[ | ||
"accounts/{ACCOUNT_ID}/users/*" | ||
] | ||
} | ||
} | ||
} | ||
|
||
This would restrict the authentication token to only be able to access {ACCOUNT_ID}'s users resource and perform all of the CRUD actions (as well as quickcall and channel listings for a user). We can simply this restrictions object by using `*` for the method and `#` to match any URI with `/users`: | ||
|
||
{"data":{ | ||
"api_key":"{API_KEY}" | ||
,"restrictions":{ | ||
"*":["accounts/{ACCOUNT_ID}/users/#"] | ||
} | ||
} | ||
} | ||
|
||
Here the `#` matches 0 or more segments after `/users`. | ||
|
||
## API Endpoint | ||
|
||
URL segment: `/token_auth` | ||
|
||
## Sample cURL Requests | ||
|
||
### Delete an authentication token | ||
|
||
If you'd like to invalidate an authentication token programmatically (versus letting the system expire the token), you can issue a `DELETE`: | ||
|
||
curl -v -X DELETE -H "X-Auth-Token: {AUTH_TOKEN}" http://server.com:8000/v1/token_auth |
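Review bot: The second restrictions example is not valid JSON: the `"get"` array closes with `]` and the next line starts `"put":[` without the leading comma that `"post"` and `"delete"` carry, so anyone pasting it into a request gets a parse error; add `,` before `"put"`. The paragraph after it presents `"*":["accounts/{ACCOUNT_ID}/users/#"]` as a simplification of that example, but it grants more: the explicit form allows PUT only on `users` and POST/DELETE only on `users/*`, while the wildcard form allows every method at any depth under `users`. The text should describe it as a broader grant, not an equivalent one, so readers scoping a token do not over-permit by accident. Minor: "We can simply this restrictions object" should read "simplify", and the cURL sample sends `X-Auth-Token` to an `http://` URL, which is worth changing to `https://` in documentation that readers copy from.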
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,7 @@ | ||
/* | ||
Section: APIs | ||
Title: User Authentication | ||
Language: en-US | ||
*/ | ||
|
||
# Generating an auth token from credentials | ||
|