CFID-374: Add password strength API to UAA API doc.

Also corrected 1.1.0 release notes and updated the readme to add Vidya to
the team list and replace the reference to cf-id mailing list with the
vcap-dev google group URL.

Moved "token_key" endpoint API doc out of user management section.

Change-Id: I750654b56b52484de532a324fa92e3cbcae03902
commit c68ad475b2f94445ef5b83c40473e30f7e0034a4 1 parent a2a417f
@tekul tekul authored
Showing with 62 additions and 30 deletions.
  1. +6 −5 README.md
  2. +53 −23 docs/UAA-APIs.rst
  3. +3 −2 docs/releases/1.1.0.md
11 README.md
@@ -16,7 +16,8 @@ clients, as well as various other management functions.
* Dave Syer (`dsyer@vmware.com`)
* Luke Taylor (`ltaylor@vmware.com`)
* Joel D'Sa (`jdsa@vmware.com`)
-* Team mailing list: `cf-id@vmware.com`
+ * Vidya Valmikinathan
+* Technical forum: [vcap-dev google group](https://groups.google.com/a/cloudfoundry.org/forum/?fromgroups#!forum/vcap-dev)
* Docs: [docs/](https://github.com/cloudfoundry/uaa/tree/master/docs)
## Quick Start
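Review bot: the new entry on the `+ * Vidya Valmikinathan` line is indented one space further than the other team members and is the only one without a contact address; drop the leading space and follow the surrounding `* Name (`email`)` pattern so the list renders uniformly.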
@@ -88,7 +89,7 @@ You will be prompted for the client secret (`appclientsecret`), and
then you should see your username and the client id of the original
token grant on stdout, e.g.
- id: 6e1ac414-f446-4869-9b41-41f1f41b96df
+ id: 6e1ac414-f446-4869-9b41-41f1f41b96df
resource-ids:
- tokens
- openid
@@ -466,10 +467,10 @@ default in the UAA only if there are no active Spring profiles (so not
at all in `vcap`). In the UAA you can find the registation in the
`oauth-clients.xml` config file. Here's a summary:
- id: login
- secret: loginsecret
+ id: login
+ secret: loginsecret
authorized-grant-types: client_credentials
- authorities: ROLE_LOGIN
+ authorities: ROLE_LOGIN
resource-ids: oauth
### Use Cases
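Review bot: while re-indenting this block, the context line just above it still reads "registation" ("In the UAA you can find the registation in the `oauth-clients.xml` config file"); correct it to "registration" in the same commit since the surrounding lines are already being touched.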
76 docs/UAA-APIs.rst
@@ -77,7 +77,7 @@ Browser Requests Code: ``GET /oauth/authorize``
HTTP/1.1 302 Found
Location: https://www.cloudfoundry.example.com?code=F45jH
-
+
* Response Codes::
302 - Found
@@ -135,7 +135,7 @@ All requests to this endpoint MUST be over SSL.
HTTP/1.1 302 Found
Location: oauth:redirecturi#access_token=2YotnFZFEjr1zCsicMWpAA&token_type=bearer
-
+
* Response Codes::
302 - Found
@@ -184,7 +184,7 @@ This endpoint mirrors the OpenID Connect ``/check_id`` endpoint, so not very RES
"user_name":"marissa",
"client_id":"vmc"
}
-
+
Notes:
* The ``user_name`` is the same as you get from the `OpenID Connect`_ ``/userinfo`` endpoint. The ``id`` field is the same as you would use to get the full user profile from ``/User``.
@@ -235,7 +235,7 @@ Login Information API: ``GET /login``
---------------------------------------
An endpoint which returns login information, e.g prompts for authorization codes or one-time passwords. This allows vmc to determine what login information it should collect from the user.
-
+
This call will be unauthenticated.
================ ===============================================
@@ -357,7 +357,7 @@ See `SCIM - Modifying with PUT <http://www.simplecloud.info/specs/draft-scim-res
}
],
"meta":{
- "version":2,
+ "version":2,
"created":"2011-11-30T21:11:30.000Z",
"lastModified":"2011-12-30T21:11:30.000Z"
}
@@ -458,30 +458,35 @@ Deleting accounts is handled in the back end logically using the `active` flag,
* Request: ``GET /Users?attributes=id,userName&filter=userName co 'bjensen' and active eq false``
* Response Body: list of users matching the filter
-Get the Token Signing Key: ``GET /token_key``
------------------------------------------------
-An endpoint which returns the JWT token key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that the key came from the UAA.
-
-This call is authenticated with client credentials using the HTTP Basic method.
+Query the strength of a password: ``POST /password/score``
+-----------------------------------------------------------
-================ ==========================================
-Request ``GET /token_key``
-Request body *empty*
-Response body *example* ::
+The password strength API is not part of SCIM but is provided as a service to allow user management applications to use the same password quality
+checking mechanism as the UAA itself. Rather than specifying a set of rules based on the included character types (upper and lower case, digits, symbols etc), the UAA
+exposes this API which accepts a candidate password and returns a JSON message containing a simple numeric score (between 0 and 10) and a required score
+(one which is acceptable to the UAA). The score is based on a calculation using the ideas from the `zxcvbn project`_
- HTTP/1.1 200 OK
- Content-Type: text/plain
+.. zxcvbn project: http://tech.dropbox.com/?p=165
- {alg:HMACSHA256, value:FYSDKJHfgdUydsFJSHDFKAJHDSF}
+The use of this API does not guarantee that a password is strong (it is currently limited to English dictionary searches, for example), but it will protect against some of
+the worst choices that people make and will not unnecessarily penalise strong passwords.
+
+* Request: ``POST /password/score
+
+ POST /password/score HTTP/1.1
+ Host: uaa.example.com
+ Content-Type: application/x-www-form-encoded
+
+ password=password1
+
+* Response
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+
+ {"score": 0, "requiredScore": 5}
-================ ==========================================
-The algorithm ("alg") tells the caller how to use the value (it is the
-result of algorithm method in the `Signer` implementation used in the
-token endpoint). In this case it is an HMAC (symmetric) key, but you
-might also see an asymmetric RSA public key with algorithm
-"SHA256withRSA").
Access Token Administration APIs
=================================
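Review bot: the request example for the new endpoint has two defects: the `* Request: ``POST /password/score` line never closes its inline literal (add the trailing ``), and `Content-Type: application/x-www-form-encoded` should be `application/x-www-form-urlencoded`, the registered media type for a `password=password1` form body. The hyperlink target `.. zxcvbn project: http://tech.dropbox.com/?p=165` also needs the leading underscore (`.. _zxcvbn project:`) or the `zxcvbn project`_ reference in the preceding paragraph will not resolve, and that paragraph is missing its final period. Finally, the section this text replaces stated how it was authenticated ("This call is authenticated with client credentials using the HTTP Basic method"); the new section says nothing about whether `POST /password/score` requires client credentials or is open, and since the candidate password travels in the request body it should also say whether the value is logged or retained. Please document both.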
@@ -548,6 +553,31 @@ Revoke Token by Client: ``DELETE /oauth/clients/{client_id}/tokens/{jti}``
HTTP/1.1 204 NO_CONTENT
+Get the Token Signing Key: ``GET /token_key``
+-----------------------------------------------
+
+An endpoint which returns the JWT token key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA.
+
+This call is authenticated with client credentials using the HTTP Basic method.
+
+================ ==========================================
+Request ``GET /token_key``
+Request body *empty*
+Response body *example* ::
+
+ HTTP/1.1 200 OK
+ Content-Type: text/plain
+
+ {alg:HMACSHA256, value:FYSDKJHfgdUydsFJSHDFKAJHDSF}
+
+================ ==========================================
+
+The algorithm ("alg") tells the caller how to use the value (it is the
+result of algorithm method in the `Signer` implementation used in the
+token endpoint). In this case it is an HMAC (symmetric) key, but you
+might also see an asymmetric RSA public key with algorithm
+"SHA256withRSA").
+
Client Registration Administration APIs
========================================
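Review bot: the example response body `{alg:HMACSHA256, value:FYSDKJHfgdUydsFJSHDFKAJHDSF}` is not valid JSON (keys and values are unquoted) yet the surrounding text treats it as a key/value document served as `text/plain`; either quote it as `{"alg":"HMACSHA256","value":"..."}` with `Content-Type: application/json`, or state explicitly that the body is not JSON. In the paragraph below, "result of algorithm method" should read "result of the `algorithm()` method", and `"SHA256withRSA").` closes a parenthesis that was never opened. Since the HMAC case hands a symmetric key to the caller, the text should also note that any client authorized for this endpoint can produce signatures the UAA will accept, so the client credentials permitted here should be limited to trusted resource servers.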
5 docs/releases/1.1.0.md
@@ -18,8 +18,9 @@ the scope of a token acquired on behalf of a user, as long as they are
permitted to the client.
* Password strength endpoint: POST a candidate password value to
-`/password?password={value}` and get back a strength score. The
-target strength is not yet enforced for new account creation.
+`/password/score` with a from parameter called `password` and get
+back a JSON response containing `score` and `requiredScore` values . The
+required strength score is not yet enforced for new account creation.
* Client web applications can ask for a redirect after logging out of
the UAA
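Review bot: "with a from parameter called `password`" should read "form parameter", and "`requiredScore` values ." has a stray space before the period. The path `/password/score` does match the API doc changed in this commit.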