
Issuing temporary access tokens

Joerg Boeselt edited this page Apr 17, 2018 · 10 revisions

Introduction

You can create a temporary token for basic authentication associated with a specific user. A great use-case for this function is the creation of temporary authentication tokens by a trusted resource, such as an LMS that is used to launch activities that communicate directly with lxHive.

Here is an example workflow that we had in mind: [Figure: LMS-LRS workflow]

Endpoint

The access token endpoint is available at /auth/tokens.

CRUD

Every CRUD verb is supported (PUT currently behaves identically to POST). Every request must be authenticated with an existing token (via Basic authentication or OAuth) that carries the super permission; an ordinary xAPI client token cannot issue, inspect or delete tokens.

POST

The full JSON body for the POST request (with every parameter supplied) looks like this.

Request
{
    "user": {
        "email": "john@example.com",
        "password": "test",
        "permissions": [
            "statements/read",
            ...
        ]
    },
    "name": "Test",
    "description": "A test token.",
    "expiresAt": "2015-05-05T12:00:00Z",
    "scopes": [
        "statements/read",
        ...
    ]
}

The only strictly required parameter is user.email. If no user with that email exists, one is created.

Please note: if you omit user.password, the user will not be able to log in via OAuth; the user can then only act through tokens issued by this endpoint.

The permissions array uses the scope names defined in the xAPI spec, with two lxHive-specific additions:

  • super: enables administration
  • attachments: enables uploading attachments

expiresAt accepts either an ISO 8601 conformant string or a unix timestamp.

If expiresAt is omitted, the token expires after 3600 seconds (1 hour) (#222). A newly created user gets the permission all by default, which grants access to every xAPI endpoint. For a token handed to a launched activity, set scopes explicitly to the minimum the activity needs instead of relying on that default.

Response
{
  "key": "aps8ULsOYw63pv5Yl7RNhwlsaqIGbshydyj3xd5Y",
  "secret": "wz3zoXsY0HdiZecVdSbLqnxBapYcEIehuqtgDfhT",
  "expiresAt": 123123123123,
  "expiresIn": 121683831139,
  "createdAt": 1439291984,
  "expired": false,
  "scopes": [
    {
      "name": "all",
      "description": "Full access"
    }
  ],
  "user": {
    "email": "jakob@qy.si",
    "permissions": [
      {
        "name": "all",
        "description": "Full access"
      }
    ]
  }
}
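The following is an added example (not code from the lxHive project) of how an LMS-side caller would assemble the POST body described above and interpret the response. It assumes the scope vocabulary is the xAPI spec's OAuth scope list plus the two lxHive additions named on this page, and that the returned key and secret are used as the Basic auth username and password by the launched activity; both are assumptions of the example, and the token dictionaries in the tests are constructed, not real responses.

```python
from datetime import datetime, timedelta, timezone
import base64

# Scope names from the xAPI spec's OAuth scope list plus the two lxHive
# additions named on this page; assumed here to be the accepted vocabulary.
XAPI_SCOPES = {"statements/write", "statements/read/mine", "statements/read",
               "state", "define", "profile", "all/read", "all"}
LXHIVE_EXTRA = {"super", "attachments"}


def _check_names(kind, names):
    """Reject permission or scope names outside the assumed vocabulary."""
    unknown = set(names) - XAPI_SCOPES - LXHIVE_EXTRA
    if unknown:
        raise ValueError(f"unknown {kind}: {sorted(unknown)}")
    return list(names)


def build_token_request(email, *, password=None, permissions=None, name=None,
                        description=None, scopes=None,
                        lifetime=timedelta(hours=1), unix_expiry=False, now=None):
    """Build the POST /auth/tokens body. Only user.email is required; expiresAt is
    sent as an ISO 8601 string (the page's example form) or, with unix_expiry=True,
    as a unix timestamp, both of which the endpoint accepts."""
    now = now or datetime.now(timezone.utc)
    user = {"email": email}
    if password is not None:
        user["password"] = password  # omit it and the user cannot log in via OAuth
    if permissions is not None:
        user["permissions"] = _check_names("permissions", permissions)
    body = {"user": user}
    if name is not None:
        body["name"] = name
    if description is not None:
        body["description"] = description
    expires = now + lifetime
    body["expiresAt"] = (int(expires.timestamp()) if unix_expiry
                         else expires.strftime("%Y-%m-%dT%H:%M:%SZ"))
    if scopes is not None:
        body["scopes"] = _check_names("scopes", scopes)
    return body


def parse_expires_at(value):
    """expiresAt may be a unix timestamp or an ISO 8601 string; normalise to UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_is_usable(token, now=None):
    """True when the LRS has not flagged the token expired and expiresAt is still ahead."""
    now = now or datetime.now(timezone.utc)
    return not token.get("expired", False) and now < parse_expires_at(token["expiresAt"])


def basic_auth_header(token):
    """Turn the issued key/secret into the Basic auth header the launched activity
    sends on its xAPI requests (assumed lxHive convention: key is the username,
    secret the password)."""
    raw = f"{token['key']}:{token['secret']}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
```

Passing `now` explicitly keeps the expiry computation testable; in production leave it unset so the lifetime is measured from the moment of issue.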

DELETE

You delete a basic access token by making a DELETE request with the query parameters key and secret, containing the respective properties of the token you want to delete. A 204 No Content is returned on success. Because key and secret travel in the query string, send these requests over TLS only and keep full request URLs out of access logs you do not control.

GET

You can fetch an access token with a GET request by providing the query parameters key and secret. The response has the same format as the POST response, which makes GET useful for checking whether a key has expired yet.
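As an added example (not lxHive's own code), here is the whole issue, inspect and revoke cycle against /auth/tokens from the GET and DELETE sections above, driven by a small client whose HTTP opener is injectable. The LRS base URL and super credentials are placeholders, and the in-memory fake LRS is constructed for the example; it implements only the behaviour this page documents (POST returns the token, GET returns it by key and secret, DELETE answers 204).

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request
from io import BytesIO


class TokenClient:
    """Client for lxHive's /auth/tokens, authenticated with super credentials."""

    def __init__(self, base_url, super_key, super_secret, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{super_key}:{super_secret}".encode()).decode()
        self.auth_header = f"Basic {creds}"
        self.opener = opener  # injectable so the cycle can run without a live LRS

    def _call(self, method, query=None, body=None):
        url = f"{self.base_url}/auth/tokens"
        if query:
            # key and secret ride in the query string: never log the full URL
            url += "?" + urllib.parse.urlencode(query)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self.opener(req) as resp:
            status, payload = resp.status, resp.read()
        return status, (json.loads(payload) if payload else None)

    def create(self, body):
        return self._call("POST", body=body)[1]

    def fetch(self, key, secret):
        return self._call("GET", query={"key": key, "secret": secret})[1]

    def revoke(self, key, secret):
        status, _ = self._call("DELETE", query={"key": key, "secret": secret})
        return status == 204  # the page documents 204 No Content on success


class _Resp:
    """Minimal stand-in for urllib's HTTPResponse: .status, .read(), context manager."""

    def __init__(self, status, obj=None):
        self.status = status
        self._buf = BytesIO(json.dumps(obj).encode() if obj is not None else b"")

    def read(self):
        return self._buf.read()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_lrs():
    """Constructed in-memory /auth/tokens implementing only what the page documents."""
    store = {}

    def opener(req):
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(req.full_url).query))
        method = req.get_method()
        if method == "POST":
            body = json.loads(req.data)
            key, secret = secrets.token_urlsafe(30), secrets.token_urlsafe(30)
            token = {"key": key, "secret": secret, "expired": False,
                     "user": {"email": body["user"]["email"]},
                     "scopes": body.get("scopes", ["all"])}
            store[(key, secret)] = token
            return _Resp(200, token)
        if method == "GET":
            return _Resp(200, store[(q["key"], q["secret"])])
        if method == "DELETE":
            store.pop((q["key"], q["secret"]))
            return _Resp(204)
        raise ValueError(method)

    return opener, store


def lifecycle(client):
    """Issue a token for a launched activity, confirm it is live, then revoke it."""
    issued = client.create({"user": {"email": "john@example.com"}, "name": "launch"})
    live = client.fetch(issued["key"], issued["secret"])
    revoked = client.revoke(issued["key"], issued["secret"])
    return live["expired"], revoked
```

Against a real LRS, construct `TokenClient("https://lrs.example.com", key, secret)` without the `opener` argument and `urllib.request.urlopen` is used; the fake exists only so the cycle can be exercised offline.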