7. JWT authentication
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
What is supported:
- REST login uses the JWT standard
- Local JSON-based user management and LDAP users
- Login and auth APIs, so App Mesh can run as a stand-alone JWT server
- Centralized user and role DB server via Consul

What is not supported:
- Redirecting authentication to another JWT server
7.1. GET JWT token
Method | URI | Body/Headers | Desc |
---|---|---|---|
POST | /appmesh/login | Headers: `Username=base64(uname)`, `Password=base64(passwd)`; optional: `Expire-Seconds=600`, `Totp=base64(TOTP_KEY)` | User login; returns a JWT token or requires a follow-up TOTP validation |
POST | /appmesh/totp/validate | Headers: `Totp=base64(TOTP_KEY)` | Validate the TOTP key; returns a JWT token |
```bash
curl -X POST -k -s -H "Username:$(echo -n user | base64)" -H "Password:$(echo -n Password | base64)" -H "Expire-Seconds:2" https://localhost:6060/appmesh/login | python -m json.tool
```
The REST API responds with the JSON below when authentication succeeds:

```json
{
    "Access-Token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDU5MjA1NjQsImlhdCI6MTYwNTMxNTc2NCwiaXNzIjoiYXBwbWVzaC1hdXRoMCIsIm5hbWUiOiJhZG1pbiJ9.hPOGoU5cl8TexQKyUnKpSi4r9Hy0Vhi03A-mCyQfpXw",
    "expire_seconds": 604800,
    "expire_time": 1605920564,
    "profile": {
        "auth_time": 1605315764,
        "name": "admin"
    },
    "token_type": "Bearer"
}
```
Field | Description |
---|---|
Access-Token | JWT token content |
expire_time | UTC time (seconds) at which the token expires: the server time plus the requested Expire-Seconds |
auth_time | the server's UTC time (seconds) at login |
token_type | JWT standard "Bearer" |
7.2. Use JWT token for REST request
Method | URI | Body/Headers | Desc |
---|---|---|---|
POST | /appmesh/auth | Headers: `Authorization=Bearer <token>`; optional: `Auth-Permission=permission-id` | Authenticate a JWT token (and, if given, check the permission) |
```bash
curl -s -X POST -k -H "Authorization:Bearer $JWT_TOKEN" -H "Auth-Permission:app-view" https://127.0.0.1:6060/appmesh/auth | python -m json.tool
```
The REST API responds with the JSON below when authentication succeeds:

```json
{
    "permission": "app-view",
    "success": true,
    "user": "mesh"
}
```
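The two curl calls above can be combined into a small client that performs the login in 7.1, keeps the `expire_time` check client-side, and then presents the token to `/appmesh/auth` as in 7.2. The following is an added example written for this page, not App Mesh's own client code. It assumes the server address used by the page's curl examples (`https://localhost:6060`) and uses only the Python standard library; the function names, the `verify_tls` switch and the `SAMPLE_TOKEN` (copied from the login response above) are this example's own choices. Note that `decode_jwt_claims` only base64-decodes the payload for display; it does not check the signature, so the only authority on whether a token is valid remains the server's `/appmesh/auth` endpoint.

```python
import base64
import json
import ssl
import time
import urllib.request

BASE_URL = "https://localhost:6060"  # from the page's curl examples

# Access-Token from the sample login response above (page data, used for decoding only)
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE2MDU5MjA1NjQsImlhdCI6MTYwNTMxNTc2NCwiaXNzIjoiYXBwbWVzaC1hdXRoMCIsIm5hbWUiOiJhZG1pbiJ9."
    "hPOGoU5cl8TexQKyUnKpSi4r9Hy0Vhi03A-mCyQfpXw"
)


def b64(value: str) -> str:
    """App Mesh expects Username, Password and Totp header values base64-encoded."""
    return base64.b64encode(value.encode()).decode()


def login_headers(username, password, expire_seconds=None, totp_key=None):
    """Headers for POST /appmesh/login, mirroring the curl example in 7.1."""
    headers = {"Username": b64(username), "Password": b64(password)}
    if expire_seconds is not None:
        headers["Expire-Seconds"] = str(expire_seconds)
    if totp_key is not None:
        headers["Totp"] = b64(totp_key)
    return headers


def auth_headers(token, permission=None):
    """Headers for POST /appmesh/auth, mirroring the curl example in 7.2."""
    headers = {"Authorization": "Bearer " + token}
    if permission is not None:
        headers["Auth-Permission"] = permission
    return headers


def decode_jwt_claims(token):
    """Decode the payload segment for display only. The signature is NOT
    verified here; authorization decisions belong to the server."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS token")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expired(login_response, now=None):
    """expire_time is UTC seconds, so it compares directly against time.time()."""
    now = time.time() if now is None else now
    return now >= login_response["expire_time"]


def _post(path, headers, verify_tls=True):
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; only for a lab with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(BASE_URL + path, method="POST", headers=headers)
    # a non-2xx status raises urllib.error.HTTPError
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def login(username, password, expire_seconds=600, verify_tls=True):
    return _post("/appmesh/login", login_headers(username, password, expire_seconds), verify_tls)


def validate_totp(totp_key, verify_tls=True):
    """Second step when login answers that a TOTP validation is required."""
    return _post("/appmesh/totp/validate", {"Totp": b64(totp_key)}, verify_tls)


def check_permission(token, permission, verify_tls=True):
    """Returns the /appmesh/auth body, e.g. {"permission": "app-view", "success": true, "user": "mesh"}."""
    return _post("/appmesh/auth", auth_headers(token, permission), verify_tls)


if __name__ == "__main__":
    result = login("user", "Password", expire_seconds=600)
    token = result["Access-Token"]
    print("claims:", decode_jwt_claims(token))
    print("expired:", token_expired(result))
    print(check_permission(token, "app-view"))
```

Running the script against a live server reproduces the two curl calls; the helper functions can also be exercised offline, for example to confirm that the sample token's `exp` and `iat` claims match the `expire_time` and `auth_time` fields of the login response above.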