User authentication is carried out on the API Server for each API project.
Running an API method requires prior authentication on an API project. If the API method is marked as AllowUnauthenticated, authentication is not required (you can find an example in the SDK)
Authentication has two steps:
-
Required primary authentication: Default authentication through an authentication module
-
Optional secondary authentication: Multi-factor authentication (by OneLogin)
For more information about configuring authentication, see the One Identity Manager Web Application Configuration Guide.
Detailed information about this topic
Related topics
You can use the imx/login/<API project name> API method for primary authentication on the API project.
To do this, use the POST HTTP method to send a query containing the following:
{ "Module": "RoleBasedPerson", "User": "<user name>", "Password": "<password>" }
TIP: See the SDK for examples.
Security mechanisms
The API Server uses a security mechanism to prevent cross-site request forgery (XSRF) attacks. This randomly generates a token (XSRF-TOKEN) and sends it to the client in a cookie at login. The client must then transmit the value of this token in an HTTP header (X-XSRF-TOKEN) in each request sent to the server. If this header is missing, the request is terminated with error code 400.
TIP: You can change the name of the cookie and HTTP header in the Administration Portal.
You can use the imx/logout/<API project name> API method to log out of the API project.
To do this, use the POST HTTP method to send a query without content.
The status a session is saved in a cookie. This cookie contains an encrypted security token which is used to restore a login to the API Server if the API Server was restarted in the mean time. The security token is cryptographically signed by the certificate selected on installation.
NOTE: If the API Server's current user restarts the browser, the cookie and its session information are reset.
Related topics
