github/directus
1
0
Fork 0
mirror of https://github.com/directus/directus.git synced 2026-01-29 09:48:00 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
bf2b7e8d018372ad450dce8a280b70574b82f990
directus/docs/reference/api/system/authentication.md
Aiden Foxx fa3b1171e8 New OpenID and OAuth2 drivers (#8660) 
* Moved over oauth impl to new interface

* Fixed most build issues and started addind schema to auth drivers

* Finished up OAuth2 and OpenID drivers

* Removed unused migration and utils

* Fixed minor todos

* Removed old oauth flow

* Changed oauth flow to re-use refresh token

* Added new oauth frontend

* Added font awesome social icons

* Updated authentication documentation

* Update api/src/auth/drivers/oauth2.ts

* Tested implementation and fixed incorrect validation

* Updated docs

* Improved OAuth error handling and re-enabled creating users with provider/identifier

* Removed Session config from docs

* Update app/src/components/v-icon/v-icon.vue

* Removed oauth need to define default roleID

* Added FormatTitle to SSO links

* Prevent local auth without password

* Store OAuth access token in session data

* Update docs/guides/api-config.md

* Fixed copy and removed fontawesome-vue dependency

* More docs fixes

* Crucialy importend type fiks

* Update package-lock

* Remove is-email-allowed check

In favor of more advanced version based on filtering coming later

* Fix JSON type casting

* Delete unused util

* Update type signature to include name

* Add warning when code isn't found in oauth url

and remove obsolete imports

* Auto-continue on successful SSO login

* Tweak type signature

* More type casting shenanigans

* Please the TS gods

* Check for missing token before crashing

Co-authored-by: rijkvanzanten <rijkvanzanten@me.com>
2021-10-21 17:45:01 -04:00

408 lines
5.9 KiB
Markdown
Raw Blame History

---
pageClass: page-reference
---
# Authentication
<div class="two-up">
<div class="left">
> By default, all data in the system is off limits for unauthenticated users. To gain access to protected data, you must
> include an access token with every request, or
> [configure permissions for the public role](/guides/roles-and-permissions).
</div>
<div class="right">
[[toc]]
</div>
</div>
---
## Login
Retrieve a temporary access token and refresh token.
<div class="two-up">
<div class="left">
### Request Body
<div class="definitions">
`email` **Required**\
Email address of the user you're retrieving the access token for.
`password` **Required**\
Password of the user.
`otp`\
The user's one-time-password (if MFA is enabled).
`mode`\
Whether to retrieve the refresh token in the JSON response, or in a `httpOnly` `secure` cookie. One of `json`, `cookie`.
Defaults to `json`.
</div>
### Response Attributes
<div class="definitions">
`access_token` **string**\
Temporary access token to be used in follow-up requests.
`expires` **integer**\
How long before the access token will expire. Value is in milliseconds.
`refresh_token` **string**\
The token that can be used to retrieve a new access token through [`/auth/refresh`](#refresh). Note: if you used `cookie`
as the mode in the request, the refresh token won't be returned in the JSON.
</div>
::: tip Expiry time
The token's expiration time can be configured through
[the `ACCESS_TOKEN_TTL` environment variable](/reference/environment-variables).
:::
</div>
<div class="right">
### REST API
```
POST /auth/login
```
```
POST /auth/login/:provider
```
```json
{
"email": "admin@example.com",
"password": "d1r3ct5us"
}
```
### GraphQL
```
POST /graphql/system
```
```graphql
mutation {
auth_login(email: "admin@example.com", password: "d1r3ctu5") {
access_token
refresh_token
}
}
```
</div>
</div>
---
## Refresh
Retrieve a new access token using a refresh token.
<div class="two-up">
<div class="left">
### Request Body
<div class="definitions">
`refresh_token`\
The refresh token to use. If you have the refresh token in a cookie through [`/auth/login`](#login), you don't have to submit
it here.
</div>
### Response Attributes
<div class="definitions">
`access_token` **string**\
Temporary access token to be used in follow-up requests.
`expires` **integer**\
How long before the access token will expire. Value is in milliseconds.
`refresh_token` **string**\
The token that can be used to retrieve a new access token through [`/auth/refresh`](#refresh). Note: if you used `cookie`
as the mode in the request, the refresh token won't be returned in the JSON.
</div>
</div>
<div class="right">
### REST API
```
POST /auth/refresh
```
```json
{
"refresh_token": "gmPd...8wuB"
}
```
### GraphQL
```
POST /graphql/system
```
```graphql
mutation {
auth_refresh(refresh_token: "abc...def") {
access_token
refresh_token
}
}
```
</div>
</div>
---
## Logout
Invalidate the refresh token thus destroying the user's session.
<div class="two-up">
<div class="left">
### Request Body
<div class="definitions">
`refresh_token`\
The refresh token to invalidate. If you have the refresh token in a cookie through [`/auth/login`](#login), you don't have
to submit it here.
</div>
</div>
<div class="right">
### REST API
```
POST /auth/logout
```
```json
{
"refresh_token": "gmPd...8wuB"
}
```
### GraphQL
```
POST /graphql/system
```
```graphql
mutation {
auth_logout(refresh_token: "gmPd...8wuB")
}
```
</div>
</div>
---
## Request Password Reset
Request a password reset email to be sent to the given user.
<div class="two-up">
<div class="left">
### Request Body
<div class="definitions">
`email` **Required**\
Email address of the user you're requesting a password reset for.
`reset_url`\
Provide a custom reset url which the link in the email will lead to. The reset token will be passed as a parameter.\
**Note**: You need to configure the
[`PASSWORD_RESET_URL_ALLOW_LIST` environment variable](/reference/environment-variables/#security) to enable this
feature.
</div>
</div>
<div class="right">
### REST API
```
POST /auth/password/request
```
```json
{
"email": "admin@example.com"
}
```
### GraphQL
```
POST /graphql/system
```
```graphql
mutation {
auth_password_request(email: "admin@example.com")
}
```
</div>
</div>
---
## Reset a Password
The request a password reset endpoint sends an email with a link to the admin app (or a custom route) which in turn uses
this endpoint to allow the user to reset their password.
<div class="two-up">
<div class="left">
### Request Body
<div class="definitions">
`token` **Required**\
Password reset token, as provided in the email sent by the request endpoint.
`password` **Required**\
New password for the user.
</div>
</div>
<div class="right">
### REST API
```
POST /auth/password/reset
```
```json
{
"token": "eyJh...KmUk",
"password": "d1r3ctu5"
}
```
### GraphQL
```
POST /graphql/system
```
```graphql
mutation {
auth_password_reset(token: "eyJh...KmUk", password: "d1r3ctu5")
}
```
</div>
</div>
---
## List Auth Providers
List all the configured auth providers.
<div class="two-up">
<div class="left">
::: tip Configuring auth providers
To learn more about setting up auth providers, see [Configuring auth providers](/guides/api-config/#auth).
:::
### Response Attributes
<div class="definitions">
`data` **Array**\
Array of configured auth providers.
</div>
</div>
<div class="right">
```
GET /auth
```
```json
{
"data": [
{
"name": "GitHub",
"driver": "oauth2",
"icon": "github"
},
{
"name": "Google",
"driver": "openid",
"icon": "google"
},
{
"name": "Okta",
"driver": "openid"
}
]
}
```
</div>
</div>
---
## Login Using SSO Providers
Will redirect to the configured SSO provider for the user to login.
<div class="two-up">
<div class="right">
```
GET /auth/login/:provider
```
</div>
</div>
---
Reference in New Issue View Git Blame Copy Permalink