* Moved over oauth impl to new interface
* Fixed most build issues and started adding schema to auth drivers
* Finished up OAuth2 and OpenID drivers
* Removed unused migration and utils
* Fixed minor todos
* Removed old oauth flow
* Changed oauth flow to re-use refresh token
* Added new oauth frontend
* Added font awesome social icons
* Updated authentication documentation
* Update api/src/auth/drivers/oauth2.ts
* Tested implementation and fixed incorrect validation
* Updated docs
* Improved OAuth error handling and re-enabled creating users with provider/identifier
* Removed Session config from docs
* Update app/src/components/v-icon/v-icon.vue
* Removed oauth need to define default roleID
* Added FormatTitle to SSO links
* Prevent local auth without password
* Store OAuth access token in session data
* Update docs/guides/api-config.md
* Fixed copy and removed fontawesome-vue dependency
* More docs fixes
* Crucially important type fixes
* Update package-lock
* Remove is-email-allowed check, in favor of a more advanced version based on filtering coming later
* Fix JSON type casting
* Delete unused util
* Update type signature to include name
* Add warning when code isn't found in oauth url and remove obsolete imports
* Auto-continue on successful SSO login
* Tweak type signature
* More type casting shenanigans
* Please the TS gods
* Check for missing token before crashing

Co-authored-by: rijkvanzanten <rijkvanzanten@me.com>
---
pageClass: page-reference
---

# Authentication

> By default, all data in the system is off limits for unauthenticated users. To gain access to protected data, you must include an access token with every request, or configure permissions for the public role.
## Login

Retrieve a temporary access token and refresh token.

### Request Body

`email` **Required**\
Email address of the user you're retrieving the access token for.

`password` **Required**\
Password of the user.

`otp`\
The user's one-time password (if MFA is enabled).

`mode`\
Whether to return the refresh token in the JSON response or in an httpOnly secure cookie. One of `json`, `cookie`. Defaults to `json`.

### Response Attributes

`access_token` **string**\
Temporary access token to be used in follow-up requests.

`expires` **integer**\
How long before the access token will expire. Value is in milliseconds.

`refresh_token` **string**\
The token that can be used to retrieve a new access token through `/auth/refresh`. Note: if you used `cookie` as the `mode` in the request, the refresh token won't be returned in the JSON.

::: tip Expiry time
The token's expiration time can be configured through the `ACCESS_TOKEN_TTL` environment variable.
:::

### REST API

```
POST /auth/login
POST /auth/login/:provider
```

```json
{
	"email": "admin@example.com",
	"password": "d1r3ct5us"
}
```

### GraphQL

```
POST /graphql/system
```

```graphql
mutation {
	auth_login(email: "admin@example.com", password: "d1r3ctu5") {
		access_token
		refresh_token
	}
}
```
## Refresh

Retrieve a new access token using a refresh token.

### Request Body

`refresh_token`\
The refresh token to use. If you have the refresh token in a cookie through `/auth/login`, you don't have to submit it here.

### Response Attributes

`access_token` **string**\
Temporary access token to be used in follow-up requests.

`expires` **integer**\
How long before the access token will expire. Value is in milliseconds.

`refresh_token` **string**\
The token that can be used to retrieve a new access token through `/auth/refresh`. Note: if you used `cookie` as the `mode` in the request, the refresh token won't be returned in the JSON.

### REST API

```
POST /auth/refresh
```

```json
{
	"refresh_token": "gmPd...8wuB"
}
```

### GraphQL

```
POST /graphql/system
```

```graphql
mutation {
	auth_refresh(refresh_token: "abc...def") {
		access_token
		refresh_token
	}
}
```
## Logout

Invalidate the refresh token, thus destroying the user's session.

### Request Body

`refresh_token`\
The refresh token to invalidate. If you have the refresh token in a cookie through `/auth/login`, you don't have to submit it here.

### REST API

```
POST /auth/logout
```

```json
{
	"refresh_token": "gmPd...8wuB"
}
```

### GraphQL

```
POST /graphql/system
```

```graphql
mutation {
	auth_logout(refresh_token: "gmPd...8wuB")
}
```
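The Login, Refresh and Logout sections above describe one session lifecycle: obtain an access token plus refresh token, swap the refresh token for a new access token before `expires` (milliseconds) runs out, and invalidate the refresh token at the end. The following is an added example, not Directus code, showing both sides of that exchange with an in-process mock standing in for the server so it runs offline. It assumes things the page does not state: that responses are wrapped in a `data` envelope, that the refresh token is rotated on every `/auth/refresh`, and that the access token lives `ACCESS_TTL_MS` (a constructed stand-in for `ACCESS_TOKEN_TTL`). In `cookie` mode the refresh token is modelled as an opaque httpOnly cookie the client never reads, which is exactly why the JSON response omits it.

```javascript
// Added example, not Directus code: a token-lifecycle client for /auth/login,
// /auth/refresh and /auth/logout, run against an in-process mock of the server
// so it works offline. Assumed (not stated on the page): responses are wrapped
// in a `data` envelope, the refresh token is rotated on every refresh, and the
// access token lives ACCESS_TTL_MS (a constructed stand-in for ACCESS_TOKEN_TTL).
const ACCESS_TTL_MS = 30 * 1000;

// Mock server implementing the documented semantics, including `mode: "cookie"`,
// where the refresh token travels in an httpOnly cookie instead of the JSON body.
function createMockServer() {
  const users = { 'admin@example.com': 'd1r3ctu5' }; // constructed credentials
  const liveRefreshTokens = new Set();
  let counter = 0;
  const mint = (prefix) => `${prefix}-${++counter}`;
  const unauthorized = () => ({ status: 401, body: { errors: [{ message: 'Invalid user credentials.' }] } });

  function issueSession(mode) {
    const refreshToken = mint('refresh');
    liveRefreshTokens.add(refreshToken);
    const data = { access_token: mint('access'), expires: ACCESS_TTL_MS };
    if (mode === 'cookie') return { status: 200, body: { data }, setCookie: refreshToken };
    data.refresh_token = refreshToken;
    return { status: 200, body: { data } };
  }
  // Refresh and logout take the token from the body or, failing that, the cookie.
  const tokenFrom = (body, cookie) => body.refresh_token ?? cookie ?? null;

  return function handle(path, body, cookie) {
    switch (path) {
      case '/auth/login':
        if (users[body.email] !== body.password) return unauthorized();
        return issueSession(body.mode ?? 'json');
      case '/auth/refresh':
        // Single use: the presented refresh token is consumed and a new one issued.
        if (!liveRefreshTokens.delete(tokenFrom(body, cookie))) return unauthorized();
        return issueSession(body.refresh_token ? 'json' : 'cookie');
      case '/auth/logout':
        if (!liveRefreshTokens.delete(tokenFrom(body, cookie))) return unauthorized();
        return { status: 204, body: {}, setCookie: cookie ? '' : undefined }; // '' clears the cookie
      default:
        return { status: 404, body: { errors: [{ message: 'Route not found.' }] } };
    }
  };
}

// Client: keeps the session, refreshes before expiry, never inspects token contents.
// `now` is injectable so the expiry logic is deterministic in tests.
function createAuthClient(transport, now = () => Date.now(), refreshMarginMs = 5000) {
  let accessToken = null, expiresAt = 0, refreshToken = null, cookie = null;

  function call(path, body) {
    const res = transport(path, body, cookie);
    if (res.setCookie !== undefined) cookie = res.setCookie || null; // what a browser does for httpOnly cookies
    if (res.status >= 400) throw new Error(`${path}: ${res.body.errors[0].message}`);
    return res.body.data;
  }
  function store(data) {
    accessToken = data.access_token;
    expiresAt = now() + data.expires; // `expires` is in milliseconds
    refreshToken = data.refresh_token ?? null; // absent in cookie mode
  }
  function refresh() { store(call('/auth/refresh', refreshToken ? { refresh_token: refreshToken } : {})); }

  return {
    login(email, password, mode = 'json') { store(call('/auth/login', { email, password, mode })); },
    refresh,
    // Returns a token still valid for at least refreshMarginMs, refreshing first if needed.
    getAccessToken() {
      if (now() >= expiresAt - refreshMarginMs) refresh();
      return accessToken;
    },
    hasRefreshTokenInJson: () => refreshToken !== null,
    logout() {
      call('/auth/logout', refreshToken ? { refresh_token: refreshToken } : {});
      accessToken = null; refreshToken = null; expiresAt = 0; cookie = null;
    },
  };
}

// Walks one session through login, proactive refresh, rotation, logout and two rejections.
function runScenario(mode = 'json') {
  let clock = 1000000;
  const server = createMockServer();
  const client = createAuthClient(server, () => clock);
  const out = {};
  client.login('admin@example.com', 'd1r3ctu5', mode);
  out.refreshTokenInJson = client.hasRefreshTokenInJson();
  out.first = client.getAccessToken();    // fresh token, no refresh needed
  clock += ACCESS_TTL_MS - 1000;          // now inside the 5 s safety margin
  out.second = client.getAccessToken();   // transparently calls /auth/refresh
  out.rotated = out.first !== out.second;
  client.logout();
  try { client.refresh(); out.refreshAfterLogout = 'accepted'; } catch (e) { out.refreshAfterLogout = e.message; }
  try { createAuthClient(server).login('admin@example.com', 'wrong'); out.badLogin = 'accepted'; } catch (e) { out.badLogin = e.message; }
  return out;
}

console.log(runScenario('json'));
```

Run `runScenario('cookie')` to see the same flow with the refresh token kept out of the JSON body: the client still refreshes and logs out, but only the transport (the browser, in practice) ever touches the token. Refreshing a few seconds before `expires` rather than on failure avoids a burst of 401s on long-lived pages.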
## Request Password Reset

Request a password reset email to be sent to the given user.

### Request Body

`email` **Required**\
Email address of the user you're requesting a password reset for.

`reset_url`\
Provide a custom reset URL which the link in the email will lead to. The reset token will be passed as a query parameter. Note: you need to configure the `PASSWORD_RESET_URL_ALLOW_LIST` environment variable to enable this feature.

### REST API

```
POST /auth/password/request
```

```json
{
	"email": "admin@example.com"
}
```

### GraphQL

```
POST /graphql/system
```

```graphql
mutation {
	auth_password_request(email: "admin@example.com")
}
```
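The `reset_url` field lets a caller choose where the emailed link points, and the link carries the reset token, so the allow list is what keeps that token from being delivered to a destination the operator never approved. The following is an added example, not Directus code, of how such a check can be implemented server-side. The page only names the `PASSWORD_RESET_URL_ALLOW_LIST` variable; the example assumes it holds a comma-separated list of exact URLs and that a `reset_url` not on it is refused rather than used. `DEFAULT_RESET_URL` and the allow-list contents are constructed placeholders.

```javascript
// Added example, not Directus code: server-side handling of the optional
// `reset_url` field on /auth/password/request. Assumed (the page only names the
// variable): PASSWORD_RESET_URL_ALLOW_LIST is a comma-separated list of exact
// URLs, and a reset_url that is not on it is refused rather than used.
// DEFAULT_RESET_URL is a constructed placeholder for the admin app's route.
const DEFAULT_RESET_URL = 'https://example.com/admin/reset-password';

// Parse the env-style list into a Set of canonical URLs. `new URL(s).href`
// lowercases the host and resolves dot segments, so later comparisons are exact.
function parseAllowList(raw) {
  return new Set(
    (raw ?? '').split(',').map((s) => s.trim()).filter(Boolean).map((s) => new URL(s).href)
  );
}

// Decide where the reset link may point. The token in that link grants a password
// change, so it is only delivered to destinations the operator approved: the
// requested URL is canonicalised and must match an allow-list entry exactly.
function resolveResetUrl(requested, allowList) {
  if (requested === undefined || requested === null || requested === '') {
    return { ok: true, url: DEFAULT_RESET_URL, reason: 'no reset_url given; using the default route' };
  }
  let canonical;
  try { canonical = new URL(requested).href; } catch { return { ok: false, reason: 'reset_url is not an absolute URL' }; }
  if (!allowList.has(canonical)) return { ok: false, reason: 'reset_url is not in PASSWORD_RESET_URL_ALLOW_LIST' };
  return { ok: true, url: canonical, reason: 'reset_url is allow-listed' };
}

// Build the e-mail link: the reset token is passed as a query parameter.
function buildResetLink(resetUrl, token) {
  const link = new URL(resetUrl);
  link.searchParams.set('token', token);
  return link.href;
}

// One request-handling step: returns the link to mail, or the reason the request was refused.
function handleResetRequest(body, allowListEnv, token) {
  const resolved = resolveResetUrl(body.reset_url, parseAllowList(allowListEnv));
  if (!resolved.ok) return { ok: false, reason: resolved.reason };
  return { ok: true, link: buildResetLink(resolved.url, token) };
}

// Constructed allow list and token for the demonstration below.
const ALLOW_LIST_ENV = 'https://app.example.com/reset, https://mobile.example.com/auth/reset';
console.log(handleResetRequest({ email: 'admin@example.com', reset_url: 'https://app.example.com/reset' }, ALLOW_LIST_ENV, 'tok-123'));
```

Canonicalising both sides before comparing matters: `https://APP.example.com/reset` and `https://app.example.com/reset/../other` both normalise before the lookup, so the first matches and the second is refused even though a naive string prefix check would treat them the other way round.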
## Reset a Password

The Request Password Reset endpoint sends an email with a link to the admin app (or a custom route), which in turn uses this endpoint to let the user set a new password.

### Request Body

`token` **Required**\
Password reset token, as provided in the email sent by the request endpoint.

`password` **Required**\
New password for the user.

### REST API

```
POST /auth/password/reset
```

```json
{
	"token": "eyJh...KmUk",
	"password": "d1r3ctu5"
}
```

### GraphQL

```
POST /graphql/system
```

```graphql
mutation {
	auth_password_reset(token: "eyJh...KmUk", password: "d1r3ctu5")
}
```
## List Auth Providers

List all the configured auth providers.

::: tip Configuring auth providers
To learn more about setting up auth providers, see Configuring auth providers.
:::

### Response Attributes

`data` **Array**\
Array of configured auth providers.

### REST API

```
GET /auth
```

```json
{
	"data": [
		{
			"name": "GitHub",
			"driver": "oauth2",
			"icon": "github"
		},
		{
			"name": "Google",
			"driver": "openid",
			"icon": "google"
		},
		{
			"name": "Okta",
			"driver": "openid"
		}
	]
}
```
## Login Using SSO Providers

Redirects to the configured SSO provider so the user can log in there.

### REST API

```
GET /auth/login/:provider
```