Authentication

This section provides information about authentication, signing in, and signing out when using the OpenText Core Software Delivery Platform REST API and OData.

Overview

You can sign in using the following methods.

Sign-in method Used for Description
JSON authentication with user credentials or API access keys

REST API

Use the sign_in resource to authenticate using user credentials or API access keys. For details, see JSON authentication.

Basic authentication
  • REST API

  • OData

To use basic authentication, enable basic authentication and send a header with user credentials or API access keys for each request.

For details, see Basic authentication.

Interactive tools authentication

Interactive integrations and flows

Through an API call, interactive tools receive a unique ID from OpenText Core Software Delivery Platform. The tool's end users are prompted to perform a manual authentication to OpenText Core Software Delivery Platform using a browser. The interactive tool polls OpenText Core Software Delivery Platform with the unique ID and the end user's username to acquire the access token. For details, see Interactive token sharing authentication.

For non-interactive tools, use JSON authentication with API keys.

Back to top

Restricted REST API access

You can configure your site and spaces to require API key authorization for direct REST API access.

If you are authenticated as a regular user, as opposed to an API key, REST API requests will be rejected.

To set up restricted REST API access:

  1. Set the following parameter at the space or site level: RESTRICT_REST_API_TO_API_KEYS_ONLY.

  2. The OpenText Core Software Delivery Platform interface and other standard UI clients, such as QoT, are excluded from the restricted access and will continue allowing user authentication access even if the above parameter is activated. To change how the other UI clients can be accessed, configure the following site/space parameter: CLIENT_TYPES_ALLOWED_TO_ACCESS_REST_API.

For details on working with parameters, see Configuration parameters.

Back to top

JSON authentication

JSON authentication uses the sign_in resource.

This resource sets the authentication cookies required for future requests.

Area Description
Content-Type header application/json
URI http[s]://<server>:<port>/authentication/sign_in
Supported HTTP methods POST
Payload for user credentials

Provide a JSON object with the credentials.

Use this type of payload to work with the API as the site admin.

{ 
     "user": "<username>", 
     "password": "<password>" 
}
Payload for API keys
{ 
     "client_id": "<client_id>", 
     "client_secret": "<client_secret>" 
}
Cookie

Upon successful authentication, the LWSSO_COOKIE_KEY cookie is set in the response.

Status code

  • 200 - Successful authentication
  • 401 (Unauthorized) - Failed authentication

Back to top

Basic authentication

Basic authentication can be used for the REST API and OData.

You cannot use basic authentication to access the OpenText Core Software Delivery Platform client.

The basic authentication result is cached for 2 minutes. Subsequent requests are then validated against the cache. The cache period is configurable by the BASIC_AUTHENTICATION_CACHE_TTL_SECONDS site parameter.

Area Description
Prerequisites

Activate basic authentication.

Request that the site admin or space admin set the value of the SUPPORTS_BASIC_AUTHENTICATION configuration parameter for each space. For details, see Configuration parameters.

Caution: Basic authentication is not secure. Turning this parameter on reduces the security level of your data.

Note: Admins can set the parameter using a REST API request. For details, see Activate basic authentication through API.

Header
  • According to the Basic Authentication specification, send the Authorization header with each request, to ensure that each request is authenticated.

    The Authorization header contains a token, based on the encoding of the user name and password, separated by a colon (:), as an octet sequence. This octet sequence is then encoded as Base64.

    Example: Authorization: Basic <token>

  • To enhance performance when using basic authentication, send the LWSSO_COOKIE_KEY cookie.The LWSSO_COOKIE_KEY cookie is sent in the response to each successful authentication. For details, see LWSSO_COOKIE_KEY cookie.

Cookie

Upon successful authentication, the LWSSO_COOKIE_KEY cookie is set in the response. Although the cookie is returned, you are not required to use it.

Status code

  • 200 - Successful authentication
  • 401 (Unauthorized) - Failed authentication

Back to top

Activate basic authentication through API

Admins can activate basic authentication by setting a parameter through a REST API request.

For a site admin:

The site admin can activate basic authentication for a specific space using the SUPPORTS_BASIC_AUTHENTICATION parameter.

The ID for the space for which you are enabling basic authentication is specified using sharedspace_id.

POST .../admin/context_parameters/
{
  "data": [
    {
      "name": "SUPPORTS_BASIC_AUTHENTICATION",
      "sharedspace_id": 2001,
      "value": "true"
    }
  ]
}

For a space admin:

The space admin can also activate basic authentication for a specific space using the parameter Authentication, with the following syntax:

PUT  .../api/shared_spaces/<space_id>/params/SUPPORTS_BASIC_AUTHENTICATION
{
    "value":"true"
}

Back to top

Interactive token sharing authentication

Use the tokens API for interactive token sharing authentication. This is especially useful for accessing OpenText Core Software Delivery Platform with an on-premises SSO login or SaaS federation from interactive tools such as Intelij.

Token sharing authentication uses two REST calls and a user-interactive authentication.

  • Step 1 - Generate an identifier. The integrated tool submits a REST call to generate an identifier and authentication URL.

  • Step 2 - Perform a browser authentication. The end user enters the authentication URL in a browser and performs a regular authentication, after which the browser can be closed.

  • Step 3 - Extract the token. The integrated tool polls OpenText Core Software Delivery Platform using a second REST call to extract the token received in the authentication process (step 2). The integrated tool uses the token to access OpenText Core Software Delivery Platform.

Step 1 - Generate an identifier

The integrated tool sends a request with the following content:

Area API details
Content-Type header application/json
Request URI http[s]://<server>:<port>/authentication/tokens
HTTP method POST
Response Body

Receive a unique identifier and URL for a browser login.

{ 
     "id": "<identifier>", 
     "authentication_url": "<url>" 
}
Status code 200 for successfully creating the identifier.

Note: If the authentication_url in the response points to the incorrect host, validate the SERVER_BASE_URL site parameter.

Step 2 - Perform a browser authentication

This end user uses the URL obtained above to log in through a browser.

Area API details
URL http[s]://<server>:<port>/authentication/store_tool_token?TENANTID=1&id=<id>

 

Open a browser, using the above URL that you received as a response in Step 1. The browser prompts you to enter your credentials. After authentication, the browser will issue a message indicating that you may close the browser.

Step 3 - Extract the token

The integrated tool polls OpenText Core Software Delivery Platform with a second REST request. This request extracts the token received in the browser authentication, using the following content:

For id use the identifier value received as a response in Step 1.

For user name, provide the same user name that you used while authenticating in the browser in Step 2. In case of SSO authentication, provide the the same user name that was sent in the SAML assertion from the IDP. The use of the same user name is essential for maintaining a secure environment.

Note: By default the user name is case sensitive. To change to insensitive, set the site parameter CASE_INSENSITIVE_USER_NAME_IN_INTERACTIVE_AUTHENTICATION to true.

Area API details
Content-Type header application/json
Request URI http[s]://<server>:<port>/authentication/tokens/<id>?userName=<user name>

 

HTTP method GET
Response body

A successful response returns 200 and the following body. This is the same id value received as a response in Step 1. You use this access_token to access OpenText Core Software Delivery Platform.

{ 
  "access_token": "<access token>", 
  "id": "<id>", 
  "cookie_name": "<cookie name>" 
} 
  • access_token – The token required for authentication. Place the <access token> value in the cookie named <cookie name> and add it to all future requests.
  • id- The interactive tool identifier.
  • cookie_name - The name of the cookie storing the token value for requests to OpenText Core Software Delivery Platform.
For example:
{ 
  "access_token": "THIgSzVsGHJ9p3YeG33...Le8U0VeF3T6DxPbv-9DAzU_RjPg..", 
  "id": "123456", 
  "cookie_name": "LWSSO_COOKIE_KEY" 
} 
Status code

200 for successfully creating the access token.

404 for a failure in creating the token for one of the following reasons:

  • The user interactive authentication from Step 2 has not completed yet.
  • The id submitted is wrong or no longer valid (see comment below table).
  • The user name submitted did not match the one used by the user in Step 2.

Note: The access token is stored in OpenText Core Software Delivery Platform until it is retrieved by a tool. If it is not retrieved within 3 minutes (180 seconds), the ID will timeout and be deleted together with the associated token. To change the timeout, modify the value of the site parameter, TOOLS_ ACCESS_TOKEN_STORAGE_TTL_SECONDS, and perform a restart.

Back to top

Authentication cookies

Authentication cookies are used for storing the authentication tokens. 

LWSSO_COOKIE_KEY cookie

Upon successful authentication, the LWSSO_COOKIE_KEY cookie is set in the response.

Send this cookie with each subsequent request.

The timeout of the cookie is 3 hours.

Refreshing the LWSSO_COOKIE_KEY cookie

After the 3-hour timeout period has passed, you can extend the timeout by resending the cookie. To resend a cookie, you send back all cookies you received from the server in the preceding response using the "Set-Cookie" header. For details, see Resend cookies.

You can keep extending the timeout for 24 hours after original authentication, if always using the resent cookie received from the server.

After 24 hours, the cookie expires, and 401 errors are issued in response to requests. In this case, re-authenticate to continue.

Back to top

sign_out

The sign_out resource logs the user off the session and cancels (expires) the authentication cookies.

This resource can be used for all authentication methods.

Area API details
URI

/authentication/sign_out

Supported HTTP methods POST
Copy code
Example:
POST http[s]://<server>:<port>/authentication/sign_out
HTTP/1.1 200 OK
Set-Cookie: LWSSO_COOKIE_KEY="";Version=1;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, max-age=0 Pragma: no-cache
Content-Length: 0
Server: Jetty(9.1.3.v20140225)

Back to top

See also: