How Clients Authenticate
Clients can authenticate passing credentials via the different authentication schemes handled by restheart-security. This section shows how clients can authenticate using the simple basic authentication, a standard method for an HTTP user agent to provide a username and password when making a request.
With httpie use the
$ http -a userid:password GET 127.0.0.1:8080/
With curl, use the
$ curl -i --user userid:password -X GET 127.0.0.1:8080/
Basic Authentication for dummies
Basic Authentication requires the client to send its credentials with the Authorization request header.
The value of the Authorization request header must be: Basic base64(<userid> + ':' + <password>)
In other words:
userid and password are combined into a string "userid:password". Note the colon between userid and password (userid cannot contain the ":" character).
The resulting string is base 64 encoded
The string "Basic " (note the space) is then put before the encoded string.
RESTHeart default configuration includes the tokenBasicAuthMechanism and the rndTokenManager.
With those plugins enabled, when a request is successfully authenticated, an auth token is generated by the Token Manager and included in every subsequent responses.
the tokenBasicAuthMechanism allows to authenticate the client using the auth token; the auth token is used as a temporary password in the basic authentication scheme. This means that the Authorization request header can either be calculated from the the Auth-Token itself:
Authorization: Basic base64(<userid> + ':' + <password>) or Authorization: Basic base64(<userid> + ':' + <auth-token>)
Auth token information are passed in the following response headers:
|the URI in the Auth-Token-Location header: the client can issue a GET request to obtain information about token or a DELETE request to invalidate it. Of course clients can only request their own tokens (otherwise response code will be 403 Forbidden).
|The Authentication Token is a very important feature when you are developing a web application. Since every request needs to include the credentials, you need to store them either in a cookie or (better) in the session storage. The sign-in form can check the credentials using the actual password; if it succeeds, the auth token can be stored and used.
|Pay attention to the authentication token in case of multi-node deployments (horizontal scalability). In this case, you need to either disable it or use a load balancer with the sticky session option or a different Token Manager implementation.
rndTokenManager can be configured as follows (note option
TTL the auth token Time To Live in minutes):
Suggested way to check credentials
The default restheart configuration file sets up the useful service roles, bound to
The possible response codes of the request GET
401 Unauthorized missing or wrong credentials
403 Forbidden the userid in the URL does not match the one in the Authorization header
200 OK credentials match; the following response document is sent back:
Of course, if the request succeeds, the client gets back the auth token as well.
|It is easy to check the user credentials from a login form with this handler: in case the client gets back 200, they match and the auth token can be stored for further request; otherwise passed credentials are wrong.
How to avoid the basic authentication popup in browsers
With basic authentication, browsers can show a awful login popup window and this is not what you usually want.
What happens behind the scene, is that the server sends
WWW-Authenticate response header that actually leads to it.
You can avoid RESTHeart to actually send this header avoiding the popup
login window altogether, either specifying
No-Auth-Challenge request header or using
noauthchallenge query parameter. In this case, RESTHeart will just
respond with 401 Unauthorized in case of missing or wrong
|This feature together with the authentication token, allows you to implement a form based authentication experience on top of the simple and effective basic authentication mechanism.
|Watch An application example (blog)