Authentication Data API
Authentication Data API provides REST services that are used to retrieve endpoint parameters provided by the authentication framework or related services.
These parameters may not be passed in the redirect URL for one or more of the following reasons:
- Sensitivity of the values passed.
- Complexity of the values passed.
- The length of the parameters exceeds, or could exceed, the allowed limits.
- Compliance with certain business policies.
Configuring Authentication Data API
To make these parameters available via the Authentication Data API, configure the Identity Server as follows.
- Configure the following parameters in the deployment.toml file in <IS_HOME>/repository/conf as per the descriptions provided below.

  ```toml
  [authentication.endpoint.redirect_params]
  filter_policy = "include"
  remove_on_consume_from_api = "true"
  parameters = ["sessionDataKey"]
  ```
| Field Name | Description |
| --- | --- |
| filter_policy | Value is either include or exclude. An include indicates an allowlist value, whereas an exclude indicates a denylist value. |
| remove_on_consume_from_api | This decides whether to remove the parameters on a read. If set to true, parameters are deleted upon read and won't be available for subsequent API requests, unless they are repopulated at the backend. |
| parameters | The list of parameters to be allowlisted/denylisted. The name attribute is used to specify the parameter name. |
| sessionDataKey | This is an identifier used by the Identity Server to maintain state information related to this particular request by the service provider. |

Note

The 'sessionDataKey' query parameter is used to coordinate the request state across the components participating in the request flow. It does not correlate with the user session. Furthermore, the request state maintained against the 'sessionDataKey' parameter value is cleared by each participating component at the end of the request flow. This means that even if an external party grabs the 'sessionDataKey', they will not be able to get into the authentication sequence, as the user session is not associated with that key.
- Restart the server.
Using the API
The data can be accessed at https://<IS_HOST>:<PORT>/api/identity/auth/v1.1/data/<Type>/<Key>.
- <Type> - The key type to use. The value is AuthRequestKey for pages that communicate directly with the authentication framework using sessionDataKey, and OauthConsentKey for the OAuth consent page, which uses sessionDataKeyConsent as the correlation key.
- <Key> - The correlation key, whose value is either sessionDataKey or sessionDataKeyConsent.
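The following is an added example, not WSO2 Identity Server code, that models the two pieces described above: the redirect-parameter filter configured under [authentication.endpoint.redirect_params] (including the remove_on_consume_from_api read-once behaviour) and the construction of a validated Authentication Data API URL from <Type> and <Key>. The include/exclude semantics modelled (allowlisted names stay in the redirect URL, everything else is held server-side for the API) are an assumption to be checked against your server version; the class and function names, and the sample redirect URL, are this example's own constructions. The session key value is the page's sample key.

```python
"""Added example (not WSO2 Identity Server code): a small model of the
redirect-parameter filter configured under
[authentication.endpoint.redirect_params], plus a builder for the
Authentication Data API URL. The include/exclude semantics modelled here
(allowlisted names stay in the redirect URL, everything else is held for
the API) are an assumption; check them against your server version."""
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import uuid

# <Type> path segment -> the correlation-key parameter it is looked up by
KEY_TYPES = {"AuthRequestKey": "sessionDataKey",
             "OauthConsentKey": "sessionDataKeyConsent"}


@dataclass
class RedirectParamStore:
    filter_policy: str              # "include" (allowlist) or "exclude" (denylist)
    parameters: Tuple[str, ...]     # names listed under `parameters`
    remove_on_consume_from_api: bool
    _held: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.filter_policy not in ("include", "exclude"):
            raise ValueError("filter_policy must be 'include' or 'exclude'")

    def _stays_in_url(self, name: str) -> bool:
        listed = name in self.parameters
        return listed if self.filter_policy == "include" else not listed

    def filter_redirect(self, redirect_url: str, correlation_key: str) -> str:
        """Remove filtered parameters from the redirect URL and hold them
        under the correlation key (sessionDataKey / sessionDataKeyConsent)
        so the endpoint can fetch them from the Authentication Data API."""
        parts = urlsplit(redirect_url)
        kept, held = [], {}
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if self._stays_in_url(name):
                kept.append((name, value))
            else:
                held[name] = value
        if held:
            self._held.setdefault(correlation_key, {}).update(held)
        return urlunsplit(parts._replace(query=urlencode(kept)))

    def consume(self, correlation_key: str) -> Dict[str, str]:
        """Serve the held parameters. With remove_on_consume_from_api=true
        they are deleted on read, so a second read returns nothing."""
        if self.remove_on_consume_from_api:
            return self._held.pop(correlation_key, {})
        return dict(self._held.get(correlation_key, {}))


def is_valid_lookup(key_type: str, key: str) -> bool:
    """Accept only the two documented <Type> values and a UUID-shaped <Key>
    (the sample keys on the page are UUIDs; the format check itself is
    this example's own choice)."""
    if key_type not in KEY_TYPES:
        return False
    try:
        uuid.UUID(key)
    except ValueError:
        return False
    return True


def data_api_url(host: str, port: int, key_type: str, key: str) -> str:
    """Build https://<IS_HOST>:<PORT>/api/identity/auth/v1.1/data/<Type>/<Key>."""
    if not is_valid_lookup(key_type, key):
        raise ValueError(f"refusing lookup for {key_type!r}/{key!r}")
    return f"https://{host}:{port}/api/identity/auth/v1.1/data/{key_type}/{key}"


if __name__ == "__main__":
    # Constructed sample redirect; the session key is the page's sample value.
    key = "7a6886ab-b02f-424f-9cd4-adf5e92f0798"
    redirect = ("https://localhost:9443/authenticationendpoint/login.do"
                f"?sessionDataKey={key}&relyingParty=sampleApp&type=oauth2")
    store = RedirectParamStore("include", ("sessionDataKey",), True)
    print(store.filter_redirect(redirect, key))  # only sessionDataKey remains in the URL
    print(data_api_url("localhost", 9443, "AuthRequestKey", key))
    print(store.consume(key))  # the held parameters
    print(store.consume(key))  # empty after remove-on-consume
```

With the page's sample configuration (include policy, only sessionDataKey listed), the relying-party details are stripped from the redirect and must be fetched through the API using the session key; a second fetch returns nothing, which is the behaviour to expect when remove_on_consume_from_api is true and the endpoint reads the data more than once.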
Authenticating the API
This API can be authenticated by following the steps given here.
Following are sample requests and responses using cURL.
Request-1

```bash
curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/AuthRequestKey/7a6886ab-b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"
```

Response-1

```json
{"paramKey1": "paramValue1", "paramKey2": "paramValue2"}
```

Request-2

```bash
curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/OauthConsentKey/7a6886ab-b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"
```

Response-2

```json
{"paramKey1": "paramValue1", "paramKey2": "paramValue2"}
```