Auth
The Auth “Resource”¶
This resource has many faces, and is more of a accumulation of multiple auth-related resources.
Entry Point¶
When accessing the Entry Point, the following resource is returned containing links to available sub resources.
Relations¶
| Relation | Description | Methods | Templated |
|---|---|---|---|
| self | The Entry Point itself. | GET | No. |
| curies | CURIE links. | GET | Yes. |
| ec:accounts | Collection of accounts. Only included for privileged users. | GET | No. |
| ec:account | The single account of the logged in user. | GET | No. |
| ec:auth/register | Used to register a new account using credentials. | POST | Yes. Requires clientID and invite (if activated). |
| ec:invites | List of available invites | GET, POST | No. |
| ec:auth/login | Used to login using credentials | POST | Yes. Requires clientID. |
| ec:auth/logout | Used to logout a logged in user | GET, POST | Yes. Optionally, the token can be sent as Query String. |
| ec:auth/password-reset | Used to send an email in case a user forgot her credentials | GET | Yes. Requires eMail and clientID |
| ec:auth/email-available | Used to determine if an email address is still available for registration. | GET | Yes. Requires the eMail address to check. |
| ec:auth/facebook | Used to login and/or register using Facebook | POST | Yes. Requires clientID and invite (if activated and not registered yet). |
| ec:auth/google | Used to login and/or register using Google | POST | Yes. Requires clientID and invite (if activated and not registered yet). |
| ec:auth/public-key | Returns the Server public key as pem file for checking signed tokens. | GET | No. |
Authentication¶
The authentication relations (ec:auth/register, ec:auth/login, ec:auth/facebook and ec:auth/google) work different than the rest of the API. Because of OAuth authentication flow, they don't act RESTfully in the sense that they return a JSON document: instead they redirect the user agent back to the client after successful (or failing) authentication. For that matter, a valid clientID has to be sent with each request. Only valid (registered) clients can send these requests, because the callback URL the user agent gets redirected back to has to be known on the server. An access token is appended to the callback URL on redirection, or optionally sent as cookie. These requests are not designed to be used via AJAX, but plain browser HTTP (links/forms).
If errors occur, a readable error code gets appended to the callback URL.
Signup¶
Input¶
To complete the registration process, the following has to be sent in a POST Request using application/x-www-form-urlencoded (default HTML form):
| Input field | Description |
|---|---|
| eMail address this account should be linked to. SHOULD be proven for availability before (using ec:auth/email-available) | |
| password | desired password for this account. Has to be at least 4 characters long. |
| invite | (optional) invite token. Registrations may be declined without an invite token. |
Login¶
Input¶
To log in a user using user credentials, the following has to be sent in a POST Request using application/x-www-form-urlencoded (default HTML form):
| Input field | Description |
|---|---|
| eMail address of the desired account | |
| password | password for this account |
For debugging (e.g. in Postman), this relation can also be sent in a JSON body. The result token is then also sent back directly, without redirects.
Google/Facebook Login¶
Input¶
To login and optionally register using a Google or Facebook account, follow this relation (simple GET). Note that the clientID query string parameter is still needed, as well as an invite (here also sent as query string parameter) if configured. The user will redirected to the auth provider for credentials.
API Token (anonymous user)¶
An API Token (=Anonymous user) can only login once, on registration, and gets a JWT that is valid almost indefinitely long (about 100 Years). To obtain it, simple send an empty POST to the ec:account/create-anonymous resource. The response is the default authentication response, similar to after a regular signup.
Logout¶
Log out a user. The used access token's validUntil timestamp will be altered to now, which makes it unusable for further actions. This only affects this one access token – if the account is still logged in at another device, this is unaffected by the logout operation.
Variant A: GET
A plain GET request, usable for Hyperlinking, with the access token to invalidate attached as query string value for token.
Variant B: POST
POST request with Bearer authentication. The used token will be invalidated.
Both requests also require a valid clientID. The user agent will get redirected back to the registered callback URL.
Password Reset¶
Send the user an email with links to reset the password.
GET the ec:auth/password-reset with email and clientID template parameters to trigger the password reset. The user agent will get an HTML rendered message for confirmation.
The account owner will get an email with two links: for aborting and for setting the new password. Both render an HTML site. After successful resetting the password, the user will be taken back to the origin client with an login response (just as if he successfully authenticated in the first place).
Change eMail address¶
An eMail address change is only possible through validation (i.e. opening a link sent to the address).
Input¶
The following has to be sent in a POST Request:
| Input field | Description |
|---|---|
| new eMail address of the account |
Output¶
- 200 ok
The response is a HTML page telling the user that an email to the new address has been sent. The change will only be permanent after the link has been opened. There will also be a link sent to the old email address. By clicking that link, the link for the new address becomes invalid. If the change has already been approved, it will be changed back to the old address.
Authentication Response¶
- 302 Found
The user agent is always redirected back to the client, using the registered callbackURL.
If the user has registered successfully, she is automatically logged in. However, the account state is inactive until the eMail address is validated (only register).
The access Token (as signed JSON Web Token) is appended to the callbackURL's query string as token value.
Clients may decode them using a JWT library to get the containing information: email, jti (Token ID), iat (Timestamp issued), exp (Timestamp of expiration), iss (entrecode), and sub (Account ID).
To get further account information, clients can authenticate with this token at the entry point resource and follow the then contained ec:account relation to their account information.
If an Error occured, an error code is appended to the callbackURL's query string as error value.
These errors are no full JSON errors as the rest of the API use, but plain strings:
Auth Errors¶
| Error code | Description |
|---|---|
account_blocked |
The account is blocked, the user cannot login |
account_not_found |
No account found for this email address |
auth_error |
Generic auth error (probably server-side) |
clientID_not_found |
clientID not found in client registry |
db_error |
Generic db error (server-side) |
email_unavailable |
An account with this email address already exists |
invalid_email |
No valid email address |
invalid_invite |
No valid invite code (UUIDv4) |
missing_clientID |
clientID is missing |
missing_credentials |
email and/or password fields are missing |
password_too_short |
The password is too short, must be at least 4 characters long |
session_not_found |
Internal error (session could not be re-established after external OAuth process) |
token_not_found |
The access token could not be found |
too_many_login_attempts |
Too many login attempts, please wait. |
wrong_password |
Wrong password entered on login. Additionally, a lockUntil parameter is appended to the callback URL, containing a timestamp until the login is blocked. |
missing_clientID and clientID_not_found are not appended to a registered callback URL but instead the user is redirected back to the HTTP Referer with those codes appended. If no Referer field is set, it triggers HTTP 400 (when missing_clientID) or HTTP 404 (when clientID_not_found).
Connecting accounts / login methods¶
To connect an Facebook or Google account to an existing account (no matter how it got created), or to set a password to an existing account, the above relations for registration, google and facebook can be used. If a valid access token is sent (either via HTTP Authorization header as Bearer token, or as query parameter token) with those requests, the server will try to connect the new login method with the existing account.
Public Key¶
The ec:public-key relation returns the Public RSA Key of the Server in PEM format for validation of the token signature.
email-available¶
Input¶
This Resource allows verification if an eMail address is still available for registration. The following has to be sent in a GET (!) Request:
| Input field | Description |
|---|---|
| eMail address of the account |
Output¶
- 200 ok
| Field | Description |
|---|---|
| eMail address that was checked | |
| available | true or false |