Login methods
This part of the documentation describes the available login methods.
2. Access tokens
Access tokens allow automated scripts that cannot perform a full (interactive) authentication to log in.
2.1. Login with tokens
Login with a token works like the other login methods that use the Authorization header.
Using your preferred client (such as curl), add the request header Authorization with the value Token <generatedAccessToken>.
The server authenticates the request and lets you read resources or perform actions.
Login with an access token is stateless: the token must be supplied with every request and no session is created. Consequently, requests authenticated with an access token do not need to include a CSRF token for REST calls.
Access tokens are created with a list of roles/permissions (authorities).
If a token carries fewer permissions than an endpoint requires, access to that REST endpoint is denied.
For example, a token created without ROLE_ADMIN cannot perform administrative actions, even if the user who created the token is an administrator.
Warning: anyone who holds an access token can act as the user/app it was issued to. Do not share tokens with anyone, always store them safely, and grant a token only the minimal roles/permissions it needs.
2.2. Creating tokens
REST API
The REST API for token creation is available at {baseUrl}/rest/pat/1.0/token/user/create (or {baseUrl}/rest/pat/1.0/token/app/create for app tokens).
It accepts a simple JSON token creation request and generates a new token.
An example request looks like:
{
"name": "Token name",
"expiration": "2022-12-27T15:53:47.028Z",
"authorities": [
"ROLE_USER"
]
}
It generates a token with the specified parameters and returns a response similar to:
{
"name": "Token name",
"expiration": "2022-12-27T15:53:50.139Z",
"value": "<secret>"
}
where <secret> is the value of the token.
2.3. Revoking tokens
If a token is compromised (a third party has access to it) or is simply no longer needed, revoke it. A revoked token can no longer be used to log in to the Rarog system, which closes that access path.
To revoke a token, send a DELETE request to {baseUrl}/rest/pat/1.0/token/<id>, where <id> is the id of the token to remove.
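The following client, added here as an example and not code from the Rarog project, ties sections 2.1 to 2.3 together: it builds the stateless Token login header, the user/app token creation request, and the revocation request against the endpoints listed above, and parses the documented create response. BASE_URL, the token values, the token id and the sample response bytes are constructed for illustration; which login method the create endpoint itself accepts is not stated on this page, so the example lets the caller pass whatever headers their login uses.

```python
"""Minimal client for the Rarog personal access token (PAT) endpoints.

Added example, not code from the Rarog project. The paths are the ones the
documentation lists; BASE_URL, the token values and the sample response are
constructed for illustration.
"""
import json
import urllib.request
from typing import Optional, Tuple

BASE_URL = "https://rarog.example.com"  # assumption: replace with your {baseUrl}
PAT_API = "/rest/pat/1.0/token"         # prefix of the PAT endpoints from the docs


def auth_header(access_token: str) -> dict:
    """Header that logs a request in with an access token: 'Token <value>'."""
    return {"Authorization": f"Token {access_token}"}


def build_request(method: str, path: str, headers: Optional[dict] = None,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Assemble a request. Token login is stateless, so every request carries
    its own Authorization header; no cookie jar and no CSRF token are used."""
    hdrs = {"Accept": "application/json"}
    hdrs.update(headers or {})
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        hdrs["Content-Type"] = "application/json"
    return urllib.request.Request(BASE_URL + path, data=data, headers=hdrs,
                                  method=method)


def get_request(path: str, access_token: str) -> urllib.request.Request:
    """Read a resource while logged in with an access token (section 2.1)."""
    return build_request("GET", path, headers=auth_header(access_token))


def create_token_request(kind: str, name: str, expiration: str,
                         authorities: list, auth_headers: dict) -> urllib.request.Request:
    """Token creation (section 2.2). `kind` is 'user' or 'app'.
    `auth_headers` is the login the caller uses for the create call
    (assumption: the docs do not state which login the create endpoint takes)."""
    if kind not in ("user", "app"):
        raise ValueError("kind must be 'user' or 'app'")
    if not authorities:
        raise ValueError("grant at least one authority, and only the minimum needed")
    body = {"name": name, "expiration": expiration, "authorities": list(authorities)}
    return build_request("POST", f"{PAT_API}/{kind}/create",
                         headers=auth_headers, body=body)


def revoke_token_request(token_id: str, auth_headers: dict) -> urllib.request.Request:
    """Token revocation (section 2.3): DELETE {baseUrl}/rest/pat/1.0/token/<id>.
    The create response does not carry the id, so it must be obtained separately."""
    return build_request("DELETE", f"{PAT_API}/{token_id}", headers=auth_headers)


def parse_create_response(raw: bytes) -> dict:
    """Validate the create response and return its name/expiration/value."""
    resp = json.loads(raw)
    missing = [k for k in ("name", "expiration", "value") if k not in resp]
    if missing:
        raise ValueError(f"create response lacks fields: {missing}")
    return {k: resp[k] for k in ("name", "expiration", "value")}


def request_body(req: urllib.request.Request) -> Optional[dict]:
    """Decode the JSON body of a built request (for inspection and tests)."""
    return None if req.data is None else json.loads(req.data)


def send(req: urllib.request.Request, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Send a built request and return (status, body). Needs a live server."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


# Constructed sample of the create response shown in the documentation.
SAMPLE_CREATE_RESPONSE = (b'{"name": "Token name", '
                          b'"expiration": "2022-12-27T15:53:50.139Z", '
                          b'"value": "<secret>"}')

if __name__ == "__main__":
    login = auth_header("example-token-value")  # constructed token value
    req = create_token_request("user", "ci-build", "2022-12-27T15:53:47.028Z",
                               ["ROLE_USER"], login)
    print(req.get_method(), req.full_url, request_body(req))
    print(parse_create_response(SAMPLE_CREATE_RESPONSE))
    print(revoke_token_request("123", login).get_method())
```

Only `send()` touches the network; everything else builds and inspects requests, so the script runs offline. Keep the returned `value` out of logs and source control, and pass only the authorities the script really needs, as the warning above advises.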
Note: Rarog comes with built-in REST API documentation at {baseUrl}/docs/swagger-ui/index.html. Review it to learn how to send requests and how the API looks for the Rarog version you use.