Page history: Hans Karlsen (talk | contribs): created page. Hans Karlsen (talk | contribs): no edit summary.
Revision as of 12:52, 18 February 2021
Normally you log in to the Turnkey site manually, and the application has an auth scheme set up. But if you want to allow API login with an arbitrary JWT via a REST call, and in that case want to verify that a sent-in bearer token is valid against a set of criteria and, if so, accept the user, read on.
A new TurnkeyRest command: /LoginWithJWT/jwttoken=token
We unpack the JWT and try to find a SysExternalJWTDefinition object that matches on Kid (short for KeyIdentity) and Aud (short for Audience; this is an identifier specific to the login you did).
If one is found, we use the values of its Modulus and Exponent attributes (which you must get from the place your key was created, for example https://accounts.google.com/.well-known/openid-configuration; these URLs always end with well-known/openid-configuration) to verify the validity of your token (beyond that, we only check that it has not expired).
If the token is valid and not expired, we take the email field from it, or name if email is not present, and pass it to the method SysExternalJWTDefinition.AcceptAndTransformUserName(user:string):string
If AcceptAndTransformUserName returns a non-empty string, we look up or create a SysUser with this name, store any other claims from the token in SysClaims, and mark the user as logged in (i.e. a cookie is placed in the header so that subsequent Get/Post etc. calls are made as a logged-in user).
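The whole flow above, written out as an added Python example (this is not Turnkey/MDriven code and does not use its API). The names login_with_jwt, accept_and_transform_user_name, make_keypair, make_token and the definitions dictionary keyed by (kid, aud) are assumptions standing in for the SysExternalJWTDefinition lookup and AcceptAndTransformUserName; the RSA key pair, the "demo-kid" key id, the "turnkey-app" audience and the example.com domain rule are constructed for the demo. In a real deployment the modulus and exponent come from the identity provider's published keys, as the text describes; here a key pair is generated locally so the example runs offline. Verification uses only the modulus and exponent (RS256, i.e. RSASSA-PKCS1-v1_5 with SHA-256), then the expiry, then the Kid/Aud match and the user-name transform.

```python
import base64
import hashlib
import json
import random
import time

# -- base64url helpers: JWT segments are unpadded base64url --
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# -- toy RSA key pair, constructed for the demo (a real verifier gets n/e from the IdP's key set) --
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits: int = 1024):
    """Return (modulus n, public exponent e, private exponent d); demo sizes only."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this guarantees gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

# -- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017); verification needs only n and e --
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    # Compare the whole encoded message, so the padding and not only the hash must match.
    return len(signature) == k and pow(int.from_bytes(signature, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def make_token(claims: dict, kid: str, n: int, d: int) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

# -- the LoginWithJWT flow --
def accept_and_transform_user_name(user: str) -> str:
    """Hypothetical stand-in for AcceptAndTransformUserName: accept only the constructed
    example.com domain and normalise the name; an empty string means reject."""
    user = user.strip().lower()
    return user if user.endswith("@example.com") else ""

def login_with_jwt(token: str, definitions: dict, now=None):
    """definitions maps (kid, aud) -> {"modulus": n, "exponent": e}, standing in for the
    SysExternalJWTDefinition lookup. Returns {"user", "claims"} on success, else None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
        alg, kid, aud = header.get("alg"), header.get("kid"), payload.get("aud")
    except (ValueError, AttributeError):        # malformed segments, bad JSON, or non-object JSON
        return None
    if alg != "RS256":                           # refuse "none" or any algorithm not configured here
        return None
    definition = definitions.get((kid, aud)) if isinstance(aud, str) else None
    if definition is None:                       # no SysExternalJWTDefinition matching Kid and Aud
        return None
    if not rs256_verify(f"{h64}.{p64}".encode(), signature, definition["modulus"], definition["exponent"]):
        return None
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return None                              # missing or passed expiry
    user = accept_and_transform_user_name(payload.get("email") or payload.get("name") or "")
    if not user:
        return None
    remaining = {k: v for k, v in payload.items() if k not in ("email", "name")}
    return {"user": user, "claims": remaining}   # user -> SysUser, remaining claims -> SysClaims
```

To try it, call make_keypair(), register the (kid, aud) pair with the returned modulus and exponent in a definitions dictionary, build a token with make_token() and pass it to login_with_jwt(). Tokens with a wrong audience or key id, a forged payload, an "alg": "none" header, a passed exp, or an email the transform rejects all return None; the accepted result carries the normalised user name and the remaining claims.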