# Authentication

While using GlyphX, some (in fact most) of the APIs require authentication. This simply means that each request you make must be authenticated with one of the mechanisms provided by GlyphX. GlyphX supports two methods for API authentication: basic auth and session-based auth.
## Basic Auth

An introduction to basic auth can be found here. Each request header will contain the user credentials (username and password) encoded using base64. GlyphX will perform an authentication based on the supplied credentials and accept or reject the request. Note that base64 is an encoding, not encryption: the credentials are protected only because all requests are made over HTTPS, which keeps them safe from man-in-the-middle attacks. Most programming languages provide HTTP client libraries that support basic auth automatically.
## Session Auth

In this auth method, the authentication is done in the following steps:

- A login is performed using the given credentials (username and password). The response will include a session ID in the body under the key `session_key`.
- All further requests will be accompanied by the session ID, which will authenticate the request.
- A logout request is performed when the task is over, and the session ID will be invalidated.
Login is done using a POST request to `http://<baseurl>/login/` with the username and password. The response will contain the token, which has to be attached to every further request. The token is valid either for a specified duration or until you log out by POSTing to `http://<base url>/logout/`.
In order to authenticate the API, attach a valid session ID as a header:

`sessionid=<session ID>`
Once you are logged in, all future requests will be screened through two authorization mechanisms:
AccessAuth checks whether the user making the request has the required access to the asset requested. In a real-world example, if a user requests to see the results of a form, the system will check whether she should be able to perform the specified action on it. Access is defined through Teams and Accounts. An account is an enterprise subscribing to the GlyphX service. Accounts have multiple teams, which are groups of users. Teams own Assets. So an access screening is simply checking whether the user belongs to a team with the required access to the asset.
FunctionAuth handles the type of access that the user (or Team) should have. It uses the magic of REST, relying on the HTTP verb (POST, GET, DELETE, PUT) to determine the type of action to be performed. Each team will be allowed only certain (or all) actions on assets.
For GlyphX customers this allows for very detailed and flexible access controls. They can create teams with differing access to various assets and add users to them. Users can belong to multiple teams. So we can have a user whose only function is to scan and create forms. She can belong to all the teams and is therefore able to create forms for all of them. But she will not be able to see the results of a single scan, since her only access will be of type create (POST).
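The two screens above, worked through on the scanner scenario as an added example (this is not GlyphX's own code; the team, account, asset and user names are constructed, and the example assumes the permitted verbs are attached to each user's team membership):

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed model of the Account / Team / Asset relationships described
# on this page. All names are hypothetical.
ALL_VERBS = frozenset({"GET", "POST", "PUT", "DELETE"})

@dataclass(frozen=True)
class Team:
    name: str
    account: str
    # membership -> HTTP verbs that member may use on this team's assets
    members: Dict[str, FrozenSet[str]]

@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner_team: str

def access_auth(user: str, asset: Asset, teams: List[Team]) -> Optional[Team]:
    """AccessAuth: return the team owning the asset if the user belongs to it."""
    for team in teams:
        if team.name == asset.owner_team and user in team.members:
            return team
    return None

def function_auth(team: Team, user: str, verb: str) -> bool:
    """FunctionAuth: does the user's membership permit this HTTP verb?"""
    return verb.upper() in team.members.get(user, frozenset())

def authorize(user: str, verb: str, asset: Asset, teams: List[Team]) -> bool:
    """Both screens must pass; a user outside the owning team is denied."""
    team = access_auth(user, asset, teams)
    return team is not None and function_auth(team, user, verb)

# Constructed example: one account with two teams; "sam" is the scanner who
# belongs to every team but holds create (POST) access only.
TEAMS = [
    Team("sales", "acme", {"alice": ALL_VERBS, "sam": frozenset({"POST"})}),
    Team("hr", "acme", {"bob": ALL_VERBS, "sam": frozenset({"POST"})}),
]
SALES_FORM = Asset("form-42", "sales")
SALES_RESULTS = Asset("results-42", "sales")

if __name__ == "__main__":
    print(authorize("sam", "POST", SALES_FORM, TEAMS))      # True: may create
    print(authorize("sam", "GET", SALES_RESULTS, TEAMS))    # False: no read
    print(authorize("alice", "GET", SALES_RESULTS, TEAMS))  # True
    print(authorize("bob", "GET", SALES_RESULTS, TEAMS))    # False: wrong team
```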