ODH Authentication - noi-techpark/documentation GitHub Wiki

Authentication in ODH is mainly used in the part of the tool which exposes data to the consumer, which means in the Reader of the core module and in every single web service accessing the Reader. The authentication mechanism follows the OAuth 2.0 standard (https://tools.ietf.org/html/rfc6749#page-4) and uses JWT tokens as defined in https://tools.ietf.org/html/rfc7519#section-3 to send claims.

Authentication mechanism

To give a short overview of the OAuth 2.0 mechanism, these are the steps between client and server:

  1. The client requests a grant to access resources on the authorization server (in our case the Reader).
  2. The authorization server responds with a refresh token and an access token; the access token also carries an expiry date.
  3. The access token can now be used to access protected resources on the resource server (which in our case is still the Reader). To do that, add your token as a Bearer token in your Authorization header.
  4. If the access token has expired, you get a 401 Unauthorized response. In this case you need to request a new access token, passing your refresh token in the Authorization header as a Bearer token.

While the Reader has the whole authentication mechanism implemented, web services act as clients/proxies which request data according to the given standards. You can test this on our test environment http://bdp-test-env.b7twwguhvj.eu-west-1.elasticbeanstalk.com/emobility

Try it out on our test environment

Try to reproduce the steps like this:

  • (1&2) Use Swagger, which you find on the landing page, to request a grant with the call "/rest/refresh-token"; use '[email protected]' as user and '123456789' as password. Try another password to see how the server reacts :smiley:
  • (3) Since only part of the API is secured with authentication, try one of the calls which need authorization, for example /rest/get-records; in this case you also need to get some parameters from the non-authenticated calls. As long as you get a 200 OK response, your authentication succeeded. If you don't get any data, it may be because you don't have the authorization to access it.
  • (4) In case your access token has expired you will get 401 Unauthorized; you can then get a new one by calling /rest/refresh-token again. For that you need your refresh token in the Authorization header with the 'Bearer ' prefix.
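The four steps above (grant, access token with expiry, Bearer-authenticated call, 401 followed by refresh) and the "200 OK but no data" case from the next paragraph are easiest to see end to end in a small model. The following is an added example, not code from the ODH Reader or the noi-techpark project: it keeps both the server side (a model of `/rest/refresh-token` and a protected `/rest/get-records`) and a client that refreshes transparently in one file so it runs offline. The HS256 signing key, token lifetimes, user store, the `typ` claim, and the assumption that the same endpoint accepts either a username/password body or a Bearer refresh token are all constructed for the example.

```python
"""Constructed model of the ODH token flow: HS256 JWTs with an exp claim,
Bearer-authenticated resource calls, 401 on expiry, and refresh."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-signing-key"  # constructed; a real server loads this from config
ACCESS_TTL = 60        # seconds; constructed lifetimes, not the Reader's real ones
REFRESH_TTL = 3600

# Constructed user store: credential plus the datasets the user is authorised to read.
USERS = {"demo@example.invalid": {"password": "123456789", "datasets": {"emobility"}}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature) carrying the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float):
    """Return the claims if the signature is valid and exp lies in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:  # expired tokens are rejected, which yields the 401
        return None
    return claims


def _bearer(headers: dict, now: float, token_type: str):
    """Extract and verify the Bearer token from an Authorization header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    claims = verify_jwt(value[len("Bearer "):], now)
    if claims is None or claims.get("typ") != token_type:  # refresh token can't act as access
        return None
    return claims


def _issue(sub: str, now: float) -> dict:
    return {
        "access_token": make_jwt({"sub": sub, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh_token": make_jwt({"sub": sub, "typ": "refresh", "exp": now + REFRESH_TTL}),
        "expires_in": ACCESS_TTL,
    }


def refresh_token_endpoint(headers: dict, body: dict, now: float):
    """Model of /rest/refresh-token: password grant (steps 1-2) or refresh grant (step 4)."""
    user = USERS.get(body.get("username", ""))
    if user and hmac.compare_digest(user["password"], body.get("password", "")):
        return 200, _issue(body["username"], now)
    claims = _bearer(headers, now, "refresh")
    if claims:
        return 200, _issue(claims["sub"], now)
    return 401, {"error": "invalid_grant"}


def get_records_endpoint(headers: dict, dataset: str, now: float):
    """Model of a protected call (step 3): 401 on a missing/expired access token,
    200 with an empty list when the user is authenticated but not authorised."""
    claims = _bearer(headers, now, "access")
    if claims is None:
        return 401, {"error": "invalid_token"}
    if dataset not in USERS[claims["sub"]]["datasets"]:
        return 200, []
    return 200, [{"dataset": dataset, "value": 42}]  # constructed record


class Client:
    """Client/proxy that logs in once and transparently refreshes on 401."""

    def __init__(self, username: str, password: str, now: float):
        status, tokens = refresh_token_endpoint({}, {"username": username, "password": password}, now)
        if status != 200:
            raise PermissionError("login failed")
        self.tokens = tokens

    def _auth(self, key: str) -> dict:
        return {"Authorization": "Bearer " + self.tokens[key]}

    def fetch(self, dataset: str, now: float):
        status, data = get_records_endpoint(self._auth("access_token"), dataset, now)
        if status == 401:  # step 4: swap the refresh token for a fresh pair and retry once
            status, tokens = refresh_token_endpoint(self._auth("refresh_token"), {}, now)
            if status != 200:
                raise PermissionError("refresh token expired, log in again")
            self.tokens = tokens
            status, data = get_records_endpoint(self._auth("access_token"), dataset, now)
        return status, data


if __name__ == "__main__":
    t0 = time.time()
    client = Client("demo@example.invalid", "123456789", t0)
    print(client.fetch("emobility", t0))        # fresh access token
    print(client.fetch("emobility", t0 + 120))  # access token expired, refreshed behind the scenes
    print(client.fetch("weather", t0 + 120))    # authenticated but not authorised: 200 with []
```

The clock is passed in explicitly so the expiry behaviour can be exercised without waiting; against the real Reader the client would use wall-clock time and an HTTP library, but the decision logic (retry once on 401 with the refresh token, fall back to a new login when that also fails) stays the same.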

Sometimes you get a positive response with no data attached. That can have two reasons:

  • There is currently no such data.
  • You don't have the authorization to access this data.

To get a better understanding of authorization, refer to our authorization section.