How is the Token handled by the ODH Api? - noi-techpark/odh-docs GitHub Wiki

If no token is passed to ODH, the API treats the requester as an anonymous user and returns only open data records and fields.
The token has to be in JWT format (https://jwt.io/); otherwise validation is skipped.
If an expired or otherwise invalid JWT is passed to ODH, the token is validated and a proper HTTP response (401) is returned. This makes the API more transparent: otherwise there is the risk of being treated as an anonymous user without knowing it.
Here is an overview of how ODH handles tokens:

  • passing no bearer token --> 200 OK, token is ignored, response returned for anonymous user
  • passing some string as bearer token (not a JWT) --> 200 OK, token is ignored because it is not recognized as a JWT, response returned for anonymous user
  • passing a wrong bearer token --> 401 Unauthorized, no response
  • passing an expired bearer token --> 401 Unauthorized, no response
  • passing a valid bearer token without the right role for accessing a protected resource --> 403 Forbidden, no response
  • passing a valid bearer token with the right role for accessing a protected resource --> 200 OK, response for the logged-in user is returned
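The decision table above, implemented as an added example that is not the ODH API's own code. It assumes HS256-signed tokens with a constructed demo secret, a `roles` claim holding a list of role names, and a constructed role name `DataReader`; none of these details (algorithm, key, claim layout, role names) come from the page. The important behaviour it shows is the split between "not a JWT at all" (validation skipped, anonymous) and "a JWT that fails validation" (explicit 401), so a client can never be silently downgraded to anonymous when it did present a real token.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; the real ODH key material and signing algorithm are
# not described on the page, so HS256 here is an assumption made for runnability.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a signed HS256 token (test fixture only, not an ODH API)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def looks_like_jwt(token: str) -> bool:
    """Structural check only: three base64url segments, JSON header with 'alg', JSON payload."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def verify_jwt(token: str, secret: bytes = DEMO_SECRET, now: float | None = None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the token's own 'alg' beyond what we accept
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp") is None or current >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def handle_request(authorization: str | None, required_role: str | None = None,
                   now: float | None = None) -> tuple[int, str | None]:
    """Map an Authorization header to (HTTP status, principal) following the wiki's table."""
    if not authorization or not authorization.startswith("Bearer "):
        return 200, "anonymous"          # no token: anonymous user, open data only
    token = authorization[len("Bearer "):].strip()
    if not looks_like_jwt(token):
        return 200, "anonymous"          # not a JWT: validation skipped, treated as anonymous
    try:
        claims = verify_jwt(token, now=now)
    except ValueError:
        return 401, None                 # wrong or expired JWT: explicit 401, never silent downgrade
    if required_role and required_role not in claims.get("roles", []):
        return 403, None                 # authenticated, but lacks the role for the resource
    return 200, claims.get("sub", "user")  # response for the logged-in user


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_jwt({"sub": "alice", "roles": ["DataReader"], "exp": now + 3600})
    for label, header in [("none", None), ("garbage", "Bearer not-a-jwt"),
                          ("expired", "Bearer " + make_jwt({"sub": "a", "roles": [], "exp": now - 1})),
                          ("valid", "Bearer " + good)]:
        print(f"{label:8s} -> {handle_request(header, 'DataReader', now)}")
```

The structural `looks_like_jwt` check is what decides between the two "anonymous" rows and the 401 rows: a bare opaque string never reaches signature verification, while anything shaped like a JWT is verified and rejected loudly if it fails.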