API authentication via user login

API keys are the preferred way to authenticate against the API. Authentication with user name and password, as described here, should only be used where API keys are not an option.

This type of authentication is not available if an OIDC-based identity provider is used; in that case API keys are the only option.

Nevertheless, the following example shows how it works.

Login as user 'bpcadmin'

Call via CURL
curl -X POST \
     -c cookies.txt \
     -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
     "http://localhost:8181/cxf/bpc-core/authentication" \
     --data-urlencode "tenantname=DEFAULT" \
     --data-urlencode "username=bpcadmin" \
     --data-urlencode "password=bpcadmin"
Response
{
  "loginName": "bpcadmin",
  "email": "",
  "firstName": "",
  "lastName": "",
  "organisations": [ "DEFAULT" ],
  "inactiveOrganisations": [],
  "roles": [ "bpcadmin", "bpcuser" ],
  "rights": [ "loadModule_dashboard", "loadModule_account", "loadModule_blank" ],
  "principals": {
    "X-Csrf-Token": [ "_4rpjBU5_dEFBVVAVkF6LUKV1AjvdRWJSC0QLrOoZtagdFfILQoOgtGhu4X8ppd2X2kbowjl8UEp1j_tKEPaIw1c2FbcQNJfaAX-AgoiI8Cse9_FHPO9omcm8z-UE3F-_ScFZfqIL9ZRPAWWpfkM48G20OU3nu8_E5sPdIqF8EY" ],
    "org.apache.karaf.jaas.boot.principal.UserPrincipal": [ "bpcadmin" ]
  },
  "customData": {},
  "expirationDate": 1648067566204
}

You must save the cookies (curl writes them to cookies.txt because of -c) and keep the X-Csrf-Token from the JSON response; both are used in the next steps. The expirationDate is the session expiry as a Unix timestamp in milliseconds.

Check whether the session is valid

Call via CURL
curl -X GET \
     -b cookies.txt \
     "http://localhost:8181/cxf/bpc-core/authentication"
Response if successful
{
  "loginName": "bpcadmin",
  "email": "",
  "firstName": "",
  "lastName": "",
  "organisations": [ "DEFAULT" ],
  "inactiveOrganisations": [],
  "roles": [ "bpcadmin", "bpcuser" ],
  "rights": [ "loadModule_dashboard", "loadModule_account", "loadModule_blank" ],
  "principals": {
      "X-Csrf-Token": [ "_4rpjBU5_dEFBVVAVkF6LUKV1AjvdRWJSC0QLrOoZtagdFfILQoOgtGhu4X8ppd2X2kbowjl8UEp1j_tKEPaIw1c2FbcQNJfaAX-AgoiI8Cse9_FHPO9omcm8z-UE3F-_ScFZfqIL9ZRPAWWpfkM48G20OU3nu8_E5sPdIqF8EY" ],
      "org.apache.karaf.jaas.boot.principal.UserPrincipal": [ "bpcadmin" ]
  },
  "customData": {},
  "expirationDate": 1648067566204
}
Response if an error occurred
{
  "error": {
    "messageKey": "CORE_ERROR_IDENTITY_PROVIDER_AUTHENTICATION_FAILED",
    "code": 540,
    "name": "AUTHENTICATION_UNAUTHORIZED",
    "message": "Authentication failed",
    "properties": {}
  }
}

Call API endpoint

Send the saved cookies and set the X-Csrf-Token header.

curl -X GET \
    -b cookies.txt \
    -H 'X-Csrf-Token: _4rpjBU5_dEFBVVAVkF6LUKV1AjvdRWJSC0QLrOoZtagdFfILQoOgtGhu4X8ppd2X2kbowjl8UEp1j_tKEPaIw1c2FbcQNJfaAX-AgoiI8Cse9_FHPO9omcm8z-UE3F-_ScFZfqIL9ZRPAWWpfkM48G20OU3nu8_E5sPdIqF8EY' \
    -H 'Content-Type: application/json' \
    "http://localhost:8181/cxf/bpc-core/opensearch/indices"

The X-Csrf-Token header is not required for HTTP GET calls; it is set in this example only to show how it must be sent with HTTP POST/PUT/DELETE calls.
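The three steps above (login, session check, API call with cookie and token) chained in one script, with the X-Csrf-Token picked out of the login response automatically. This is an added example, not code from the BPC documentation or the product: it assumes only the endpoints shown on this page, and the variable and function names (BPC_URL, COOKIE_JAR, BPC_PASSWORD, bpc_login, bpc_session_valid, bpc_call) are this example's own. Unlike the curl calls above, it does not pass the password on the command line, where it would be visible in the process list and the shell history; it uses curl's name@file form from a mode-600 temporary file instead.

```shell
#!/bin/sh
# Added example, not code from the BPC documentation or product: the three
# documented steps (login, session check, API call) chained in one script,
# with the X-Csrf-Token extracted from the login response automatically.
# Only the endpoints shown on the page are assumed; BPC_URL, COOKIE_JAR,
# BPC_PASSWORD and the function names are this script's own choices.

BPC_URL="${BPC_URL:-http://localhost:8181}"
COOKIE_JAR="${COOKIE_JAR:-cookies.txt}"

# Pull the X-Csrf-Token value out of the login response without needing jq.
# The token is URL-safe base64, so [A-Za-z0-9_-]* covers it; this works for
# both the pretty-printed response shown above and a compact one-line body.
extract_csrf_token() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"X-Csrf-Token"[^"]*"\([A-Za-z0-9_-]*\)".*/\1/p' \
        | head -n 1
}

# True if the body carries the documented error envelope ("error": { ... }).
is_error_response() {
    printf '%s\n' "$1" | grep -q '"error"[[:space:]]*:[[:space:]]*{'
}

# The page states the token is only needed for state-changing methods.
needs_csrf_token() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        POST|PUT|DELETE) return 0 ;;
        *)               return 1 ;;
    esac
}

# Step 1: log in, store the session cookie, remember the CSRF token.
# The password comes from $BPC_PASSWORD and is handed to curl via a mode-600
# temp file (curl's name@file form), so it does not show up in `ps` output
# or the shell history the way "password=..." on the command line would.
bpc_login() {  # usage: bpc_login TENANT USER   (password from $BPC_PASSWORD)
    pwfile=$(umask 077 && mktemp) || return 1
    printf '%s' "$BPC_PASSWORD" > "$pwfile"
    resp=$(curl -sS -X POST -c "$COOKIE_JAR" \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
        --data-urlencode "tenantname=$1" \
        --data-urlencode "username=$2" \
        --data-urlencode "password@$pwfile" \
        "$BPC_URL/cxf/bpc-core/authentication")
    rm -f "$pwfile"
    if is_error_response "$resp"; then
        echo "login failed: $resp" >&2
        return 1
    fi
    CSRF_TOKEN=$(extract_csrf_token "$resp")
    [ -n "$CSRF_TOKEN" ] || { echo "no X-Csrf-Token in login response" >&2; return 1; }
}

# Step 2: a GET on the same endpoint with the cookie jar tells whether the
# session is still valid (success body) or not (error envelope).
bpc_session_valid() {
    resp=$(curl -sS -b "$COOKIE_JAR" "$BPC_URL/cxf/bpc-core/authentication")
    ! is_error_response "$resp"
}

# Step 3: call an API endpoint with the cookie; add the CSRF header only
# where it is required. Optional third argument is a JSON request body.
bpc_call() {  # usage: bpc_call METHOD PATH [JSON_BODY]
    method=$1; path=$2; body=${3:-}
    set --
    needs_csrf_token "$method" && set -- -H "X-Csrf-Token: $CSRF_TOKEN"
    if [ -n "$body" ]; then
        set -- "$@" -H 'Content-Type: application/json' --data "$body"
    fi
    curl -sS -X "$method" -b "$COOKIE_JAR" "$@" "$BPC_URL$path"
}

# The full flow runs only when invoked as `sh bpc_session.sh run`; without
# the argument the file just defines the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then
    bpc_login DEFAULT bpcadmin || exit 1
    bpc_session_valid || { echo "session not valid" >&2; exit 1; }
    bpc_call GET /cxf/bpc-core/opensearch/indices
fi
```

Run it as `BPC_PASSWORD=... sh bpc_session.sh run`. The extraction and error-detection helpers are kept separate from the curl calls so they can be checked against the response bodies shown on this page without a running server.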
