Powered by Redocly

Login

Invoke the id-provider-auth-callback operation

Authenticate towards the system.

This endpoint will not result in the user being logged into the system and no token will be created. It is intended to be used by an identity provider that uses strongbox as an authentication backend.

SecurityaccessToken
Request
Request Body schema:
username
required
string <username>
password
required
string
otp
string

Optionally an OTP can be supplied. If an OTP is required and not provided, then an error message will be returned indicating that.

cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/id-provider-auth-callback
Request samples 
username: joe@popcorn-systems.com
password: secret-password
otp: "345789"
cookie: false
Response samples 
display-name: userpass-admin@telco.com
tenant: telco
tenant-kind: site-provider
policies:
  - default
  - root
  - user
meta:
  username: admin@telco.com
  source: userpass
  ip: 192.168.100.1
entity-alias-id: f2257e09-83a6-49e4-acaf-b5819760d297
bound-cidrs:
  - 192.168.0.0/24

Invoke the id-provider-info-callback operation

Extract user information from userpass intended to be consumed by an identity provider.

SecurityaccessToken
Request
Request Body schema:
username
required
string <username>
Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/id-provider-info-callback
Request samples 
username: joe@popcorn-systems.com
Response samples 
name: admin@acme.com
fullname: Administrator
totp: admin
metadata:
  email: joe@admin.com
no-totp-token-policies:
  - totp-enable
no-passkey-token-policies:
  - passkey-enable
token-ttl: 14d
token-max-ttl: 30d
token-policies:
  - root
token-auto-bound-cidrs: network
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
token-spiffe-jwt:
  jwt-audiences:
    - popcorn
token-spiffe-x509:
  cert-type: client
  server-ext-usage: false
  client-ext-usage: true
  code-signing-ext-usage: false
  full-authority-key-identifier: false
derived-policies:
  - default
  - root

Invoke the jwt-login operation

This endpoint allows a user or workload to login using a JWT token. The JWT is verified against the configured key source, then claim validation is performed against the specified role's constraints.

Request
Request Body schema:
tenant
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Tenant to authenticate towards.

jwt-auth
required
string <name>

Name of the JWT auth configuration entry to authenticate against.

role
required
string <name>

Name of the JWT auth role to validate against.

jwt
required
string

JWT to authenticate with.

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/jwt-login
Request samples 
tenant: telco
jwt-auth: example
role: default
jwt: eyJhbGciOiJFUzI1NiIsImtpZCI6ImV4YW1wbGUta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIiwiYXVkIjpbIm15YXBwIl0sImV4cCI6MTc2ODkxMjAwNiwiaWF0IjoxNzY4OTExNzA2LCJpc3MiOiJodHRwczovL2lkcC5leGFtcGxlLnRlc3Q6ODQ0MyJ9.REPLACE_ME_WITH_VALID_SIGNATURE
Response samples 
token: acd71235-18ec-4035-a4c0-7a79e1bd1ded
expires-in: 86400
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIiwiYXVkIjpbIm15YXBwIl0sImV4cCI6MTc2ODkxMjAwNiwiaWF0IjoxNzY4OTExNzA2LCJpc3MiOiJodHRwczovL2lkcC5leGFtcGxlLnRlc3Q6ODQ0MyJ9.REPLACE_ME
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBqTCCAU2gAwIBAgIRAMxW4bK3DbHRf6zPT8NnGQwCgYIKoZIzj0EAwIwADAe
    Fw0yMTAyMTUxNDI0MjBaFw0yMTAyMTYxNDI0MjBaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAASDnQ3VBzLjDMhkFGQREFLPEklFWy8mEcvWHQ8MKrOhWMB4GA1Ud
    EQQXMBWGFHNwaWZmZTovL2FjbWUuY29tLw==
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIOmNL4ZVXNazJM+wy3kpKTrFYMoFGJ8SqLQ4pQ9VhJgnoAoGCCqGSM49
    AwEHoWQDYgAEg50N1Qcy4wzIZBRkERBSzxJJRVsvJhHL1h0PDCqzoVjA=
    -----END EC PRIVATE KEY-----

Invoke the kubernetes-login operation

This endpoint can be used for login using a Kubernetes Service Account token.

Request
Request Body schema:
tenant
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
service
required
string <name>
role
required
string <name>
jwt
required
string
Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/kubernetes-login
Request samples 
tenant: telco
service: minikube
role: default
jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IlM0WC1vV3lqazFWVnZRNG9QUWg2c2owakItUF9wdzU2NVhBc0c2RE9PbmcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwcC1hLXRva2VuLWY5anBzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFwcC1hIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYWZiNDZkNjAtZWQ3Mi00YTAwLTk5MmYtM2QyYzE5YjMyOGE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXBwLWEifQ.ZMrUeVWV-umxU07WZEYFUcYdSTnVSCvsBQH54yGIOzkWWknNMw9dYwGP9g_lOMwmmSCx0v54q4EAq-2CLsRrct9_zyW7W9oXRDCgr3uyCmzJpH8yUeVmPNHb60kZdP3EmjGIXseUJexd_CO82VCcH-eKdSpjkOaEYsJJ6dAZ451z9DkXQtNX9Ct0NuSbzA9mwDxPcSfjMYn_fBhSwdi-X8V5OxIxkw43V2nzb9nPesKzFxZAIr6JU7qHoUEbznfZZ4j7FbROjOZOloqSiA7TdUu1oEbNWj2zqUHvyWps_Gxl39z_Yl3azY_M6kUeuDbgrLrC4QFX9b1X6nXAkKTLcA
Response samples 
token: acd71235-18ec-4035-a4c0-7a79e1bd1ded
expires-in: 2764800
expires: 2022-01-12T15:49:54.078484Z
accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e
creation-time: 2022-01-11T15:49:54.078484Z
renewal-time: 2022-01-11T15:49:54.078484Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS9rOHMtZGVmYXVsdF9teS1zZXJ2aWNlLWFjY291bnQiLCJhdWQiOlsic2VydmljZS1hIl0sImV4cCI6MTY0MTk4NjU5NCwiaWF0IjoxNjQxOTAwMjAwLCJpc3MiOiJodHRwczovL2FjbWUuY29tIn0.MEUCIQCXYoQnBT4e7S4fkR5Y6mDPkqZFw4NlJi3VeRsqG1mXXAIgAKp2fVRGP1LSmX4v7Yd5U2wQdNlBtQwxlhZ3PjsqN8Bj
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBqzCCAU2gAwIBAgIRALp8Qg4S3DbHWf7zRT9PnHYwCgYIKoZIzj0EAwIwADAe
    Fw0yMjAxMTExNTQ5NTRaFw0yMjAxMTIxNTQ5NTRaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAQnQ3VBzLjDMhkFGQREFLPEklFWy8mEcvWHQ8MKrOhWMCcGA1Ud
    EQQgMB6GHHNwaWZmZTovL2FjbWUuY29tL2s4cy1ub2Rl
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIHmNL4ZVXNazJM+wy3kpKTrFYMoFGJ8SqLQ4pQ9VhJgnoAoGCCqGSM49
    AwEHoWQDYgAEJ0N1Qcy4wzIZBRkERBSzxJJRVsvJhHL1h0PDCqzoVjA=
    -----END EC PRIVATE KEY-----

Invoke the login operation

Authenticate towards the system. Providing a tenant is optional, if the username is unique in the system.

Request
Request Body schema:
username
required
string <username>
password
required
string
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
otp
string

Optionally an OTP can be supplied. If an OTP is required and not provided, then an error message will be returned indicating that.

cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/login
Request samples 
username: joe@popcorn-systems.com
password: secret-password
tenant: popcorn-systems
otp: "345789"
cookie: false
Response samples 
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS91c2VycGFzcy1qb2huZG9lIiwiYXVkIjpbInNlcnZpY2UtYSJdLCJleHAiOjE2MTM0OTE4NjAsImlhdCI6MTYxMzQwNTQ2MCwiaXNzIjoiaHR0cHM6Ly9hY21lLmNvbSJ9.MEYCIQCwxlhZ3PjsqN8BjKp2fVRGP1LSmX4v7Yd5U2wQdNlBtQIhAOT3fRY6mDPkqZFw4NlJi3VeRsqG1mXXYoQnBT4e7S4f
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBpTCCAU2gAwIBAgIRAK3mG9HJ2+CaGVd4yFR5NlcwCgYIKoZIzj0EAwIwADAe
    Fw0yMTAyMTUxNDI0MjBaFw0yMTAyMTYxNDI0MjBaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAT6VjMQBUBXi3gp9gXvqPdZcAkrj82vqc8JIK3RJPXMB0GA1Ud
    EQQWMBSGEnNwaWZmZTovL2FjbWUuY29t
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIBqnpXcvymDiWo9cMxmE2Cg3JNFh4HLiCbI+XE7ZzpFioAoGCCqGSM49
    AwEHoWQDYgAE+lYzEAVAV4t4KfYF76j3WXAJKip3RJPXM7FH4UDgxhE=
    -----END EC PRIVATE KEY-----
totp-required: true
totp-enabled: true
passkey-required: true
passkey-enabled: true

Invoke the oidc-callback operation

This endpoint completes the OpenID Connect (OIDC) authentication process.

Workflow:

  1. After successful authentication, the OIDC provider redirects the client to this endpoint (or an equivalent web backend endpoint that forwards the request).

  2. The request must include the following query parameters:

    • state: A unique value used to prevent CSRF attacks.
    • code: The authorization code used to obtain a token.
    • nonce (optional): A value originally provided by the client to prevent replay attacks.

  3. If authentication is successful, a valid token is returned.

Expected Input:

  • The state and code parameters are required and must match the expected values.
  • The nonce parameter is optional but is verified if present.

Response:

  • A valid authentication token.
  • A message field containing additional information about the authentication result.

Security Considerations:

  • Ensure that the state value is validated to mitigate CSRF attacks.
  • If a nonce was provided during login, it is checked to prevent replay attacks.
  • All input parameters are marked as sensitive and should be handled securely.

This endpoint is typically called by frontend applications or backend services handling the OIDC login flow.

Request
Request Body schema:
state
string
code
string
nonce
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/oidc-callback
Request samples 
state: addbf712-95d1-4058-be82-45b76fc04e5c
code: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
nonce: ee8342cc-7273-4409-99c6-3ca5d894652e
Response samples 
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS91c2VycGFzcy1qb2huZG9lIiwiYXVkIjpbInNlcnZpY2UtYSJdLCJleHAiOjE2MTM0OTE4NjAsImlhdCI6MTYxMzQwNTQ2MCwiaXNzIjoiaHR0cHM6Ly9hY21lLmNvbSJ9.MEYCIQCwxlhZ3PjsqN8BjKp2fVRGP1LSmX4v7Yd5U2wQdNlBtQIhAOT3fRY6mDPkqZFw4NlJi3VeRsqG1mXXYoQnBT4e7S4f
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBpTCCAU2gAwIBAgIRAK3mG9HJ2+CaGVd4yFR5NlcwCgYIKoZIzj0EAwIwADAe
    Fw0yMTAyMTUxNDI0MjBaFw0yMTAyMTYxNDI0MjBaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAT6VjMQBUBXi3gp9gXvqPdZcAkrj82vqc8JIK3RJPXMB0GA1Ud
    EQQWMBSGEnNwaWZmZTovL2FjbWUuY29t
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIBqnpXcvymDiWo9cMxmE2Cg3JNFh4HLiCbI+XE7ZzpFioAoGCCqGSM49
    AwEHoWQDYgAE+lYzEAVAV4t4KfYF76j3WXAJKip3RJPXM7FH4UDgxhE=
    -----END EC PRIVATE KEY-----

Invoke the oidc-callback operation

This endpoint completes the OpenID Connect (OIDC) authentication process.

Workflow:

  1. After successful authentication, the OIDC provider redirects the client to this endpoint (or an equivalent web backend endpoint that forwards the request).

  2. The request must include the following query parameters:

    • state: A unique value used to prevent CSRF attacks.
    • code: The authorization code used to obtain a token.
    • nonce (optional): A value originally provided by the client to prevent replay attacks.

  3. If authentication is successful, a valid token is returned.

Expected Input:

  • The state and code parameters are required and must match the expected values.
  • The nonce parameter is optional but is verified if present.

Response:

  • A valid authentication token.
  • A message field containing additional information about the authentication result.

Security Considerations:

  • Ensure that the state value is validated to mitigate CSRF attacks.
  • If a nonce was provided during login, it is checked to prevent replay attacks.
  • All input parameters are marked as sensitive and should be handled securely.

This endpoint is typically called by frontend applications or backend services handling the OIDC login flow.

Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

state
string
code
string
nonce
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/oidc-callback
Response samples 
message: Login succeeded
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS91c2VycGFzcy1qb2huZG9lIiwiYXVkIjpbInNlcnZpY2UtYSJdLCJleHAiOjE2MTM0OTE4NjAsImlhdCI6MTYxMzQwNTQ2MCwiaXNzIjoiaHR0cHM6Ly9hY21lLmNvbSJ9.MEYCIQCwxlhZ3PjsqN8BjKp2fVRGP1LSmX4v7Yd5U2wQdNlBtQIhAOT3fRY6mDPkqZFw4NlJi3VeRsqG1mXXYoQnBT4e7S4f
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBpTCCAU2gAwIBAgIRAK3mG9HJ2+CaGVd4yFR5NlcwCgYIKoZIzj0EAwIwADAe
    Fw0yMTAyMTUxNDI0MjBaFw0yMTAyMTYxNDI0MjBaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAT6VjMQBUBXi3gp9gXvqPdZcAkrj82vqc8JIK3RJPXMB0GA1Ud
    EQQWMBSGEnNwaWZmZTovL2FjbWUuY29t
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIBqnpXcvymDiWo9cMxmE2Cg3JNFh4HLiCbI+XE7ZzpFioAoGCCqGSM49
    AwEHoWQDYgAE+lYzEAVAV4t4KfYF76j3WXAJKip3RJPXM7FH4UDgxhE=
    -----END EC PRIVATE KEY-----

Invoke the oidc-login operation

This endpoint initiates an OpenID Connect (OIDC) authentication flow, typically used by web applications to authenticate users.

Workflow:

  1. Invoke oidc-login to obtain a redirect URL.
  2. Redirect the client to the provided URL for authentication with the OIDC provider.
  3. Once authentication is complete, the OIDC provider redirects the client to the configured callback URL, including code, state, and optionally nonce as query parameters. The callback URL may be the oidc-callback endpoint directly, or a callback in the web backend that performs 4.
  4. Call oidc-callback with these parameters to complete authentication and receive a valid token.

Default Behavior:

  • If no parameters are provided, the system:
    • First checks for an OIDC configuration at the system tenant.
    • If unavailable, it checks the edge-provider tenant.
    • If no OIDC configuration is found, the default value is used.

This endpoint supports login initiation with optional parameters to specify the tenant, OIDC provider, and role.

Request
Request Body schema:
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Defaults to system tenant, if no oidc has been configured for the system tenant, then defaults to the site provider.

oidc
string <name>

Defaults to the value of oidc-settings/default-service.

role
string <name>

Defaults to the configured default role.

terminal
boolean
Default: false
cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/oidc-login
Request samples 
tenant: acme
oidc: qlik
role: default
terminal: false
cookie: false
Response samples 
url: http://192.168.100.36:9000/auth?client_id=JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng&response_type=code&redirect_uri=https%3A%2F%2F192.168.100.101%3A4646%2Fv1%2Foidc-callback&scope=openid+profile+email+avassa&state=M2Q3MmU5YmMtNDhmOC00Njg0LWJmY2YtNDJlYTg2ZmQ2NmZhOmZvby5hY21lLmNvbQ%3D%3D&nonce=52b947c5-38de-4fda-95ba-fcaa34f97a5f
terminal-id: eecfbbef-f61e-4a4f-8f97-1924c089181d
state: addbf712-95d1-4058-be82-45b76fc04e5c

Invoke the oidc-validate-state operation

This endpoint validates the integrity of the state parameter before performing any additional redirects during an OpenID Connect (OIDC) authentication flow.

Purpose:

  • The state parameter is used to prevent CSRF attacks and track authentication sessions in OIDC.
  • Some backend implementations may inspect state to determine an additional redirect URL based on its contents, such as a state-addition field.
  • Since any such redirect URL is not verified by the OIDC provider, this endpoint can be used to ensure that state remains unchanged before executing any redirection. A HMAC can also be added to ensure that the state has not been manipulated. This is configured using the state-hmac-key setting.

Expected Input:

  • state (required): A unique value originally sent in the OIDC authentication request.
  • Additional fields may be present in the request but are ignored.

Response:

  • valid (boolean): Returns true if the state is unchanged, ensuring that no CSRF attack is in progress.

Use Case:

  • When a backend wants to introduce an additional redirect based on the state contents, it can use this endpoint to verify the state before proceeding.
  • This extra validation step helps mitigate CSRF attacks, ensuring that only valid authentication flows proceed.
Request
Request Body schema:
state
string
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/oidc-validate-state
Request samples 
state: addbf712-95d1-4058-be82-45b76fc04e5c
Response samples 
valid: true

Invoke the passkey-challenge operation

Create a passkey challenge

Request
Request Body schema:
username
required
string <username>

This is a mandatory field representing the username of the user trying to log in.

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

This is an optional field that specifies the tenant (organization) the user is associated with.

terminal-id
string

This should only be set if the request originated through a command line passkey login request.

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/passkey-challenge
Request samples 
username: johndoe
tenant: example-tenant
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23
Response samples 
challenge: Z2hXb1pRcU82eHlvbWt1UEFRY2I=
rpId: example.com
allowCredentials:
  - id: A1B2C3D4E5F6G7H8I9J0
    type: public-key
  - id: H7I8J9K0L1M2N3O4P5Q6
    type: public-key
timeout: 60000

Invoke the passkey-login operation

Initiates passkey login from the command line.

Request
Request Body schema:
username
required
string <username>

The username of the user logging in.

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

The tenant (optional), which refers to the organization the user is associated with.

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/passkey-login
Request samples 
username: johndoe
tenant: example-tenant
Response samples 
url: https://login.avassa.io?terminal_id=f5dc5c45-0f7f-477d-8638-7e1398761a23
terminal-id: f5dc5c45-0f7f-477d-8638-7e1398761a23

Invoke the passkey-login-assertion operation

Performs a passkey login with the parameters signed by the browser.

Request
Request Body schema:
username
required
string <username>

The username of the user logging in.

tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

The tenant (optional), which refers to the organization the user is associated with.

credentialId
required
string

The identifier of the passkey credential used for the login attempt.

required
object
cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/passkey-login-assertion
Request samples 
username: johndoe
tenant: example-tenant
credentialId: A1B2C3D4E5F6G7H8I9J0
response:
  authenticatorData: q2x3fGZvbUdlWGR3dz09YXV0aGVudGljYXRvcg==
  clientDataJSON: eyAiY2hhbGxlbmdlIjogIlpITm1MMEZ1WVc0PSIsICJvcmlnaW4iOiAiaHR0cHM6Ly9leGFtcGxlLmNvbSIsICJ0eXBlIjogIndlYmF1dGhuLmdldCIsICJjcm9zc09yaWdpbiI6IGZhbHNlIH0=
  signature: MEUCIQD2d45ksjdflkj343sldkjflskdfjslkdjf4=
  userHandle: abcd1234
cookie: false
Response samples 
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
expires-in: 3600
expires: 2024-09-27T12:34:56Z
accessor: some-accessor-identifier
creation-time: 2024-09-27T11:34:56Z
renewal-time: 2024-09-27T11:34:56Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS91c2VycGFzcy1qb2huZG9lIiwiYXVkIjpbInNlcnZpY2UtYSJdLCJleHAiOjE3Mjc0MzUyOTYsImlhdCI6MTcyNzQzMTY5NiwiaXNzIjoiaHR0cHM6Ly9hY21lLmNvbSJ9.MEYCIQCfVRGP1LSmX4v7Yd5U2wQdNlBtQwxlhZ3PjsqN8BjKpAIhAOT3fRY6mDPkqZFw4NlJi3VeRsqG1mXXYoQnBT4e7S4f
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBpTCCAU2gAwIBAgIRANf6Rp4T3DbHXf8zSU0QmHAwCgYIKoZIzj0EAwIwADAe
    Fw0yNDA5MjcxMTM0NTZaFw0yNDA5MjgxMTM0NTZaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAQzEAVAV4t4KfYF76j3WXAJKip3RJPXM7FH4UDgxhE6VjMQMB0G
    A1UdEQQWMBSGEnNwaWZmZTovL2FjbWUuY29t
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIGqnpXcvymDiWo9cMxmE2Cg3JNFh4HLiCbI+XE7ZzpFioAoGCCqGSM49
    AwEHoWQDYgAEMxAFQFeLeCn2Be+o91lwCSoqd0ST1zOxR+FA4MYROFY=
    -----END EC PRIVATE KEY-----

Invoke the re-authenticate operation

Re-authenticate towards the system. This operation is used when step-up authentication is required.

SecurityaccessToken
Request
Request Body schema:
username
required
string <username>
password
required
string
otp
string

Optionally an OTP can be supplied. If an OTP is required and not provided, then an error message will be returned indicating that.

cookie
boolean
Default: false

When set to true and on successful authentication, a token is returned as a cookie named sessionid (instead of being returned in the payload).

Responses
204

No Content

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/re-authenticate
Request samples 
username: joe@popcorn-systems.com
password: secret-password
otp: "345789"
cookie: false
Response samples
No sample

Invoke the spiffe-login operation

This endpoint allows a user or workload to login using JWT-SVID.

Request
Request Body schema:
tenant
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

Tenant to authenticate towards.

spiffe
required
string <name>

Name of the SPIFFE trust domain configuration entry to authenticate against.

jwt-svid
required
string

JWT-SVID obtained from external system.

Responses
200

OK

400
401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/spiffe-login
Request samples 
tenant: system
spiffe: spire
jwt-svid: eyJhbGciOiJFUzI1NiIsImtpZCI6IkxMZHNJWW1kTmxJTTIyUkxkTG0zb0FqZFNzOWhPYmx3IiwidHlwIjoiSldUIn0.eyJhdWQiOlsiYXZhc3NhIl0sImV4cCI6MTc2ODkxMjAwNiwiaWF0IjoxNzY4OTExNzA2LCJpc3MiOiJodHRwczovL29pZGMtZGlzY292ZXJ5LXByb3ZpZGVyLmV4YW1wbGUub3JnIiwic3ViIjoic3BpZmZlOi8vZXhhbXBsZS5vcmcvd29ya2xvYWQvZGVtbyJ9._0VXWmqvX9iyj-cVcHaw8_z8RXGilBF8orREDObDuWDR9whQ0LdTHrZcdjq-Gz0Mg2TfiEjQgcvvZQ9Zo4Dumg
Response samples 
token: 09715875-ac45-4ad7-bfad-00eea3949094
expires-in: 1209600
expires: 2021-02-16T14:24:20.030665Z
accessor: 3be91214-176c-4b4d-bae7-4c432f342661
creation-time: 2021-02-15T14:24:20.030665Z
renewal-time: 2021-02-15T14:24:20.030665Z
jwt-svid: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmcta2V5LTEifQ.eyJzdWIiOiJzcGlmZmU6Ly9hY21lLmNvbS9teS13b3JrbG9hZCIsImF1ZCI6WyJzZXJ2aWNlLWEiXSwiZXhwIjoxNjEzNDkxODYwLCJpYXQiOjE2MTM0MDU0NjAsImlzcyI6Imh0dHBzOi8vYWNtZS5jb20ifQ.MEYCIQDkR5Y6mDPkqZFw4NlJi3VeRsqG1mXXYoQnBT4e7S4fIAIhALGPhZ3PjsqN8BjKp2fVRGP1LSmX4v7Yd5U2wQdNlBtQ
x509-svid:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIBqTCCAU2gAwIBAgIRAMxW4bK3+DbHRf6zPT8NnGQwCgYIKoZIzj0EAwIwADAe
    Fw0yMTAyMTUxNDI0MjBaFw0yMTAyMTYxNDI0MjBaMAAwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAASDnQ3VBzLjDMhkFGQREFLPEklFWy8mEcvWHQ8MKrOhWMB4GA1Ud
    EQQXMBWGFHNwaWZmZTovL2FjbWUuY29tLw==
    -----END CERTIFICATE-----
  private-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHQCAQEEIOmNL4ZVXNazJM+wy3kpKTrFYMoFGJ8SqLQ4pQ9VhJgnoAoGCCqGSM49
    AwEHoWQDYgAEg50N1Qcy4wzIZBRkERBSzxJJRVsvJhHL1h0PDCqzoVjA=
    -----END EC PRIVATE KEY-----
➔ Next to Logout