Overview
...
To enable token authentication, a few configuration settings must be added to `/usr/local/omk/conf/opCommon.nmis` for legacy modules or `/usr/local/omk/conf/opCommon.json` for current:
- One or more shared keys must be set up in `auth_token_key`,
- optionally, the maximum validity for tokens may be specified in `auth_token_maxage`,
- and finally, the authentication method `token` must be added as one of the three supported authentication methods.
...
If you need to direct the user to a particular page rather than their default page/dashboard, you can extend the authentication URL with "?redirect_url=". For example, with the token above we can send someone directly to the topn page as follows:
https://testsystem1.opmantek.com/omk/opCharts/login/53616c7465645f5fd95eadb039692ea599441f8089daf1d7f04ab9ccf479e37fb3afda85b3044f4cde5b15844e9be616?redirect_url=omk/opCharts//omk/opCharts/topn
Once the client has accessed the first page, they have been issued suitable auth cookies and all standard URLs work without the token string in the URL (until the timeout is reached, of course). You will want to consider how to re-authenticate the user if the session expires.
Using the token based authentication in the header
We can make API requests against the Opmantek product by passing your generated token within the header of your request.
```
Authorization: Token <data>
```
Token Content and Interoperability Notes
...
```perl
#!/usr/bin/perl
use strict;
use Crypt::CBC;

my ($key, $username, $tokentime) = @ARGV;
die "Usage: $0 <key> <username> [timestamp]\n"
	. "key: passphrase of arbitrary length.\n"
	. "timestamp: optional, default: now\n"
	if (!$key or !$username or (defined $tokentime && !int($tokentime)));
$tokentime ||= time;

# what goes into the token? the token time stamp (in unix-seconds, UTC),
# as a plain string, followed by exactly one space and the username.
my $plain = $tokentime." ".$username;

# defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode,
# and openssl-compatible key derivation function (PBKDF) -
# see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html
# but crypt::cbc's default keysize is an incompatible 64 bits
my $engine = Crypt::CBC->new(-key => $key,
	-cipher => "Rijndael",
	-keysize => 128/8);
my $crypted = $engine->encrypt_hex($plain);
print $crypted,"\n";
exit 0;
```
Shell using the OpenSSL CLI
...
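```sh
#!/bin/sh
KEY=$1
USER=$2
TEMPFILE=`mktemp /tmp/gentoken.XXXXXX`
NOW=`date +%s`
# printf instead of echo -n: not every /bin/sh echo understands -n
printf '%s' "$NOW $USER" > "$TEMPFILE"
# see man enc: -salt -e are default, could be omitted;
# openssl requires a real file as input, so we need a temp file
# hexdump converts the binary bytes into their hex representation
# -md md5: OpenSSL 1.1.0 and later derive the key with SHA-256 by default,
# while Crypt::CBC's openssl-compatible mode (see the Perl version) uses MD5
openssl aes-128-cbc -md md5 -in "$TEMPFILE" -salt -e -pass "pass:$KEY" | \
hexdump -v -e '/1 "%02x"'
echo
rm -f "$TEMPFILE"
exit 0
```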
...
Python
Python's pycrypto module should contain everything required, except the OpenSSL-specific PBKDF which can be found here.
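The token construction described above in Python, as an added example that is not part of the original page or Opmantek's code. It assumes the `cryptography` package in place of pycrypto for AES and implements the OpenSSL key derivation (EVP_BytesToKey with MD5 and one iteration, as Crypt::CBC's salted mode uses) with `hashlib`; the function names are hypothetical.

```python
import hashlib
import os
import time

MAGIC = b"Salted__"  # OpenSSL salted-format header, followed by an 8-byte salt


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len=16, iv_len=16):
    """OpenSSL EVP_BytesToKey with MD5 and one iteration."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_token(token_hex: str):
    """Return (salt, ciphertext) after checking the token's framing."""
    raw = bytes.fromhex(token_hex)
    if raw[:8] != MAGIC or len(raw) < 32 or len(raw) % 16:
        raise ValueError("not a salted AES-CBC token")
    return raw[8:16], raw[16:]


def make_token(passphrase: str, username: str, now=None, salt=None) -> str:
    """Encrypt "<unix time> <username>" with AES-128-CBC, hex-encoded."""
    # Imported here so the helpers above work without the package installed.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    salt = salt or os.urandom(8)
    plain = f"{int(now or time.time())} {username}".encode()
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plain) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return (MAGIC + salt + enc.update(padded) + enc.finalize()).hex()


if __name__ == "__main__":
    # The token from the URL example on this page: only its framing is checked.
    page_token = ("53616c7465645f5fd95eadb039692ea599441f8089daf1d7"
                  "f04ab9ccf479e37fb3afda85b3044f4cde5b15844e9be616")
    salt, body = split_token(page_token)
    print("salt:", salt.hex(), "ciphertext bytes:", len(body))
```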