Authentication and authorization
Authorization
ShareAspace web uses OAuth 2.0 for authorization. Combined with an identity provider for authentication, ShareAspace issues JSON Web Tokens (JWT) for authorizing calls against the ShareAspace REST API.
Authentication
Developer login
The developer login extension is an authentication component that is intended for testing and development only.
Once ShareAspace web and the ShareAspace collection are configured to use the developer login, the system has only one password. Once the correct password is entered on the login screen, a list of all registered ShareAspace users is presented. Clicking one of the users lets you impersonate that user.
Email authentication
The email authentication extension is an authentication component that provides a simple authentication mechanism.
Once ShareAspace web and the ShareAspace collection are configured to use email authentication, users are asked to provide their email address on the login screen. They are then asked for a sign-in code. Provided that the user exists in ShareAspace, an email containing a login code is sent to that user; the code can be used for a limited time.
OpenID Connect
It is possible to set up a trust to an external identity provider in ShareAspace using OpenID Connect. This lets you opt out of the ShareAspace Identity Server and ShareAspace Authorization Server for the OAuth 2.0 authorization flows and use a third-party authentication/authorization provider instead.
See the OpenID Connect documentation.
Personal access tokens
Users can generate personal access tokens (PAT). These tokens can be used to access the ShareAspace REST APIs, impersonating the user that created the token, instead of the JWT access tokens obtained through the OAuth 2.0 flows.
Typically, personal access tokens are used in integration scenarios or when connecting to ShareAspace with external tools that do not support interactive OAuth 2.0 authorization/authentication.
- A personal access token has a set time limit. Once the time limit has passed, the token can no longer be used. An email is sent to the user that created the token when the token is 2 days from expiring.
- An issued personal access token can be revoked at any time by the user that created it.
- An issued personal access token can have its time limit modified.
- When a personal access token is created an email notification will be sent to the user creating the token.
Note
ShareAspace provides the PAT value only when it is first created. The PAT is not stored in ShareAspace, so there is no way to retrieve the value of a specific PAT at a later time.
Important
The PAT should be kept secret and handled with care.
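The following is an added example, not ShareAspace's own code, of a hypothetical server-side PAT store with the properties described above: the token value is handed out once at creation, it has a time limit that can be changed, it can be revoked, and owners of tokens within 2 days of expiry can be found for the reminder email. Keeping only a SHA-256 digest of the token is an assumption about how such a store can be built; the page only states that the value is not stored.

```python
import hashlib
import secrets

DAY = 24 * 3600
EXPIRY_WARNING = 2 * DAY  # the page: reminder email 2 days before expiry


class PatStore:
    """Hypothetical PAT store (assumption, not ShareAspace's implementation).

    The plaintext token is returned exactly once, at creation; only a
    SHA-256 digest is kept, so the value cannot be looked up afterwards.
    Times are Unix epoch seconds so the example stays deterministic.
    """

    def __init__(self):
        self._records = {}  # token_id (public handle) -> record

    def create(self, user, lifetime_seconds, now):
        token_id = secrets.token_hex(8)
        plaintext = f"{token_id}.{secrets.token_urlsafe(32)}"
        self._records[token_id] = {
            "hash": hashlib.sha256(plaintext.encode()).hexdigest(),
            "user": user,
            "expires": now + lifetime_seconds,
            "revoked": False,
        }
        return token_id, plaintext  # the caller must save plaintext now

    def authenticate(self, plaintext, now):
        """Owning user, or None if unknown, revoked, expired or tampered."""
        rec = self._records.get(plaintext.partition(".")[0])
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        # Constant-time compare so timing does not reveal matching prefixes.
        return rec["user"] if secrets.compare_digest(digest, rec["hash"]) else None

    def revoke(self, token_id):
        self._records[token_id]["revoked"] = True

    def set_expiry(self, token_id, expires):
        self._records[token_id]["expires"] = expires

    def expiring_soon(self, now):
        """(token_id, user) pairs whose owner is due the 2-day reminder."""
        return [(tid, r["user"]) for tid, r in self._records.items()
                if not r["revoked"] and now < r["expires"] <= now + EXPIRY_WARNING]
```

Because only the digest is stored, a database leak does not expose usable tokens, which is the defensive reason a value shown once cannot be shown again.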