login-service
login-service is a standalone minimalistic login server providing a [JWT](https://jwt.io/) login for multiple login backends.
Abstract
login-service provides a minimal endpoint for authentication. The login is
then performed against the configured providers and the result is returned as a JSON Web Token.
Supported Provider
The following providers (login backends) are supported.
- [OSIAM](http://osiam.org/)
  OSIAM is a secure identity management solution providing REST-based services for authentication and authorization.
  It implements the multiple OAuth2 flows, as well as SCIM for managing the user data.
- Simple (user/password pairs by configuration)
Future Planned Features
- Support for the 3-legged OAuth2 flow (OSIAM, Google, Facebook login)
- Backend for checking against a .htaccess file
- Caddyserver middleware
API
GET /login
Returns a simple bootstrap styled login form.
The returned HTML follows the UI composition conventions from [lib-compose](https://github.com/tarent/lib-compose),
so it can be embedded into an existing layout.
POST /login
Performs the login and returns the JWT. Depending on the Content-Type and Accept headers and the parameters, either a classical JSON/REST response or a redirect is performed.
Parameters

| Parameter-Type | Parameter | Description | |
|---|---|---|---|
| Http-Header | Accept: text/html | Set the JWT-Token as Cookie 'jwt_token'. | default |
| Http-Header | Accept: application/jwt | Returns the JWT-Token within the body. No Cookie is set. | |
| Http-Header | Content-Type: application/x-www-form-urlencoded | Expect the credentials as form encoded parameters. | default |
| Http-Header | Content-Type: application/json | Take the credentials from the provided JSON object. | |
| Post-Parameter | username | The username | |
| Post-Parameter | password | The password | |
| Config-Parameter | success-url | The URL to redirect to on success | (default /) |
Possible Return Codes

| Code | Meaning | Description |
|---|---|---|
| 200 | OK | Successfully authenticated |
| 403 | Forbidden | The credentials are wrong |
| 400 | Bad Request | Missing parameters |
| 500 | Internal Server Error | Internal error, e.g. the login provider is not available or failed |
| 303 | See Other | Sets the JWT as a cookie if the login succeeds and redirects to the URL provided in redirectSuccess or redirectError |
Hint: The status 401 Unauthorized is not used as a return code, so that it does not conflict with HTTP BasicAuth authentication.
Example:
By default the token is returned as Content-Type application/jwt within the body.

```
curl -i --data "username=foo&password=bar" http://127.0.0.1:6789/login

HTTP/1.1 200 OK
Content-Type: application/jwt
Date: Fri, 11 Feb 2022 21:32:27 EST
Content-Length: 100

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28ifQ.wlTUsPIX9A5guOq0TrsoFXWDdeX-gI1auvmIuiWq7VE
```
Example: Credentials as JSON
The credentials can also be sent JSON encoded.

```
curl -i -H 'Content-Type: application/json' --data '{"username": "foo", "password": "bar"}' http://127.0.0.1:6789/login

HTTP/1.1 200 OK
Content-Type: application/jwt
Date: Fri, 11 Feb 2022 21:34:22 EST
Content-Length: 100

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28ifQ.wlTUsPIX9A5guOq0TrsoFXWDdeX-gI1auvmIuiWq7VE
```
Example: web based flow with 'Accept: text/html'
Sets the JWT token as a cookie and redirects to a web page.

```
curl -i -H 'Accept: text/html' --data "username=foo&password=bar" http://127.0.0.1:6789/login

HTTP/1.1 303 See Other
Location: /
Set-Cookie: jwt_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28ifQ.wlTUsPIX9A5guOq0TrsoFXWDdeX-gI1auvmIuiWq7VE; HttpOnly
```
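Whatever service sits behind loginsrv and receives the `jwt_token` cookie or the application/jwt body has to verify the HS256 signature with the same `--jwt-secret` loginsrv was started with, and should pin the algorithm rather than trust the token header. The following Python is an added example, not part of loginsrv: `constructed-secret` and the claims are constructed for the demonstration, and `PAGE_TOKEN` is the example token shown above, which is only decoded without verification because its signing secret is not given on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# The example token shown on this page (payload {"sub":"foo"}); its signing secret is not given here.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
              ".eyJzdWIiOiJmb28ifQ"
              ".wlTUsPIX9A5guOq0TrsoFXWDdeX-gI1auvmIuiWq7VE")

def b64url_decode(part):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    # Builds a token shaped like loginsrv's: HS256 header, compact JSON claims, HMAC-SHA256 signature.
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def unverified_claims(token):
    # For inspection only: what a token says about itself, before any trust is placed in it.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, secret, now=None):
    """Return the claims if token is a valid HS256 JWT under secret; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token header choose it
    # (this rejects alg "none" and any attempt to swap in another algorithm).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "sub" not in claims:
        raise ValueError("missing sub claim")
    # loginsrv's example payload carries only "sub"; enforce exp whenever the issuer includes it.
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The header and payload segments minted here are byte-identical to the ones in the example token above; only the signature differs, because it depends on the secret.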
Provider
Osiam
To start loginsrv against the default OSIAM configuration on the same machine, use the following example.

```
loginsrv --jwt-secret=jwtsecret --text-logging -backend 'provider=osiam,endpoint=http://localhost:8080,clientId=example-client,clientSecret=secret'
```

Then go to http://127.0.0.1:6789/login and log in with admin/password.