Authentication

Every Lagertha user must be authenticated to use the Lagertha API.

An authenticated user is one who has a valid access_token.

All authenticated API calls must include the Authorization header with the value Bearer <access_token>.

To obtain the Lagertha access_token, there are two possibilities:

  • OpenID Connect
  • OAuth

Method 1: OpenID Connect

Authentication with the Lagertha API

Send a POST request to authenticate the user and obtain an access_token.

curl -X POST https://<BASE_URL>:<PORT>/auth \
-H "Content-Type: application/json" \
-d '{
"login": "<LOGIN_SUPER_ADMIN>",
"password": "<PASSWORD_SUPER_ADMIN>",
"application_id": 0,
"fingerprint": "<UNIQUE_DEVICE_ID>"
}'

Response

{
"access_token": "<access_token>",
"token_type": "Bearer",
"refresh_token": "<refresh_token>",
"open_id": "<open_id>"
}

Store the access_token on the client side for later use.

Authentication with the Third-Party API

The third-party API uses the open_id to verify its validity with the Lagertha API.

curl -X POST https://<BASE_URL>:<PORT>/oidc/verify \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <access_token_third_part_api>" \
-H "X-NONCE: <RANDOM_NONCE>" \
-H "X-FINGERPRINT: <UNIQUE_DEVICE_ID>" \
-d '{
"open_id_token": "<open_id>"
}'

Response

{
"id": "string",
"email": "string",
"firstname": "string",
"lastname": "string",
"login": "string",
"roles": [
"string"
],
"created_at": "string"
}

If the token is valid, you will receive the user information in return.

The third-party API can then log in the user and provide their own authentication token.

Method 2: OAuth

Authentication with the Third-Party API

The third-party API generates a unique code (state) and checks with the Lagertha API whether a user exists by providing that user's ID.

curl -X GET "https://<BASE_URL>:<PORT>/oauth/token?client_id=<CLIENT_ID>&state=<STATE>" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <access_token_third_part_api>" \
-H "X-NONCE: <RANDOM_NONCE>" \
-H "X-FINGERPRINT: <UNIQUE_DEVICE_ID>"

In return, the third-party API receives an authorization_code.

{
"authorization_code": "string"
}

The third-party API can then log in the user by providing their access token, the authorization_code, and the generated state.

Validation and Exchange of the Authorization Code

The client can now exchange their authorization_code for an access_token from the Lagertha API.

curl -X POST https://<BASE_URL>:<PORT>/oauth/authorize \
-H "Content-Type: application/json" \
-d '{
"authorization_code": "<AUTHORIZATION_CODE>",
"state": "<STATE>",
"application_id": 0,
"fingerprint": "<UNIQUE_DEVICE_ID>"
}'

Response:

{
"access_token": "<access_token>",
"token_type": "Bearer",
"refresh_token": "<refresh_token>",
"open_id": "<open_id>"
}

Using the Refresh Token

A refresh_token is also returned during the initial authentication. This token allows obtaining a new access_token without requiring a full re-authentication.

Renewing the Access Token

To renew an access_token, send a POST request with the refresh_token.

curl -X POST https://<BASE_URL>:<PORT>/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "<refresh_token>",
"application_id": 0,
"fingerprint": "<UNIQUE_DEVICE_ID>"
}'

Response:

{
"access_token": "<new_access_token>",
"token_type": "Bearer",
"refresh_token": "<new_refresh_token>"
}

Store the new access_token and refresh_token on the client side for later use.
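The three token flows above (Method 1 login, the Method 2 state and code exchange, and refresh) share the same request shapes, so one client is enough to show them end to end. The following is an added example, not Lagertha's own code: it assumes the endpoint paths and JSON fields shown on this page, treats any non-2xx status as failure (the page lists no status codes), and routes HTTP through a swappable transport function so that the token handling can be exercised without a live server. The user record layout returned by /oidc/verify is taken from the response shown above.

```python
"""Minimal client for the Lagertha authentication endpoints documented above.
Added example, not Lagertha's own code. It assumes the request/response shapes shown
on this page and treats any non-2xx status as failure (the page lists no codes).
HTTP goes through an injectable transport(method, url, headers, body) -> (status, dict)
so the token handling can be exercised offline; urllib_transport is the real one."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Send one JSON request with the standard library and decode the reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def _headers(token=None, **extra):
    """Content-Type plus the Bearer header that every authenticated call needs."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    headers.update(extra)
    return headers


class LagerthaClient:
    """Client side: login (Method 1), code exchange (Method 2), refresh-and-retry."""

    def __init__(self, base_url, application_id, fingerprint, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.application_id = application_id
        self.fingerprint = fingerprint  # stable per-device id sent with every token request
        self._transport = transport
        self.access_token = self.refresh_token = self.open_id = None

    def _post_for_tokens(self, path, body):
        status, payload = self._transport("POST", self.base_url + path, _headers(), body)
        if not 200 <= status < 300:
            raise PermissionError(f"{path} failed: HTTP {status}")
        # /auth/refresh returns no open_id, so keep the value from the initial login
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        self.open_id = payload.get("open_id", self.open_id)
        return payload

    def login(self, login, password, code_2fa=None):
        body = {"login": login, "password": password,
                "application_id": self.application_id, "fingerprint": self.fingerprint}
        if code_2fa is not None:  # required at every login once MFA is enabled
            body["code_2fa"] = code_2fa
        return self._post_for_tokens("/auth", body)

    def exchange_authorization_code(self, authorization_code, state):
        """Method 2, last step: trade the code plus the state it was issued for."""
        return self._post_for_tokens("/oauth/authorize", {
            "authorization_code": authorization_code, "state": state,
            "application_id": self.application_id, "fingerprint": self.fingerprint})

    def refresh(self):
        return self._post_for_tokens("/auth/refresh", {
            "refresh_token": self.refresh_token,
            "application_id": self.application_id, "fingerprint": self.fingerprint})

    def get(self, path):
        """Authenticated GET; on 401, refresh once and retry with the new access_token."""
        status, payload = self._transport("GET", self.base_url + path, _headers(self.access_token), None)
        if status == 401 and self.refresh_token:
            self.refresh()
            status, payload = self._transport("GET", self.base_url + path, _headers(self.access_token), None)
        return status, payload


def _third_party_headers(token, fingerprint):
    """Bearer token plus a fresh random X-NONCE and the device X-FINGERPRINT."""
    return _headers(token, **{"X-NONCE": secrets.token_hex(16), "X-FINGERPRINT": fingerprint})


def verify_open_id(base_url, third_party_token, fingerprint, open_id, transport=urllib_transport):
    """Third-party side of Method 1: returns the user record for a valid open_id, else None."""
    status, payload = transport("POST", base_url.rstrip("/") + "/oidc/verify",
                                _third_party_headers(third_party_token, fingerprint),
                                {"open_id_token": open_id})
    return payload if 200 <= status < 300 else None


def request_authorization_code(base_url, third_party_token, fingerprint, client_id, transport=urllib_transport):
    """Third-party side of Method 2: mint a random state, ask /oauth/token for a code.
    Returns (state, authorization_code); keep the state bound to the user's session."""
    state = secrets.token_urlsafe(24)
    query = urllib.parse.urlencode({"client_id": client_id, "state": state})
    status, payload = transport("GET", f"{base_url.rstrip('/')}/oauth/token?{query}",
                                _third_party_headers(third_party_token, fingerprint), None)
    if not 200 <= status < 300:
        raise PermissionError(f"/oauth/token failed: HTTP {status}")
    return state, payload["authorization_code"]
```

Two design points worth noting: the state is produced with `secrets` rather than a predictable counter, and the third party must keep it tied to the user's session so that the later exchange can be matched to the request that produced it; and the refresh-on-401 path in `get` retries exactly once, so a refresh_token that has itself expired surfaces as a `PermissionError` instead of a retry loop.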

Two-Factor Authentication (MFA)

To enhance security, the Lagertha API supports two-factor authentication (MFA). This adds an extra layer of security by requiring a verification code in addition to the password.

Enabling MFA

To enable MFA, the user first requests a Time-based One-Time Password (TOTP) setup URL.

curl -X GET https://<BASE_URL>:<PORT>/users/2fa/code \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <access_token>"

Response:

{
"totp_url": "<totp_url>"
}

The user can use this URL to set up their authentication app (like Google Authenticator).

Verification and Activation of MFA

The user verifies the TOTP code to activate MFA.

curl -X PUT https://<BASE_URL>:<PORT>/users/2fa/activate \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <access_token>" \
-d '{
"code": "<TOTP_CODE>",
"is_activate": true
}'
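The totp_url returned by /users/2fa/code is what the authenticator app consumes, and the code it produces is what the activation request above (and every later login) carries. The following added example, not Lagertha's own code, shows both halves of that: parsing an otpauth:// URI and computing the RFC 6238 TOTP code from it, plus the server-side check with a small clock-drift window. The page only shows that a totp_url is returned; the otpauth://totp/... layout assumed here is the format authenticator apps expect, and the sample URI in the test is constructed around the RFC 4226/6238 reference secret.

```python
"""Decode a totp_url (otpauth:// URI) and compute or verify TOTP codes.
Added example, not Lagertha's own code. The otpauth://totp/LABEL?secret=BASE32&...
layout is assumed (the page shows only that /users/2fa/code returns a totp_url);
codes follow RFC 6238 TOTP over RFC 4226 HOTP."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def parse_totp_url(totp_url):
    """Extract label, secret, digits, period and algorithm from an otpauth://totp/ URI."""
    parts = urllib.parse.urlsplit(totp_url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = dict(urllib.parse.parse_qsl(parts.query))
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // period, digits, algorithm)


def code_for_url(totp_url, at=None):
    """What the authenticator app shows for a given totp_url (now, or at a fixed time)."""
    p = parse_totp_url(totp_url)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


def verify_code(submitted, secret_b32, at=None, window=1, **kw):
    """Server-side check: accept the code for the current step and +/- window steps
    of clock drift, comparing in constant time."""
    at = time.time() if at is None else at
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + step * period, **kw), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 reference secret "12345678901234567890" in base32.
    sample = "otpauth://totp/Lagertha:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Lagertha"
    print(parse_totp_url(sample)["label"], code_for_url(sample))
```

The verification window is deliberately small: one step on either side absorbs ordinary clock skew between the phone and the server, while a wider window lengthens the time a single observed code stays usable. A production check should additionally reject a code that has already been accepted within its step.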

Authentication with MFA

After enabling MFA, the user must provide the TOTP code at each login.

curl -X POST https://<BASE_URL>:<PORT>/auth \
-H "Content-Type: application/json" \
-d '{
"login": "<LOGIN_SUPER_ADMIN>",
"password": "<PASSWORD_SUPER_ADMIN>",
"application_id": 0,
"fingerprint": "<UNIQUE_DEVICE_ID>",
"code_2fa": "<TOTP_CODE>"
}'

Response:

{
"access_token": "<access_token>",
"token_type": "Bearer",
"refresh_token": "<refresh_token>",
"open_id": "<open_id>"
}