As an Apstrata developer, you automatically get a user directory along with your Apstrata application. A user of your application is defined by many fields, notably a login (username), a password and a name, which are mandatory.
Since Apstrata is meant to be secure, all calls to its APIs should carry some means of authenticating the caller, unless you explicitly permit otherwise (i.e. you declare that you accept anonymous calls). Hence, when a call is made to Apstrata on behalf of one of your users, the call should either contain a signature generated from the user's credentials (the "apsws.authSig" parameter) or contain an authentication token (the "apsws.token" parameter) obtained from Apstrata.
From your application, you can always verify that a given set of user credentials (signature or token) is valid by invoking the "VerifyCredentials" API.
Example: Let your users sign in to your application
In the cool mobile game app that you are developing, you would like to open up some additional features to users who have signed up and are thus known to your user directory. In addition, since you want your application to be as secure as possible, you would like to avoid storing your end users' credentials in the local storage of their mobile device. Therefore, you need to implement some kind of log-in form on the client side of your app, where your end users can enter their username and password. Then you need to verify these credentials and obtain an authentication token that you can safely store on the client side.
First step: authenticate the end user and create an authentication token
In the above code sample, we did the following:
- Sign a call to the GenerateToken API using the end user's login + password (this adds the apsws.authSig parameter to the query string). If the signature is valid (i.e. the credentials used to generate it are correct), the GenerateToken API will execute.
- Ask the GenerateToken API to return an authentication token that is usable for authentication for 30 min (1800 seconds) and that can no longer be renewed after 60 min (3600 seconds).
- Ask the GenerateToken API not to bind the generated token to any referrer (you have to configure your application once for that to work: open the Apstrata workbench, click "Manage App > Configuration", then set "Allow not binding to referrer" to "true").
Next: reuse the authentication token when invoking Apstrata on behalf of an end user
- Requests authentication
- Token based authentication
- VerifyCredentials API
- GenerateToken API
- RenewToken API
- DeleteToken API