This public web service lets users sign in to Fluid Topics using login/password credentials.
As a result, the current session is authenticated and all subsequent calls to the Fluid Topics public API take the authenticated user's profile/roles/permissions into account.
This web service works for the following authentication realms:
Method | Endpoint |
---|---|
POST | /api/authentication/login |
The request must set the Content-Type: application/json header.
Request example
The following lines show an example of a JSON request:

```json
{
  "login": "jdoe@fluidtopics.com",
  "password": "My_Password",
  "rememberMe": true
}
```
The JSON request expects the following parameters:
Field | Type | Required? | Description |
---|---|---|---|
login | String | Yes | Expects the email address used to sign in to the Fluid Topics portal. |
password | String | Yes | Expects the password corresponding to the given login. |
rememberMe | Boolean | No | When set to true, keeps the user logged in for 30 days unless the user explicitly logs out. Defaults to false. |
If multiple direct login realms are configured (internal, static, root, or LDAP), the login is attempted on all realms one by one, in the order in which they are defined in the conf.json file, and the user is signed in to the first realm that authenticates the user successfully.
Response body
When credentials are OK, the web service returns enough information to know who is authenticated and in which realm:
```json
{
  "profile": {
    "userId": "9e193047-860c-418b-8941-bfd59ca5b2a6",
    "displayName": "John Arthur Doe",
    "emailAddress": "jdoe@fluidtopics.com",
    "roles": [
      "KHUB_ADMIN",
      "PERSONAL_BOOK_USER",
      "DEBUG_USER",
      "PERSONAL_BOOK_SHARE_USER",
      "ADMIN",
      "PDF_EXPORT_USER",
      "BETA_USER",
      "PORTAL_ADMIN",
      "SAVED_SEARCH_USER",
      "USERS_ADMIN",
      "HTML_EXPORT_USER"
    ]
  },
  "authenticationIdentifier": {
    "identifier": "jdoe@fluidtopics.com",
    "realm": "Root User"
  }
}
```
Field | Type | Description |
---|---|---|
profile | Object | An object containing information about the user. |
userId | String | The identifier of the connected user. |
displayName | String | The display name of the user. |
emailAddress | String | The email address of the user. |
roles | Array | Indicates the roles of the user. |
authenticationIdentifier | Object | Information about the authentication of the user. |
identifier | String | The user identifier in the realm. |
realm | String | Indicates the realm to which the user belongs. |
Return code | Description |
---|---|
200 OK | Credentials are OK. |
400 BAD REQUEST | Invalid or missing JSON request. |
401 UNAUTHORIZED | Incorrect credentials. |
403 FORBIDDEN | Credentials are OK but the user is locked. |
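The following is an added example of a client for this web service, not Fluid Topics' own code: it builds the JSON request documented above, posts it to /api/authentication/login with the required Content-Type header, and maps the documented return codes and 200 response body onto a result object. The HTTP layer is a pluggable callable so the handling can be run offline against the page's sample response; the base URL is a placeholder, and keeping the session in a cookie jar is an assumption (the page only says the current session becomes authenticated).

```python
"""Added example client for the Fluid Topics login web service (not Fluid
Topics' own code). Assumptions: placeholder base URL, session carried in a
cookie, and a pluggable transport used for offline runs."""
import http.cookiejar
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LOGIN_PATH = "/api/authentication/login"  # endpoint documented on the page

# Error descriptions for the documented non-200 return codes.
STATUS_TEXT = {
    400: "invalid or missing JSON request",
    401: "incorrect credentials",
    403: "credentials are OK but the user is locked",
}

# Constructed 200 body, taken from the page's response example (roles shortened).
SAMPLE_RESPONSE = json.dumps({
    "profile": {
        "userId": "9e193047-860c-418b-8941-bfd59ca5b2a6",
        "displayName": "John Arthur Doe",
        "emailAddress": "jdoe@fluidtopics.com",
        "roles": ["KHUB_ADMIN", "ADMIN", "PORTAL_ADMIN"],
    },
    "authenticationIdentifier": {"identifier": "jdoe@fluidtopics.com", "realm": "Root User"},
}).encode("utf-8")


@dataclass
class LoginResult:
    status: int
    user_id: Optional[str] = None
    display_name: Optional[str] = None
    email: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    identifier: Optional[str] = None
    realm: Optional[str] = None
    error: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.status == 200


def build_login_request(login: str, password: str, remember_me: bool = False) -> bytes:
    """Serialise the JSON body the endpoint expects: login, password, rememberMe."""
    if not login or not password:
        raise ValueError("login and password are both required")
    body = {"login": login, "password": password, "rememberMe": bool(remember_me)}
    return json.dumps(body).encode("utf-8")


def parse_login_response(status: int, body: bytes) -> LoginResult:
    """Map the documented return codes and the 200 body onto a LoginResult."""
    if status != 200:
        return LoginResult(status=status, error=STATUS_TEXT.get(status, f"unexpected HTTP {status}"))
    data = json.loads(body.decode("utf-8"))
    profile = data.get("profile", {})
    auth = data.get("authenticationIdentifier", {})
    return LoginResult(
        status=200,
        user_id=profile.get("userId"),
        display_name=profile.get("displayName"),
        email=profile.get("emailAddress"),
        roles=list(profile.get("roles", [])),
        identifier=auth.get("identifier"),
        realm=auth.get("realm"),
    )


# A transport takes (url, body, headers) and returns (status, response body).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(opener: urllib.request.OpenerDirector) -> Transport:
    """Real HTTP transport; an HTTPError becomes (code, body) instead of raising."""
    def send(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with opener.open(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


def login(base_url: str, login_name: str, password: str, remember_me: bool = False,
          transport: Optional[Transport] = None,
          cookies: Optional[http.cookiejar.CookieJar] = None) -> LoginResult:
    """POST the credentials and return the parsed result. The cookie jar keeps the
    session cookie the server sets (assumption) for later calls via the same opener."""
    cookies = cookies if cookies is not None else http.cookiejar.CookieJar()
    if transport is None:
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cookies))
        transport = urllib_transport(opener)
    body = build_login_request(login_name, password, remember_me)
    headers = {"Content-Type": "application/json"}  # required by the endpoint
    status, resp_body = transport(base_url.rstrip("/") + LOGIN_PATH, body, headers)
    return parse_login_response(status, resp_body)


if __name__ == "__main__":
    # Offline demo: a fake transport that answers with the page's sample response.
    fake = lambda url, body, headers: (200, SAMPLE_RESPONSE)
    result = login("https://portal.example.invalid", "jdoe@fluidtopics.com", "My_Password",
                   remember_me=True, transport=fake)
    print(result.ok, result.display_name, result.realm, result.roles)
```

Against a live portal, drop the transport argument and pass a real base URL; the 401 and 403 branches are distinguishable to the caller, but the client deliberately does not retry on 401, since the page states that repeated failures lock the account.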
OWASP compliance
This web service complies with the following OWASP Secure Software Development Lifecycle Requirements:
- #2.2.1: Fluid Topics blocks brute-force attacks by locking accounts for 10 minutes after 3 unsuccessful login attempts, logging locked accounts, and displaying a generic HTTP 401 error message on the server side when invalid credentials are submitted.
- #3.1.1 and #7.1.1: the response body does not contain the session identifier (sessionId).
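The following is an added illustration of the lockout policy described in the OWASP section, not Fluid Topics' own implementation. It keeps the documented behaviour (lock after 3 unsuccessful attempts, lock lasts 10 minutes, locked accounts are logged, invalid credentials always get a generic 401, valid credentials on a locked account get 403). The in-memory state, the injectable clock, and the choice that failures during a lock do not extend it are assumptions of this example.

```python
"""Added example (not Fluid Topics' own code): an in-memory model of the login
lockout policy from the OWASP section. Assumptions: per-process state, an
injectable clock, failures during a lock do not extend the lock."""
import logging
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 3          # from the page: lock after 3 unsuccessful attempts
LOCK_SECONDS = 10 * 60    # from the page: lock lasts 10 minutes

log = logging.getLogger("login-throttle")


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    clock: Callable[[], float] = time.time
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    lock_events: List[str] = field(default_factory=list)  # audit trail of lockouts

    def is_locked(self, login: str) -> bool:
        state = self.accounts.get(login)
        return state is not None and self.clock() < state.locked_until

    def attempt(self, login: str, credentials_valid: bool) -> int:
        """Return the HTTP status the server should answer for this attempt."""
        state = self.accounts.setdefault(login, AccountState())
        now = self.clock()
        if now < state.locked_until:
            # Locked: correct credentials get 403; wrong ones get the same generic
            # 401 as any bad credential, so the lock state is not revealed that way.
            return 403 if credentials_valid else 401
        if credentials_valid:
            state.failures = 0
            return 200
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCK_SECONDS
            state.failures = 0
            self.lock_events.append(login)  # the page says locked accounts are logged
            log.warning("account %s locked for %d s after %d failed logins",
                        login, LOCK_SECONDS, MAX_FAILURES)
        return 401


class FakeClock:
    """Manually advanced clock for the offline demo and tests."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> List[int]:
    """Walk one account through failure, lockout and expiry; return the statuses."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    user = "jdoe@fluidtopics.com"  # constructed sample account
    codes = []
    for _ in range(MAX_FAILURES):
        codes.append(throttle.attempt(user, False))   # 401 each time; lock on the 3rd
    codes.append(throttle.attempt(user, True))        # 403: credentials OK but locked
    codes.append(throttle.attempt(user, False))       # 401: still generic while locked
    clock.advance(LOCK_SECONDS)
    codes.append(throttle.attempt(user, True))        # 200: lock has expired
    return codes


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_scenario())  # expected: [401, 401, 401, 403, 401, 200]
```

The 403 branch is the one the return-code table documents for a locked user; note that a caller with wrong credentials sees 401 whether or not the account is locked, which is the point of the generic message in requirement #2.2.1.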