Sign in with credentials - Fluid Topics - Latest

Fluid Topics API Reference Guide

Category: Reference Guides
Audience: public
Version: Latest

This public web service lets users sign in to Fluid Topics using login/password credentials.

As a result, the current session is authenticated and all subsequent calls to the Fluid Topics public API take the authenticated user's profile/roles/permissions into account.

This web service works for the following authentication realms:

Method   Endpoint
POST     /api/authentication/login

The request must set the Content-Type: application/json header.

Request example

The following lines show an example JSON request:

{
    "login": "jdoe@fluidtopics.com",
    "password": "My_Password",
    "rememberMe": true
}

The JSON request expects the following parameters:

Field        Type     Required?  Description
login        String   Yes        Expects the email address used to sign in to the Fluid Topics portal.
password     String   Yes        Expects the password corresponding to the given login.
rememberMe   Boolean  No         When set to true, keeps the user logged in for 30 days unless the user explicitly logs out. Defaults to false.

Response body

When credentials are OK, the web service returns enough information to know who is authenticated and in which realm:

{
    "profile": {
        "userId": "9e193047-860c-418b-8941-bfd59ca5b2a6",
        "displayName": "John Arthur Doe",
        "emailAddress": "jdoe@fluidtopics.com",
        "roles": [
            "KHUB_ADMIN",
            "PERSONAL_BOOK_USER",
            "DEBUG_USER",
            "PERSONAL_BOOK_SHARE_USER",
            "ADMIN",
            "PDF_EXPORT_USER",
            "BETA_USER",
            "PORTAL_ADMIN",
            "SAVED_SEARCH_USER",
            "USERS_ADMIN",
            "HTML_EXPORT_USER"
        ]
    },
    "authenticationIdentifier": {
        "identifier": "jdoe@fluidtopics.com",
        "realm": "Root User"
    }
}

Return code       Description
200 OK            Credentials are OK.
400 BAD REQUEST   Invalid or missing JSON request.
401 UNAUTHORIZED  Incorrect credentials.
403 FORBIDDEN     Credentials are OK but the user is locked.

Here, authenticationIdentifier gives the user's identifier and the realm in which this user is authenticated.

If multiple direct login realms are configured (internal, static, root, or LDAP), the login is attempted on all realms one by one, in the order in which they are defined in the conf.json file, and the user is signed in to the first realm that authenticates the user successfully.

OWASP compliance

This web service complies with the following OWASP Secure Software Development Lifecycle Requirements:

  • #2.2.1: Fluid Topics blocks brute-force attacks by locking accounts for 10 minutes after 3 unsuccessful login attempts, logging locked accounts, and returning a generic HTTP 401 error from the server when invalid credentials are submitted.
  • #3.1.1 and #7.1.1: the response body does not contain the session identifier (sessionId).
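The request, response and return codes described above, together with the lockout and sessionId points from the OWASP list, as an added client-side example (not code from the Fluid Topics product or its documentation). It uses only the Python standard library; the base URL, the cookie-jar session handling and the trimmed sample response body are assumptions made for the example.

```python
import json
import http.cookiejar
import urllib.error
import urllib.request

LOGIN_PATH = "/api/authentication/login"  # endpoint documented on the page
STATUS_MEANING = {  # return codes documented for this endpoint
    200: "ok", 400: "bad_request", 401: "unauthorized", 403: "locked"}
# Constructed sample 200 body, trimmed from the page's example (not live data).
SAMPLE_OK_BODY = json.dumps({
    "profile": {"userId": "9e193047-860c-418b-8941-bfd59ca5b2a6", "displayName": "John Arthur Doe",
                "emailAddress": "jdoe@fluidtopics.com", "roles": ["KHUB_ADMIN", "ADMIN"]},
    "authenticationIdentifier": {"identifier": "jdoe@fluidtopics.com", "realm": "Root User"}}).encode()

def build_login_request(base_url, login, password, remember_me=False):
    """POST with the JSON body and Content-Type header the endpoint requires."""
    body = json.dumps({"login": login, "password": password, "rememberMe": remember_me}).encode()
    return urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def interpret_login_response(status, body):
    """Map status + raw body to a result dict. retry_safe is False for 401/403 because
    three failures lock the account for 10 minutes, so a client must not loop on bad
    credentials. The session is a cookie; a sessionId in the body would contradict
    OWASP #3.1.1/#7.1.1 and is flagged rather than trusted."""
    outcome = STATUS_MEANING.get(status, "unexpected")
    result = {"status": status, "outcome": outcome,
              "retry_safe": outcome not in ("unauthorized", "locked")}
    if outcome != "ok":
        return result
    data = json.loads(body)
    result["user_id"] = data["profile"]["userId"]
    result["roles"] = list(data["profile"]["roles"])
    result["realm"] = data["authenticationIdentifier"]["realm"]
    result["session_id_leaked"] = "sessionId" in data
    return result

def login(base_url, login, password, remember_me=False, opener=None):
    """Send the login; the opener's cookie jar then carries the session to later calls."""
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    req = build_login_request(base_url, login, password, remember_me)
    try:
        with opener.open(req, timeout=10) as resp:
            return interpret_login_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx lands here; the body is still readable
        return interpret_login_response(err.code, err.read())
```

Reuse the same opener for every subsequent API call so the authenticated session cookie is sent along with it.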