Authentication

Steve Ives edited this page May 27, 2020 · 7 revisions

Authentication is a process by which a specific user is granted or denied access to a service based on their identity.

Harmony Core supports authentication through standards-based security mechanisms. A client initially presents some kind of user credentials (perhaps a username and password pair, a unique API key, or some other secret value) and, if those credentials are determined to be valid, receives back a secure token. The client then presents that token to the service on subsequent requests to prove that the user has already been authenticated.

The tokens used in this scenario are JSON Web Tokens, usually abbreviated "JWTs".

Briefly, a JWT is a compact, self-contained way to securely transmit information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. Because JWTs are signed, any party can verify the integrity of the information (usually referred to as "claims") contained in the token, but a signed JWT does not HIDE the values of those claims (there are other ways to do that if necessary), so a JWT should not be used to transmit secret or sensitive information. JWTs also typically carry an expiration time, after which they are no longer valid.

Once a client has obtained a JWT, it must return it to the server on each subsequent HTTP call. This is done by including the JWT as a Bearer token in the HTTP Authorization request header. You will learn more about this mechanism later in these tutorials. For now, all you need to know is that once authorization is enabled in a service:

  • The client must contact an unprotected authorization endpoint, present credentials and receive a JWT.

  • To access protected endpoints within the service the client must present that JWT to the service during each request.

  • When receiving a JWT the service will verify the authenticity of the JWT, and ensure that it has not expired.

  • If the server does not receive a valid JWT for a request to a protected endpoint it will return an HTTP 401 (unauthorized) response.

These tutorials will help you to learn more about authentication in Harmony Core: