The Linked Media Framework offers HTTP Basic Authentication by default. Whenever a user wants to log into LMF, an authentication header must be sent to the server. In addition to HTTP Basic, LMF supports a more convenient authentication and authorization mechanism: OAuth2.0. With OAuth2.0, user browsers and other clients, e.g. third-party servers, may request authorization to access LMF resources.
OAuth2.0 is a convenient and widely used authorization mechanism for social media sites, e.g. Facebook and YouTube. It comes in two flavors: client-side and server-side authentication. The main idea is to provide a client (e.g. a browser) or a server (e.g. another LMF server) with an access token that identifies a particular user within a session. It enables clients or servers to request user data when the user allows this.
LMF uses OAuth2.0 authorization both as a consumer and as a producer. As a producer, LMF answers successful login requests with OAuth2.0 tokens; the token is then used for session management on the server side. As a consumer, LMF uses OAuth2.0 to authenticate and authorize a user via other social media sites, e.g. Facebook or YouTube. The collection of OAuth2.0 service providers can easily be extended by creating a client ID and a client secret for the LMF server at the service provider. In the following, we will see how the authentication flows work.
First things first: If you do not want to use another service provider to authenticate, register a user on LMF:
curl -X POST -d 'username=MaxPowers&password=pass' http://localhost/KiWi2/auth/register/
Afterwards you can easily login by sending:
curl -X POST -d 'username=MaxPowers&password=pass&grant_type=password&client_id=1' http://localhost/KiWi2/auth/login
The client_id can be an arbitrary number, as it is currently not validated on the server side. Future releases will require a client to be registered before authentication via that client is possible.
When the authentication was successful, the client receives an access token, a refresh token and the expiration time in JSON format:
{"expires_in":"3600","refresh_token":"6d414943ef3124661a2e9f63cc153b","access_token":"679638d3c4fc80c59c20a1dd6f81efda"}
Furthermore, a cookie containing the access token is created. It expires according to the token expiration time. To destroy the session earlier, it is of course also possible to log out:
curl http://localhost/KiWi2/auth/logout
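The password-grant login flow above, as an added example client (not LMF project code). It assumes only the endpoints shown here: POST /auth/login returning the token JSON and GET /auth/logout; the base URL, LmfAuthClient and the helper names are ours.

```python
"""Password-grant login client for LMF (added example, not LMF project code).
Assumes POST /auth/login returns the token JSON shown above and GET /auth/logout ends the session."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from http.cookiejar import CookieJar


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds, derived from expires_in

    def is_expired(self, now=None, margin=30):
        # Treat the token as stale a little before the server does, so a
        # request never races the expiry. Tokens are secrets: never log them.
        now = time.time() if now is None else now
        return now + margin >= self.expires_at


def build_login_body(username, password, client_id=1):
    # urlencode escapes '&', '=' and '%' inside values, so a password such as
    # 'p&ss=word' cannot split the form into extra fields.
    return urllib.parse.urlencode({"username": username, "password": password,
                                   "grant_type": "password",
                                   "client_id": str(client_id)}).encode()


def parse_token_response(body, now):
    data = json.loads(body)
    # LMF returns expires_in as a string ("3600"); normalise it to seconds.
    return TokenSet(data["access_token"], data["refresh_token"],
                    now + int(data["expires_in"]))


class LmfAuthClient:
    def __init__(self, base_url="http://localhost/KiWi2"):
        self.base_url = base_url.rstrip("/")
        # The cookie jar keeps the session cookie LMF sets on login and
        # sends it back on later requests, including the logout call.
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def login(self, username, password, client_id=1):
        req = urllib.request.Request(self.base_url + "/auth/login",
                                     data=build_login_body(username, password, client_id))
        with self.opener.open(req) as resp:
            return parse_token_response(resp.read(), time.time())

    def logout(self):
        with self.opener.open(self.base_url + "/auth/logout") as resp:
            return resp.status
```

`build_login_body` and `parse_token_response` can be exercised offline against the sample JSON above; `login` and `logout` need a running LMF instance.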
To log into LMF via a 3rd-party OAuth2.0 service provider, call
curl http://localhost/KiWi2/auth/oauth2/{server}
LMF currently supports google and facebook as 3rd-party OAuth2.0 service providers. If you want to be redirected to another website after you have logged in, e.g. if you call the web service from another server, provide the redirect_uri as an HTTP GET parameter:
curl "http://localhost/KiWi2/auth/oauth2/{server}?redirect_uri={redirect_uri}"
Client IDs and secrets that enable LMF to authenticate via the service providers must be configured, including the redirect_uri.