- Single Sign On - Snapper Grape is master
- Single Sign On - third party is master
- POST /api/login
- GET /api/validate
- GET /api/logout
- POST /api/forgot_password
- GET /api/validate_auth_token
Single Sign On - Snapper Grape is master
This SSO system assumes that Snapper Grape is master of all user data, and that the client needs to be logged in directly to Snapper Grape. This should only be necessary if you communicate with the API server-to-server, and the end user needs to access Snapper Grape directly at some point, e.g. to start an e-course.
See sequence diagram below describing how the SSO system is intended to work.
Single Sign On - third party is master
The Snapper Grape API also supports SSO where a third party system is master of user credentials. However, this requires that all user data is present in Snapper Grape. There is no on-the-fly creation of users/persons.
Authentication is done through OAuth2, using Simple Web Token (SWT).
Requests using this form of SSO need to have a header named "Authorization", with value on the form "SWT
A typical SWT token looks like this:
"Issuer" and "ExpiresOn" are not required, but if given, they are checked. "Issuer" is checked against a configured parameter, while "ExpiresOn" is checked for expiry.
In order for Snapper Grape to know who is logged in, one of the following parameters must be present:
Alternatively, we can configure Snapper Grape to use corresponding parameter names:
If everything checks out, and a user is found in Snapper Grape, the user should be logged in.
Logs a user in to Snapper Grape.
String. User name for user trying to log in.
String. Password for user trying to log in.
Int. Must be set to 1 in order for the underlying security system to log the user in.
String. URL to redirect to after successful login. Redirect is not done in this call, but if we are using SSO, the value of forward_url is relayed.
Single Login object.
Validates whether the user has a valid session in Snapper Grape. For use in SSO with a third-party system, where Snapper Grape is master. Note that this is not a normal JSON request; it actually redirects the client in order to make SSO happen.
String. User name of user in question.
String. Short-lived hash, delivered by the login call.
String. URL to forward to after successful negotiation.
Redirect or error object
Log out of Snapper Grape.
String. URL to forward to after successful logout. Simply relayed to the output.
Single Logout object.
Anyone, but only makes sense when logged in.
Resets a user's password.
String. Identification of user to change password for. Can be user name, email or mobile.
Simple object containing two attributes: valid (boolean) and message (String).
Validates token and returns result. Unlike /api/validate, it does not redirect the client. This resource is meant for third parties (like LMS systems) that receive a token from Grape in the URL, and need to validate that this token is valid and belongs to a valid, logged in user.
Int. User's ID. This is the ID we use to connect third party LMS users to Grape users.
String. Token string to validate. A token is valid for 30 seconds from the time it is issued.
"errorcode": (only if not valid)