Closed james-chamberlain closed 8 years ago
Hello @jocII
RESTHeart allows plugging in custom Identity Managers. In summary, a custom IDM has to be implemented in Java and set up in the configuration file.
Have a look at Custom Identity Manager in the documentation.
However, the IDM assumes that the credentials are passed using the Basic Authentication scheme, i.e. via the Authentication request header; if you are fine with passing the jws token via this header, it should be easy to implement (in case you can also rely on paid support).
You can find an implementation of an IDM in the code: DbIdentityManager.java.
I dug into the code a bit further and can see where the authentication mechanisms are created within the SecurityHandler. It doesn't look like it would be that difficult to refactor this to allow other undertow AuthenticationMechanisms to be used. Do you think this is something that your project would add support for? I would think that other users might find this as useful as being able to add their own identity and access managers.
Hi @jocII
RESTHeart uses the Undertow BasicAuthenticationMechanism. This means the credentials are passed via the Authorization request header.
The actual authentication happens in the IDM that is already pluggable. As long as you can pass your token via this header, it shouldn't be a problem implementing a custom IDM that validates it.
Does this make sense for your use case?
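The approach described in the reply above (a token carried in the Basic `Authorization` header and validated server-side), as an added example that is not part of the thread and not RESTHeart code. It assumes HS256 tokens; the class name, the key and the regex-based claim reading (standing in for a JSON/JWT library) are hypothetical, and wiring the check into a RESTHeart IDM is not shown.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BasicHeaderJwtCheck {
    static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"\\\\]+)\"");
    static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(UTF_8));
    }

    /** Returns the "sub" claim if the header carries a valid, unexpired HS256 JWT, else null. */
    static String verify(String authorization, byte[] key, long now) throws GeneralSecurityException {
        if (authorization == null || !authorization.startsWith("Basic ")) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), UTF_8);
            // Basic credentials are "user-id:password"; the JWT travels in the password slot.
            String[] jwt = pair.substring(pair.indexOf(':') + 1).split("\\.", -1);
            if (jwt.length != 3) return null;
            // The MAC algorithm is fixed here; the token header's "alg" never selects it.
            byte[] sig = Base64.getUrlDecoder().decode(jwt[2]);
            if (!MessageDigest.isEqual(hmac(key, jwt[0] + "." + jwt[1]), sig)) return null;
            // Claims are read only after the signature has been verified.
            String claims = new String(Base64.getUrlDecoder().decode(jwt[1]), UTF_8);
            Matcher sub = SUB.matcher(claims), exp = EXP.matcher(claims);
            if (!sub.find() || !exp.find() || Long.parseLong(exp.group(1)) <= now) return null;
            return sub.group(1);
        } catch (IllegalArgumentException malformed) { // bad Base64 or out-of-range exp
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-a-real-secret".getBytes(UTF_8); // constructed sample
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String body = b64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(UTF_8)) + "."
                + b64.encodeToString("{\"sub\":\"alice\",\"exp\":2000000000}".getBytes(UTF_8));
        String token = body + "." + b64.encodeToString(hmac(key, body));
        String header = "Basic " + Base64.getEncoder().encodeToString(("token:" + token).getBytes(UTF_8));
        System.out.println(verify(header, key, 1700000000L));                    // token within lifetime
        System.out.println(verify(header, "other-key".getBytes(UTF_8), 1700000000L)); // signed with a different key
        System.out.println(verify(header, key, 2000000001L));                    // checked after exp
    }
}
```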
I have an application that uses a token-based security scheme using JWT tokens. Is there a mechanism to provide an alternate credential implementation that passes a token instead of username and password?