1) Obtaining an SSO token from Apache Syncope
As stated above, in the past it was necessary to supply HTTP Basic Authentication credentials when invoking on the REST API. Let's look at an example using curl. Assume we have a running Apache Syncope instance with a user "alice" with password "ecila". We can make a GET request to the user self service via:
- curl -u alice:ecila http://localhost:8080/syncope/rest/users/self
- curl -I -u alice:ecila -X POST http://localhost:8080/syncope/rest/accessTokens/login
- X-Syncope-Token: A JWT token signed according to the JSON Web Signature (JWS) spec.
- X-Syncope-Token-Expire: The expiry date of the token
The signing key and the issuer name can be changed by editing 'security.properties' and specifying new values for 'jwsKey' and 'jwtIssuer'. Please note that it is critical to change the signing key from the default value! It is also possible to change the signature algorithm from the next 2.0.4 release via a custom 'securityContext.xml' (see here). The default lifetime of the token (120 minutes) can be changed via the "jwt.lifetime.minutes" configuration property for the domain.
2) Using the SSO token to invoke on a REST service
Now that we have an SSO token, we can use it to invoke on a REST service instead of specifying our username and password as before. For Syncope 2.0.3 only, the header name is the same as the header name above "X-Syncope-Token". From Syncope 2.0.4 onwards, the header name is "Authorization: Bearer <token>", e.g.:
- curl -H "Authorization: Bearer eyJ0e..." http://localhost:8080/syncope/rest/users/self
Finally, SSO tokens can be seen in the admin console under "Dashboard/Access Token", where they can be manually revoked by the admin user: