...

Abiquo implements OAuth 1 rather than OAuth 2 because it considers OAuth 1 to be more secure and more interoperable. See http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

...

To avoid exposing user credentials on every call, Abiquo provides token-based authentication. For each authenticated request, Abiquo generates an authentication token that can be used to make further requests to the API without sending the credentials again. Each HTTP response carries a header with an expiring token that can be used to perform requests to the API. To use token-based authentication, the client must send the token in the "Authorization" header, as follows:

...

Response Headers: Content-Length, Content-Type, Date, X-Abiquo-Token.
Response Message Body: N/A.
Response Status: 200, 401, 403.
Example Response: Response of the authenticated GET over a Datacenters resource

...

  1. Get the information of the current user:

    GET User Info
    % curl -v -u admin:xabiquo http://example.com/api/login -H "Accept:application/vnd.abiquo.user+xml"
    
    > GET /api/login HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: example.com
    > Accept:application/vnd.abiquo.user+xml
    
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMDM3NDgxMzphZjdjNTY1ZjJhNDgzNTc4Y2EyZGEzNTJiNTcwNmE3ZDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=1691863788974462744; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.user+xml
    < Content-Length: 1422
    < Date: Thu, 01 Oct 2015 14:09:35 GMT
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <user>
     <link title="Abiquo" rel="enterprise" type="application/vnd.abiquo.enterprise+xml" href="http://example.com:80/api/admin/enterprises/1"/>
     <link title="CLOUD_ADMIN" rel="role" type="application/vnd.abiquo.role+xml" href="http://example.com:80/api/admin/roles/1"/>
     <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
     <link title="virtual machines" rel="virtualmachines" type="application/vnd.abiquo.virtualmachines+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/virtualmachines"/>
     <link title="pending tasks" rel="pendingtasks" type="application/vnd.abiquo.tasks+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/pendingtasks"/>
     <link title="applications" rel="applications" type="application/vnd.abiquo.applications+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/applications"/>
     <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
     <id>1</id>
     <nick>admin</nick>
     <name>Cloud</name>
     <surname>Administrator</surname>
     <description>Main administrator</description>
     <email></email>
     <locale>en_US</locale>
     <authType>ABIQUO</authType>
     <active>true</active>
     <firstLogin>false</firstLogin>
     <locked>false</locked>
    </user>
    



  2. The user info contains a link with rel="enable2fa" (titled "enable two factor authentication"). To enable two-factor authentication, send a POST request to that link indicating the type of two-factor authentication to enable.

    Enable two factor authentication
    % curl -v -u admin:xabiquo -X POST http://localhost:80/api/admin/enterprises/1/users/1/action/enable2fa \
        -H "Accept: application/vnd.abiquo.twofactorauthcredentials+json" \
        -H "Content-type: application/vnd.abiquo.twofactorauthprovider+json" \
        -d '{"type": "GOOGLE_AUTHENTICATOR"}'
    
    > POST /api/admin/enterprises/1/users/1/action/enable2fa HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: localhost
    > Accept: application/vnd.abiquo.twofactorauthcredentials+json
    > Content-type: application/vnd.abiquo.twofactorauthprovider+json
    > Content-Length: 32
    
    < HTTP/1.1 201 Created
    * Server Apache-Coyote/1.1 is not blacklisted
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMTM2NTcyNzpjOWJmYzczMmRlOGU3ODBmMzFiN2JkYmZhN2RiMTYzMDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=3703152771382913736; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.twofactorauthcredentials+json
    < Transfer-Encoding: chunked
    < Date: Thu, 01 Oct 2015 14:26:05 GMT
    
    {
       "authenticatorURL" : "otpauth://totp/Abiquo:admin?secret=UXEHFMAX7RXAJHYE&issuer=Abiquo",
       "links" : [],
       "provider" : "GOOGLE_AUTHENTICATOR",
       "scratchCodes" : [
          "88309169",
          "40838958",
          "93393020",
          "91684230",
          "17576595"
       ]
    }


    The value of the type field can be one of the following: EMAIL, GOOGLE_AUTHENTICATOR.
    The response comes with all the two-factor authentication details:

    • The list of "scratch codes" that can be used for recovery if the user can no longer obtain a verification code, for example because there is an issue with the Google Authenticator mobile app.

    • The "authenticatorURL" (an otpauth:// URL containing the shared secret) that can be used to enrol Abiquo in the Google Authenticator mobile app: it can be rendered as a QR code that is scanned directly with the app, or the URL can be typed into the app manually.
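The following script is an added example, not part of the original page or of Abiquo's own code. It walks through steps 1 and 2 offline: it finds the enable2fa link in the user representation, assembles the POST exactly as the curl call above does, parses the returned credentials (the otpauth:// URL and the scratch codes), and then computes the TOTP code a Google Authenticator app would show for that secret using the standard RFC 6238 algorithm. The sample XML and JSON are constructed copies of the responses shown above (trimmed, with the same secret and scratch codes); the helper names are the example's own, and no network call is made.

```python
"""Enable-2FA flow for the Abiquo API, worked offline on constructed samples."""
import base64
import hashlib
import hmac
import json
import struct
import time
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: a trimmed copy of the user document returned by GET /api/login.
USER_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
 <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
 <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
 <nick>admin</nick>
</user>"""

# Constructed sample: the credentials JSON returned by the POST to enable2fa.
CREDENTIALS_JSON = """{
   "authenticatorURL" : "otpauth://totp/Abiquo:admin?secret=UXEHFMAX7RXAJHYE&issuer=Abiquo",
   "links" : [],
   "provider" : "GOOGLE_AUTHENTICATOR",
   "scratchCodes" : ["88309169", "40838958", "93393020", "91684230", "17576595"]
}"""

PROVIDERS = ("EMAIL", "GOOGLE_AUTHENTICATOR")  # values accepted by the "type" field


def find_link(user_xml: str, rel: str) -> Optional[str]:
    """Return the href of the <link> with the given rel, or None if the document
    has no such link (the server decides which actions it exposes)."""
    root = ET.fromstring(user_xml)
    for link in root.findall("link"):
        if link.get("rel") == rel:
            return link.get("href")
    return None


def build_enable2fa_request(user_xml: str, provider: str = "GOOGLE_AUTHENTICATOR"):
    """Assemble (url, headers, body) for the POST, following the link rather than
    hard-coding the path; mirrors the curl invocation above."""
    if provider not in PROVIDERS:
        raise ValueError("unsupported provider: %s" % provider)
    href = find_link(user_xml, "enable2fa")
    if href is None:
        raise LookupError("user document has no enable2fa link")
    headers = {
        "Accept": "application/vnd.abiquo.twofactorauthcredentials+json",
        "Content-type": "application/vnd.abiquo.twofactorauthprovider+json",
    }
    return href, headers, json.dumps({"type": provider})


def parse_credentials(body: str) -> dict:
    """Parse the credentials response and split the otpauth:// URL into
    label, issuer and base32 secret; scratch codes are kept as a set."""
    data = json.loads(body)
    url = urlparse(data["authenticatorURL"])
    if url.scheme != "otpauth" or url.netloc != "totp":
        raise ValueError("unexpected authenticator URL: %s" % data["authenticatorURL"])
    query = parse_qs(url.query)
    return {
        "provider": data["provider"],
        "label": url.path.lstrip("/"),
        "issuer": query.get("issuer", [None])[0],
        "secret": query["secret"][0],
        "scratch_codes": set(data["scratchCodes"]),
    }


def totp(secret_b32: str, for_time: Optional[float] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def redeem_scratch_code(creds: dict, code: str) -> bool:
    """Scratch codes are recovery codes and must be single use: accept a code
    once, then discard it so it cannot be replayed."""
    if code in creds["scratch_codes"]:
        creds["scratch_codes"].discard(code)
        return True
    return False


if __name__ == "__main__":
    url, headers, body = build_enable2fa_request(USER_XML)
    print("POST", url, headers, body)
    creds = parse_credentials(CREDENTIALS_JSON)
    print("issuer:", creds["issuer"], "label:", creds["label"])
    print("code the app would show now:", totp(creds["secret"]))
```

Following the link by its rel rather than hard-coding the path keeps the client working if the server moves the action, and treating scratch codes as a consumable set reflects how they are meant to be used: each one is a one-time replacement for a lost verification code.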

Interaction with the API with two factor authentication enabled

...