Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

Table of Contents

Author: Ignasi Barrera

Authentication methods

The Abiquo API implements the following authentication to prevent unauthorized access to API resources:

OAuth v1.0 Version A

...

authentication

You can use OAuth to authenticate against the Abiquo API. With OAuth, users can create their own applications and connect them to the Abiquo API in a controlled and standard way.

Users can register their own applications using

The Abiquo API implements the OAuth 1.0 protocol, so any application that implements it can be used to consume the Abiquo API. The basic authentication workflow for an already registered application, as defined by the protocol, consists of the following steps:

  1. The client application requests an

...

  1.  Unauthenticated Request Token.

  2. The user authorizes the Request Token.

  3. The client application exchanges the Request Token for an Access Token.

When the Access Token has been granted, the client application can use it to sign the requests and authenticate against the Abiquo API.

The following table shows the OAuth specific endpoints that you must be used use when implementing the OAuth workflow.

Operation

Endpoint

Request unauthenticated token

/oauth/request_token

Authorize request token

/oauth/authorize?oauth_token=<request token>

Get access token

/oauth/access_token

The following table describes the query parameters that are used in the OAuth authentication workflow:

Query parameter

Description

oauth_token

Required when authorizing a request token.

oauth_callback

A callback URL where clients will be redirected after successful authentication

oauth_verifier

Verifier value used when authorizing a Request Token

Why OAuth 1?

Abiquo

...

chose to implement OAuth 1 because

...

, at the time of implementation, it was considered more secure and interoperable than OAuth 2

...

.

...

OAuth example applications

For an example of an Abiquo authentication flow, please see the following Python and Ruby simple applications: https://gist.github.com/nacx/8581621

...

When you use OpenID Connect, Abiquo disables basic authentication, but you can still use OAuth or a session token to access the API as before. Or you can obtain OpenID Connect tokens by doing these steps:

  1. Manually log in to the platform

  2. When you are redirected back to the Abiquo console, obtain the access token and refresh token from the browser.

Once you have the tokentokens, you can issue requests to the API by providing the following HTTP header:

 

Code Block
Authorization: Bearer <the access token><ACCESS_TOKEN>

And you can use the Refresh token as necessary.

See Abiquo OpenID Connect Integrationintegration

SAML

When you use SAML 2.0 you can disable basic authentication, but you can still use OAuth or a session token to access the API as before. See SAML Integrationintegration.

Basic HTTP

...

authentication

Authentication Abiquo supports authentication following the Basic HTTP Authentication standard. The client must provide its credentials in base64 format, sending them in a request header in the form:

Authentication Header format
Code Block
title
Authorization: Basic base64(<user><USER>:<password><PASSWORD>)

For example, for (a with the credentials user:user):

Code Block
titleAuthentication Header format
AuthorizationAuthorization: Basic dXNlcjp1c2Vy

The authentication workflow should be as follows:

  1. The client requests a resource, without providing any credentials.

  2. An HTTP response code of 401 (Unauthorized) is returned.

  3. The client requests the resource providing the credentials.

    1. If authentication fails, the server returns an HTTP response code of 401 (Unauthorized), indicating a Bad Credentials or a User is disabled error.

    2. If authentication succeeds, but the user does not have enough privileges to access the requested resource, the server returns an HTTP response code of 403 (Forbidden) indicating a Denied Access error

...

    1. .

    2. If authentication is successful, the server returns an HTTP

...

    1. response code of 200 (OK), the requested resource, and an authentication token that the client can use to authenticate future requests.

  1. The client requests another resource,

...

  1. supplying the authentication token

...

Basic authentication workflow example

Request a resource without providing credentials

  • Request

...

  • headers: Accept, Content-Type.
    Request

...

  • parameters: N/A.
    Request

...

  • message body: N/A.
    Request example: Retrieve all the datacenters

  • GET datacenters request

    Code Block

...

  • % curl --verbose 'http://example.com/api/admin/datacenters/' \
            -X GET \
            -H "Accept:application/vnd.abiquo.datacenters+xml"
    
    > GET /api/admin/datacenters HTTP/1.1
    > User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
    > Host: exmaple.com
    > Accept: application/vnd.abiquo.datacenters+xml

...

  • Response

...

  • headers: Content-Length, Content-Type, WWW-Authenticate, Date.
    Response

...

  • message body: N/A.
    Response

...

  • status: 200, 401, 403.
    Example

...

  • response: Response of the unauthenticated GET over a Datacenters resource

  • GET datacenters response

    Code Block

...

  • < HTTP/1.1 401 Unauthorized
    < Server: Apache-Coyote/1.1
    < WWW-Authenticate: Basic realm="Abiquo"
    < Content-Type: text/html;charset=utf-8
    < Content-Length: 1152
    < Date: Fri, 02 Jul 2010 09:40:14 GMT

...

Request a resource providing valid credentials

  • Request

...

  • headers: Accept, Content-Type, Authentication.
    Request

...

  • parameters: N/A.
    Request

...

  • message body: N/A.
    Request example: Retrieve all the datacenters

  • GET datacenters request

    Code Block

...

titleGET Datacenters Request
  • % curl --verbose 'http://example.com/api/admin/datacenters/' \
            -X GET \
            -H "Accept:application/vnd.abiquo.datacenters+xml" \
            -H "Authorization: Basic ZXhhbXBsZTpleGFtcGxl"
    
    > GET /api/admin/datacenters HTTP/1.1
    > User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
    > Host: example.com
    > Authorization: Basic ZXhhbXBsZTpleGFtcGxl
    > Accept: application/vnd.abiquo.datacenters+xml

...

  • Response

...

  • headers: Content-Length, Content-Type, Date, X-Abiquo-Token.
    Response

...

  • message body: N/A.
    Response

...

  • status: 200, 401, 403.
    Example

...

  • response: Response of the authenticated GET over a Datacenters resource

  • GET datacenters response

    Code Block

...

  • < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Abiquo-Token: 1169dbbca2c1123455ab6b5a06b2b38756fb
    < Content-Type: application/vnd.abiquo.datacenters+xml
    < Content-Length: 420
    < Date: Fri, 02 Jul 2010 09:50:52 GMT
    <
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <datacenters>
        <datacenter>
            <link href="http://example.com/api/admin/datacenters/1" rel="edit"/>
            <link href="http://example.com/api/admin/datacenters/1/racks" rel="racks"/>
            <link href="http://example.com/api/admin/datacenters/1/remoteServices" rel="remoteServices"/>
            <id>1</id>
            <location>Redwood city</location>
            <name>myDatacenter</name>
        </datacenter>
    </datacenters>

...

After a successful request, the response will contain the X-Abiquo-Token Token header with an authentication token that can be used in subsequent requests, as described in the Token Based Authentication section.

Request a resource providing valid credentials but with insufficient privileges

  • Request

...

  • headers: Accept, Content-Type, Authentication.
    Request

...

  • parameters: N/A.
    Request

...

  • message body: N/A.
    Request example: Retrieve all the datacenters

  • GET datacenters request

    Code Block

...

  • % curl --verbose 'http://example.com/api/admin/datacenters/' \
            -X GET \
            -H "Accept: application/vnd.abiquo.datacenters+xml" \
            -H "Authorization: Basic ZXhhbXBsZTpleGFtcGxl"
    
    > GET /api/admin/datacenters HTTP/1.1
    > User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
    > Host: example.com
    > Authorization: Basic ZXhhbXBsZTpleGFtcGxl
    > Accept: application/vnd.abiquo.datacenters+xml

...

  • Response

...

  • headers: Content-Length, Content-Type, Date.
    Response

...

  • message body: N/A.
    Response

...

  • status: 200, 401, 403.
    Example

...

  • response: Response of the authenticated GET over a Datacenters resource, but without enough privileges

  • GET datacenters response

    Code Block

...

  • < HTTP/1.1 403 Forbidden
    < Server: Apache-Coyote/1.1
    < Content-Type: text/html;charset=utf-8
    < Content-Length: 1021
    < Date: Fri, 02 Jul 2010 09:59:42 GMT

...

Token-based authentication

To avoid exposing user credentials, Abiquo provides a token-based authentication. For each authenticated request, Abiquo generates an authentication token that can be used to make requests to the API without the need of passing to pass the credentials. Each HTTP response contains a header with an expirable token that you can be used use to perform requests to the API. In order to use the token based token-based authentication, the client must send it in the "Authorization" header, as follows:

...

...

Authentication

...

header format for token-based authentication

Code Block
Authorization: Token authentication-token
<AUTHENTICATION_TOKEN>

After a successful request, the response will contain the X-Abiquo-Token Token header with a new token that can be used in subsequent requests.

Request a resource without providing credentials

  • Request

...

  • headers: Accept, Content-Type.
    Request

...

  • parameters: N/A.
    Request

...

  • message body: N/A.
    Request example: Retrieve all

...

  • datacenters

  • GET datacenters request

    Code Block

...

  • % curl --verbose 'http://example.com/api/admin/datacenters/' \
            -X GET \
            -H "Accept:application/vnd.abiquo.datacenters+xml"
    
    > GET /api/admin/datacenters HTTP/1.1
    > User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
    > Host: exmaple.com
    > Accept: application/vnd.abiquo.datacenters+xml

...

  • Response

...

  • headers: Content-Length, Content-Type, WWW-Authenticate, Date.
    Response

...

  • message body: N/A.
    Response

...

  • status: 200, 401, 403.
    Example

...

  • response: Response of the unauthenticated GET

...

  • request to the Datacenters resource

  • GET datacenters response

    Code Block

...

  • < HTTP/1.1 401 Unauthorized
    < Server: Apache-Coyote/1.1
    < WWW-Authenticate: Token realm="Abiquo"
    < Content-Type: text/html;charset=utf-8
    < Content-Length: 1152
    < Date: Fri, 02 Jul 2010 09:40:14 GMT

...

Request a resource providing valid credentials

  • Request

...

  • headers: Accept, Content-Type, Authentication.
    Request

...

  • parameters: N/A.
    Request

...

  • message body: N/A.
    Request example: Retrieve all the datacenters

...

...

  • GET datacenters request

    Code Block
    % curl --verbose 'http://example.com/api/admin/datacenters/' \
            -X GET \
            -H "Accept:application/vnd.abiquo.datacenters+xml" \
            -H "Authorization: Token 1169dbbca2c1da4da5ab6b5a06b2b38756fb"
    
    > GET /api/admin/datacenters HTTP/1.1
    > User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
    > Host: example.com
    > Authorization: Token 1169dbbca2c1da4da5ab6b5a06b2b38756fb
    > Accept: application/vnd.abiquo.datacenters+xml

...

  • Response

...

  • headers: Content-Length, Content-Type, Date, X-Abiquo-Token.
    Response

...

  • message body: N/A.
    Response

...

  • status: 200, 401, 403.
    Example

...

  • response: Response of the authenticated GET over a Datacenters resource

...

  • GET datacenters response

    Code Block
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Abiquo-Token: 1169dbbca2c1123455ab6b5a06b2b38756fb
    < Content-Type: application/vnd.abiquo.datacenters+xml
    < Content-Length: 420
    < Date: Fri, 02 Jul 2010 09:50:52 GMT
    <
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <datacenters>
        <datacenter>
            <link href="http://example.com/api/admin/datacenters/1" rel="edit"/>
            <link href="http://example.com/api/admin/datacenters/1/racks" rel="racks"/>
            <link href="http://example.com/api/admin/datacenters/1/remoteServices" rel="remoteServices"/>
            <id>1</id>
            <location>Redwood city</location>
            <name>myDatacenter</name>
        </datacenter>
    </datacenters>

...

Two factor authentication

With Basic Authentication, Abiquo can protect user accounts with a two-factor authentication code. When you enable two-factor authentication is enabled, users will be required to must provide an additional verification code to prove their identity. That token will be delivered Abiquo will deliver that code to the user by Abiquo, using through the configured mechanismsystem. Currently, there are two supported ways of getting the verification ways that Abiquo can deliver the code:

Email

The verification code will be sent to the user's by e-mail every time

a

for each login

is requested

Google Authenticator

The Google Authenticator mobile app

is used to

will generate the verification code for each login

Note

Two factor authentication is an addition to Basic Auth. Applications using OAuth

...

do not need to provide the two factor verification code

...

Enable two factor authentication

Users with access to the User icon menu can enable two factor authentication from the corresponding menu option. See Configure your user account

The following step-by-step example shows how to enable two factor authenticaton authentication for a user via the API:

  1. Get the information of the current user:

    GET user info

    Code Block

...

titleGET User Info
  1. % curl -v -u admin:xabiquo http://example.com/api/login -H "Accept:application/vnd.abiquo.user+xml"
    
    > GET /api/login HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: example.com
    > Accept:application/vnd.abiquo.user+xml
    
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMDM3NDgxMzphZjdjNTY1ZjJhNDgzNTc4Y2EyZGEzNTJiNTcwNmE3ZDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=1691863788974462744; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.user+xml
    < Content-Length: 1422
    < Date: Thu, 01 Oct 2015 14:09:35 GMT
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <user>
     <link title="Abiquo" rel="enterprise" type="application/vnd.abiquo.enterprise+xml" href="http://example.com:80/api/admin/enterprises/1"/>
     <link title="CLOUD_ADMIN" rel="role" type="application/vnd.abiquo.role+xml" href="http://example.com:80/api/admin/roles/1"/>
     <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
     <link title="virtual machines" rel="virtualmachines" type="application/vnd.abiquo.virtualmachines+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/virtualmachines"/>
     <link title="pending tasks" rel="pendingtasks" type="application/vnd.abiquo.tasks+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/pendingtasks"/>
     <link title="applications" rel="applications" type="application/vnd.abiquo.applications+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/applications"/>
     <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
     <id>1</id>
     <nick>admin</nick>
     <name>Cloud</name>
     <surname>Administrator</surname>
     <description>Main administrator</description>
     <email></email>
     <locale>en_US</locale>
     <authType>ABIQUO</authType>
     <active>true</active>
     <firstLogin>false</firstLogin>
     <locked>false</locked>
    </user>

...

  1. The user info contains a

...

  1. link toenable two factor authentication. To enable two factor authentication, send a POST request indicating the type of two-factor authentication to enable.

...


  1. Enable two factor authentication

    Code Block
    % curl -v -u admin:xabiquo -X POST http://localhost:80/api/admin/enterprises/1/users/1/action/enable2fa \
        -H "Accept: application/vnd.abiquo.twofactorauthcredentials+json" \
        -H "Content-type: application/vnd.abiquo.twofactorauthprovider+json" \
        -d '{"type": "GOOGLE_AUTHENTICATOR"}'
    
    > POST /api/admin/enterprises/1/users/1/action/enable2fa HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: localhost
    > Accept: application/vnd.abiquo.twofactorauthcredentials+json
    > Content-type: application/vnd.abiquo.twofactorauthprovider+json
    > Content-Length: 32
    
    < HTTP/1.1 201 Created
    * Server Apache-Coyote/1.1 is not blacklisted
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMTM2NTcyNzpjOWJmYzczMmRlOGU3ODBmMzFiN2JkYmZhN2RiMTYzMDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=3703152771382913736; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.twofactorauthcredentials+json
    < Transfer-Encoding: chunked
    < Date: Thu, 01 Oct 2015 14:26:05 GMT
    
    {
       "authenticatorURL" : "otpauth://totp/Abiquo:admin?secret=UXEHFMAX7RXAJHYE&issuer=Abiquo",
       "links" : [],
       "provider" : "GOOGLE_AUTHENTICATOR",
       "scratchCodes" : [
          "88309169",
          "40838958",
          "93393020",
          "91684230",
          "17576595"
       ]
    }


    The value of the type

...

  1.  attribute can be one of the following: EMAIL, GOOGLE_AUTHENTICATOR.
    The response

...

  1. contains all the two-factor authentication details:

    1. The list of

...

    1. scratch codes

...

    1. that can be used for recovery in case the verification code is lost, or there is an issue with the Google Authenticator mobile app.

    2. The

...

    1. authenticationURL

...

    1. that can be used to enable Abiquo in the Google Authenticator mobile app

...

    1. . You can use it to generate a QR code that can be directly scanned using the app, or

...

    1. a URL that can be manually typed in it.

Interaction with the API with two factor authentication enabled

When two factor authentication is enabled, normal requests using Basic Authentication will fail and the two factor verification code will be requested:

...

...

  • GET user info without the verification code

    Code Block
    % curl -v -u admin:xabiquo http://example.com/api/login -H "Accept:application/vnd.abiquo.user+xml"
    
    > GET /api/login HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: example.com
    > Accept:application/vnd.abiquo.user+xml
    
    
    < HTTP/1.1 401 Unauthorized
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/api
    < WWW-Authenticate: Basic realm="Abiquo"
    < X-Abiquo-OTP: required; type=GOOGLE_AUTHENTICATOR

Note the header: X-Abiquo-OTP: required;

That This header indicates that the verification code is missing, and the type parameter indicates how the user can get it. The possible values are:

EMAIL

The user will receive an email with the verification code.

GOOGLE_AUTHENTICATOR

The user should use the Google Authenticator mobile app to generate the verification code.

none

The user has not enabled two factor authentication but the enterprise requires it to access Abiquo.

User

The user must enable 2FA using the method described above.

Once When the user has the verification code, they can provide it can be provided in the X-Abiquo-OTP header, as follows:

...

  • GET

...

  • user info with the verification code

    Code Block
    % curl -v -u admin:xabiquo http://example.com/api/login \
        -H "Accept:application/vnd.abiquo.user+xml" \
        -H "X-Abiquo-OTP: 670870"
    
    > GET /api/login HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: example.com
    > Accept:application/vnd.abiquo.user+xml
    > X-Abiquo-OTP: 637614
    
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMDM3NDgxMzphZjdjNTY1ZjJhNDgzNTc4Y2EyZGEzNTJiNTcwNmE3ZDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=1691863788974462744; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.user+xml
    < Content-Length: 1422
    
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <user>
     <link title="Abiquo" rel="enterprise" type="application/vnd.abiquo.enterprise+xml" href="http://example.com:80/api/admin/enterprises/1"/>
     <link title="CLOUD_ADMIN" rel="role" type="application/vnd.abiquo.role+xml" href="http://example.com:80/api/admin/roles/1"/>
     <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
     <link title="virtual machines" rel="virtualmachines" type="application/vnd.abiquo.virtualmachines+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/virtualmachines"/>
     <link title="pending tasks" rel="pendingtasks" type="application/vnd.abiquo.tasks+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/pendingtasks"/>
     <link title="applications" rel="applications" type="application/vnd.abiquo.applications+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/applications"/>
     <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
     <id>1</id>
     <nick>admin</nick>
     <name>Cloud</name>
     <surname>Administrator</surname>
     <description>Main administrator</description>
     <email></email>
     <locale>en_US</locale>
     <authType>ABIQUO</authType>
     <active>true</active>
     <firstLogin>false</firstLogin>
     <locked>false</locked>
    </user>

...

Disable two factor authentication

Two factor authentication can be disabled at any time. As in the enable process, the user information will contain a link that points to the location where two factor authentication can be disabled. Users just have to perform a POST request there to disable it:

...

...

  • Disable two factor authentication

    Code Block
    % curl -v -u admin:xabiquo http://localhost:80/api/admin/enterprises/1/users/1/action/disable2fa \
        -x POST
        -H "X-Abiquo-OTP: 670870"
    
    > POST /api/admin/enterprises/1/users/1/action/disable2fa HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: localhost
    > Accept: */*
    > X-Abiquo-OTP: 670870
    
    < HTTP/1.1 204 No Content
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMjI0MzM2Mzo5OTkxYTRlMGJmMzBlYjcwZmVjNjYwNDQyYmFkZTlkMjpBQklRVU8; Expires=Thu, 01-Oct-2015 15:10:43 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=2563697997063896162; Expires=Thu, 01-Oct-2015 15:10:43 GMT; Path=/; HttpOnly