Authentication

All calls to the Management API should be authenticated. Any call with missing or incorrect authentication will result in a 401 error.

Authentication headers

The authentication method for this API is the HTTP Bearer scheme. Every HTTP call must carry an Authorization header of the form Bearer <JWT>. The token must have been issued by the JWT issuer specified in the environment variables.

Implementation

The authentication is verified using passportjs through the passport-jwt strategy. The signing keys are fetched from the authentication provider's well-known (JWKS) URL specified in the environment variables, using the helper library jwks-rsa.

Once the token validation has succeeded, the final step is to establish who the user represents in the platform. To do so, we take the identity provider's user ID from the verified JWT and look up the user in the Management API database that corresponds to that identity provider ID.

If we cannot find the corresponding user, we cannot identify this user in the platform and reject the call with a 401 error.

If the user is found, we inject the found User object into the request for further processing. We will then carry on to the next step, which is authorization.