Redirect Notice
As of April 12th, you must go to Progress SupportLink to create new support cases or to access existing cases. Please, bookmark the SupportLink URL and use the new portal to contact the support team.
How can we help you today?
Login without password using master secret
7 CommentsSorted by Newest First
Hey Caroline - Any update on this?
With a little more thought on this topic, the token returned should not be new if one already exists. Otherwise it will logout users already logged in.
Another way of achieving this may be for Kinvey to return the existing (or a new authtoken if none already exists) when querying a specific user using the master key via `GET /user/:appKey/:id` ?
With a little more thought on this topic, the token returned should not be new if one already exists. Otherwise it will logout users already logged in.
Another way of achieving this may be for Kinvey to return the existing (or a new authtoken if none already exists) when querying a specific user using the master key via `GET /user/:appKey/:id` ?
Thanks Caroline. Hopefully this is something we could achieve via a /rpc or /user REST API request or possible via a Business Logic function - for example modules.backendContext.getAuthToken(username).
Hey Ryan, I will chat with Ivan about it and see if it's coming up in the roadmap and let you know.
An example would be:
POST /rpc/:appKey/generate-token HTTP/1.1
Host: baas.kinvey.com
Authorization: [Basic Auth with master credentials]
Content-Type: application/json
{
"username": "ivan"
}
returning:
HTTP/1.1 200 OK
X-Kinvey-Api-Version: 1
Content-Type: application/json
{
"username": "ivan",
"location": "Cambridge, MA, USA",
"locale": "en-US",
"_kmd":
{
"lmt":"2012-06-29T13:02:11.864Z",
"authtoken":"368c9f15-01b4-4a49-9b8d-989f4b2d30ed.Vai/mloxDgUUiSwiRkA9kDvoBu5NvlZaEkGXrREY8G9="
}
}
POST /rpc/:appKey/generate-token HTTP/1.1
Host: baas.kinvey.com
Authorization: [Basic Auth with master credentials]
Content-Type: application/json
{
"username": "ivan"
}
returning:
HTTP/1.1 200 OK
X-Kinvey-Api-Version: 1
Content-Type: application/json
{
"username": "ivan",
"location": "Cambridge, MA, USA",
"locale": "en-US",
"_kmd":
{
"lmt":"2012-06-29T13:02:11.864Z",
"authtoken":"368c9f15-01b4-4a49-9b8d-989f4b2d30ed.Vai/mloxDgUUiSwiRkA9kDvoBu5NvlZaEkGXrREY8G9="
}
}
Caroline - Any chance we can get visibility if this is on the roadmap too? This is the last item that's stopping us from building our app on this platform.
If not possible via REST API is there some way we could do this via a Custom Endpoint to generate a session token for a specific user?
If not possible via REST API is there some way we could do this via a Custom Endpoint to generate a session token for a specific user?
Hey Ivan,
Thanks for commenting! That's more for using the master secret - which has access to everything and shouldn't be client-facing.
I'm referring to generating an authtoken for a user without having to supply a password.
This way queries/ACL etc are enforced and the app behaves as if the user has logged in giving their username/password.
Ryan
Thanks for commenting! That's more for using the master secret - which has access to everything and shouldn't be client-facing.
I'm referring to generating an authtoken for a user without having to supply a password.
This way queries/ACL etc are enforced and the app behaves as if the user has logged in giving their username/password.
Ryan
For server-side logins you can just use basic auth using the master secret, and no authtoken is required. http://devcenter.kinvey.com/rest/guides/security#basicauthentication
Does that work?
Does that work?
ryanmills
Any chance we could "become" a user by calling a login request via REST API with the master secret - without having to a specify a password? The request would then return the normal authtoken for that user.
This would be valuable for custom server-side logins (third-party authentication) and also the ability to login as a user for support purposes.
Thanks,
Ryan