...

parameter    value
user         email/id of user
password     password of user

Example call with curl:

Code Block
# Login: test@dspace.com , Password: p4ssword
curl -v -X POST --data "user=test%40dspace.com&password=p4ssword" "https://{dspace.server.url}/api/authn/login" -H "X-XSRF-TOKEN: {csrf-token}"

NOTE: a login request first requires obtaining a valid CSRF token from the REST API. See https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

This call will return a JWT (JSON Web Token) in the Authorization header of the response, using the Bearer scheme. This token has to be sent on subsequent calls to provide your authentication details. For example:

Code Block
curl -v "https://{dspace.server.url}/api/core/items" -H "Authorization: Bearer eyJhbG...COdbo"

See also https://github.com/DSpace/RestContract/blob/main/authentication.md

Login using the HAL-browser

...

For DSpace to detect the token it has to be sent in the Authorization header using the Bearer scheme: type "Bearer", then a space, then paste the token.

Keep in mind that all modifying requests (POST, PUT, PATCH, DELETE) also require sending a separate CSRF token in the X-XSRF-TOKEN header. See https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

Authentication Status

The authentication status can be checked by sending your received token to the status endpoint in the Authorization header:

Code Block
curl -v "https://{dspace.server.url}/api/authn/status" -H "Authorization: Bearer eyJhbG...COdbo"

This will return the authentication status, e.g.:

...

To logout and invalidate the token, send the token in the Authorization header with the bearer scheme to the following endpoint:

/api/authn/logout

For example:

Code Block
# NOTE: Logout must be done via POST
curl -v -X POST "https://{dspace.server.url}/api/authn/logout" -H "Authorization: Bearer eyJhbG...COdbo" -H "X-XSRF-TOKEN: {csrf-token}"

This will log the user out on every device or browser.

See also https://github.com/DSpace/RestContract/blob/main/authentication.md
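The login, status and logout calls above, driven from Python instead of curl, as an added example (this is not code from the DSpace project). The HTTP transport is injectable so the exchange can be exercised offline; the default transport uses urllib. Assumed here, from the linked csrf-tokens.md rather than from this page: the CSRF token arrives in the DSPACE-XSRF-TOKEN response header together with a DSPACE-XSRF-COOKIE cookie, both must be echoed back (X-XSRF-TOKEN header plus Cookie) on every modifying request, and the server may rotate the token on any response, so the client re-reads it from every reply.

```python
"""
Added example, not DSpace project code: login / status / logout against the
DSpace 7 REST API with the standard library only. Header and cookie names
(DSPACE-XSRF-TOKEN, DSPACE-XSRF-COOKIE) are assumed from csrf-tokens.md.
"""
import urllib.error
import urllib.parse
import urllib.request

MODIFYING = ("POST", "PUT", "PATCH", "DELETE")   # requests that need X-XSRF-TOKEN


def urllib_transport(method, url, headers, body):
    """Real transport: returns (HTTP status, response headers as a dict).
    dict() keeps only the last Set-Cookie header, which is enough here."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


class DSpaceAuth:
    """Carries the three pieces of client state: CSRF cookie, CSRF token, JWT."""

    def __init__(self, server_url, transport=urllib_transport):
        self.server_url = server_url.rstrip("/")   # e.g. https://{dspace.server.url}
        self.transport = transport
        self.csrf_cookie = None   # DSPACE-XSRF-COOKIE value, sent back as Cookie
        self.csrf_token = None    # DSPACE-XSRF-TOKEN value, sent back as X-XSRF-TOKEN
        self.bearer = None        # JWT taken from the Authorization response header

    def _send(self, method, path, body=None):
        headers = {}
        if self.csrf_cookie:
            headers["Cookie"] = "DSPACE-XSRF-COOKIE=" + self.csrf_cookie
        if self.csrf_token and method in MODIFYING:
            headers["X-XSRF-TOKEN"] = self.csrf_token
        if self.bearer:
            headers["Authorization"] = "Bearer " + self.bearer   # Bearer scheme, as the page says
        if body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, resp_headers = self.transport(method, self.server_url + path, headers, body)
        self._absorb(resp_headers)
        return status

    def _absorb(self, resp_headers):
        """Pick up a rotated CSRF token/cookie and a (re)issued JWT from any reply."""
        lower = {k.lower(): v for k, v in resp_headers.items()}
        if "dspace-xsrf-token" in lower:
            self.csrf_token = lower["dspace-xsrf-token"]
        for part in lower.get("set-cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "DSPACE-XSRF-COOKIE":
                self.csrf_cookie = value
        auth = lower.get("authorization", "")
        if auth.startswith("Bearer "):
            self.bearer = auth[len("Bearer "):]

    def login(self, user, password):
        """POST /api/authn/login; True when a bearer token was issued."""
        if self.csrf_token is None:
            self._send("GET", "/api/authn/status")   # assumed: a GET hands out a CSRF token
        body = urllib.parse.urlencode({"user": user, "password": password}).encode()
        status = self._send("POST", "/api/authn/login", body)
        return status == 200 and self.bearer is not None

    def status(self):
        """GET /api/authn/status with the bearer token; returns the HTTP status."""
        return self._send("GET", "/api/authn/status")

    def logout(self):
        """POST /api/authn/logout with bearer and CSRF; the token is invalidated server-side."""
        status = self._send("POST", "/api/authn/logout")
        self.bearer = None
        return status
```

Usage against a real instance is `DSpaceAuth("https://{dspace.server.url}").login("test@dspace.com", "p4ssword")`, then `.status()` and `.logout()`. Two details matter in practice: a modifying request whose X-XSRF-TOKEN does not match the cookie is rejected, and because the client re-reads the token from every response (including the rejection), simply retrying the call succeeds. The JSON body of the status endpoint, not shown here, carries the actual result; the client above only tracks headers.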

JSON Web Token

The authentication token is a JSON Web Token (JWT) and is base64url encoded. For more information about JWT see this page: https://jwt.io/introduction/

...

property                  description
jwt.token.secret          Manually define a key that will be used (in combination with other strings) to sign the tokens. If this property is empty, a random key will be generated. If you run DSpace in a cluster with multiple instances, this must be configured and every instance must use the same key. It is also possible to pass this property as an environment variable.
jwt.encryption.enabled    Boolean property, defaults to false. If enabled, the tokens will be encrypted and unreadable client-side. The downsides are that encrypted tokens are somewhat larger, which makes requests slightly larger, and that the client cannot use the data inside the token: for example, it cannot read the expiration claim and has to guess when to refresh its token.
jwt.encryption.secret     Key to use if encryption for JWT is enabled. If none is specified and encryption is enabled, DSpace will generate a random one. In a clustered setup, the encryption key should be the same on all instances.
jwt.token.expiration      The period in minutes that a token should be valid. Defaults to 30.
jwt.token.include.ip      Boolean property. If true, the JWT signing key will also incorporate the IP address of the user, so the same token cannot be used from another IP address if it gets stolen (similar to cookie theft). Defaults to true. Note that a client whose IP address changes mid-session will be logged out, and that behind a reverse proxy or load balancer DSpace must see the real client address rather than the proxy's, otherwise every client shares the same IP input and the protection is lost.


Running DSpace in a clustered setup

...

  • a randomly generated salt per user +
  • the server jwt.token.secret (or a random one if empty) +
  • the IP address of the user, if jwt.token.include.ip = true (default)
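The key-derivation bullets above, and the JSON Web Token section's point that a client can read the expiration claim of an unencrypted token but not of an encrypted one, modelled in one added example (standard library only; this is not DSpace project code). The derivation used here, SHA-256 over the per-user salt, the server secret and the client IP joined with ":", is an illustrative stand-in, since DSpace's actual combination is not given on this page; claim names and all sample values are constructed. The same function also shows why a cluster node with a different jwt.token.secret rejects tokens issued by another node.

```python
"""
Added example, not DSpace project code. Models two mechanisms described on
this page: a signing key derived from per-user salt + server secret (+ IP),
and a client reading `exp` from a JWS but not from an encrypted JWE.
The derive_key() combination is illustrative, not DSpace's real algorithm.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_session_salt() -> bytes:
    """Per-user salt (DSpace keeps it in the EPerson table). Rotating it on
    logout invalidates every token issued for that user, on every device."""
    return os.urandom(16)


def derive_key(user_salt: bytes, server_secret: bytes, client_ip: Optional[str]) -> bytes:
    """Illustrative stand-in: salt + jwt.token.secret [+ IP if jwt.token.include.ip]."""
    parts = [user_salt, server_secret]
    if client_ip is not None:
        parts.append(client_ip.encode())
    return hashlib.sha256(b":".join(parts)).digest()


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWS: base64url(header).base64url(payload).base64url(signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    """Server side: verify under the key derived for THIS request, then check exp."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None                      # not a three-part JWS
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None                      # other salt, secret or IP: signature mismatch
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None                      # past jwt.token.expiration
    return claims


def seconds_until_refresh(token: str, now: float, margin: int = 60) -> Optional[int]:
    """Client side: read exp without verifying (the client holds no key).
    Returns None when the payload is unreadable, i.e. the token is a five-part
    JWE because jwt.encryption.enabled=true, so the client can only guess."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    claims = json.loads(b64url_decode(parts[1]))
    return max(0, int(claims["exp"]) - margin - int(now))
```

With a token minted for IP 203.0.113.10, verification with the key derived for any other IP, for a rotated salt, or for a node holding a different jwt.token.secret fails on the signature step, which is the behaviour the bullets above describe. The client-side helper reads the expiration claim straight from the base64url payload, which is exactly what becomes impossible once the token is encrypted.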

The session salt is saved in the EPerson table in the database and is used for:

...