Security and Authentication

Overview

There are 3 ways to provide authentication credentials to Polaris Application Services.

  • HTTP Basic Authentication and Access Tokens
  • ASP.NET Forms Authentication
  • Bearer Token via OAuth2
Polaris Application Services also support privilege overrides via HTTP proxy authentication.

HTTP Basic Authentication and Access Tokens

Accessing Polaris Application services requires the use of an access token and secret. An access token and secret may be issued by calling the staff authentication method.

POST /api/.../authentication/staffuser

The staff authentication method utilizes standard HTTP Basic Authentication via the HTTP Authorization header. When the user agent wants to send the server authentication credentials it may use the Authorization header.

The Authorization header is constructed as follows:

  • Username and password are combined into a string "username:password"
  • The resulting string literal is then encoded using Base64
  • The authorization method and a space i.e. "Basic " is then put before the encoded string.
  • Authorization: Basic TVlMSUJcQWxhZGRpbjpvcGVuc2VzYW1l

It is important to note that the Domain name must be included with the username. For example, if the user agent is a member of the MYLIB domain, has 'Aladdin' as the username and 'opensesame' as the password then the combined "username:password" would appear as:

  • MYLIB\Aladdin:opensesame

The header with Base64 encoding is formed as follows:

  • Authorization: Basic TVlMSUJcQWxhZGRpbjpvcGVuc2VzYW1l

The return object from the staff authentication method contains an an access token and access secret. This pair of strings will be used for all other Polaris Application Service calls. The authorization header will use the PAS scheme and does not need to be Base64 encoded. The site code, access token and secret are combined into a string "siteDomain:token:secret" and will appear as:

  • Authorization: PAS polaris:NXmeihFv2kq6meg3EdYoenv2VagJrPHs:odXCBZuhXBkbwSo4

ASP.NET Forms authentication

Description

ASP.NET Forms Authentication may be used with the Polaris.ApplicationServices Web API. An ASP.NET WebForm may be used to create a login page. This should validate the user and create a Forms Authentication cookie which contains a Forms Authentication ticket. The cookie should be named "LeapWebApp". The ticket's Name property represents the Polaris user's username.

Once the browser receives the forms authentication cookie, all proceeding calls to services on the same domain will automatically contain the cookie in the underlying HTTP request. This includes JavaScript XHR calls.

When Polaris.ApplicationServices receives a web request, it will examine the cookies contained within the header. If it finds a cookie with the name "LeapWebApp", it will attempt to decrypt the cookie to extract the ticket. If a valid ticket has been provided, the service will assign the ticket.name as the calling principal on the thread. This will represent the PolarisUser.

Setup

In order for encryption and decryption of the Forms Authentication Ticket to work properly between separate IIS Web Applications, the underlying machine keys must be in synch. Web.config's <machinekey> element must be the same for the .NET website hosting the login page and the .NET Web API service.

How To: Configure MachineKey in ASP.NET 2.0
Easiest way to generate MachineKey

Bearer Token via OAuth2

When configured, bearer tokens may be used with the Polaris.ApplicationServices Web API. OAuth must be enabled and configured to use OpenID Connect and PKCE (Proof Key Code Exchange).

The header will be similar to:

  • Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhBbm82bTRLczZVVVJWQjY4Zi1MZno0S2Z...
Note: Token has been truncated.

The bearer token must include the "upn" (user principal name) claim. This name should be in the form of an email address and must exist as a staff user in the Polaris database.

Override Polaris Privileges

If a user is not authorized to perform a specific operation in Polaris, an HTTP 403 response code will be returned. Polaris allows for operator overrides. The override credentials will be passed in via the standard HTTP Proxy-Authorization header or the custom Polaris-Override-Authorization custom.

The credentials are combined in the following format and then Base 64 encoded.

  • [username]:[password]:[permissionid]:[permissionownerid]

Example:

  • user@mydomain.com:mypassword:83:1 is base64 encoded as dXNlckBteWRvbWFpbi5jb206bXlwYXNzd29yZDo4Mzox
Proxy-Authorization header
  • Proxy-Authorization: Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjgzOjEwMw==
Polaris-Override-Authorization custom header
  • Polaris-Override-Authorization: Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjgzOjEwMw==

The custom header supports multiple permission overrides for a single API call.

  • Polaris-Override-Authorization: Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjgzOjEwMw==
  • Polaris-Override-Authorization: Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjg0OjM=
  • Polaris-Override-Authorization: Basic dXNlcm5hbWVAZG9tYWluOnBhc3N3b3JkOjg1OjU=

They may also be added as a single header value by providing the overrides in a comma delimited list:

  • Polaris-Override-Authorization: Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjgzOjEwMw==, Basic cG9sYXJpc2V4ZWNAZG9tYWluOnBhc3N3b3JkOjg0OjM=, Basic dXNlcm5hbWVAZG9tYWluOnBhc3N3b3JkOjg1OjU=

Important! The Authorization header with the access token and secret are still required.

When OAuth 2 support is enabled, refer to System Administration Permissions for permission overrides.