OpenIDM does not allow access to the REST interface unless you
authenticate. If a project requires anonymous access, to allow users to
self-register for example, then allow access by user
anonymous, password anonymous, as
described in Section 13.1.1, “Internal Users”. In production, only
applications are expected to access the REST interface.
OpenIDM supports an improved authentication mechanism on the REST interface. Unlike basic authentication or form-based authentication, the OpenIDM authentication mechanism is compatible with the AJAX framework.
- OpenIDM authentication with standard header fields

  $ curl --user userName:password

  This authentication is compatible with standard basic authentication, except that it will not prompt for credentials if they are missing in the request.

- OpenIDM authentication with OpenIDM header fields

  $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin"
For more information about the OpenIDM authentication mechanism, see Use Message Level Security.
You can change the attributes that OpenIDM uses to store user login and password values. The attribute names are shown in a database query that is defined in openidm/conf/repo.repo-type.json. Two queries are defined by default:

- credential-internaluser-query - uses the _openidm_id attribute for login
- credential-query - uses the userName attribute for login
The openidm/conf/authentication.json file defines the currently active query as the value of the queryId property. In the following example, credential-query is active.

{
  "queryId" : "credential-query",
  "queryOnResource" : "managed/user",
  "defaultUserRoles" : [ ]
}

You can explicitly define the properties that constitute passwords or roles by setting the propertyMapping object in the conf/authentication.json file. By default, the property mapping is configured as follows:

...
"propertyMapping" : {
  "userId" : "_id",
  "userCredential" : "password",
  "userRoles" : "roles"
},
...
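The following added example (not OpenIDM's own code) models how the two header styles above and the authentication.json settings fit together: credentials are taken from either X-OpenIDM-Username/X-OpenIDM-Password or a Basic Authorization header, the active queryId decides which attribute the login name is matched against, and propertyMapping decides which properties hold the credential and roles. The resource names, sample users, defaultUserRoles value and the rule that default roles apply only to users without roles are assumptions made for this example.

```python
import base64
import hmac
# Constructed stand-in for openidm/conf/authentication.json; only the
# propertyMapping values come from the page, the rest are assumed here.
AUTH_CONFIG = {
    "queryId": "credential-query",
    "queryOnResource": "managed/user",
    "defaultUserRoles": ["openidm-authorized"],
    "propertyMapping": {"userId": "_id", "userCredential": "password", "userRoles": "roles"},
}
# Attribute each default query compares the supplied login name against.
QUERY_LOGIN_ATTR = {"credential-query": "userName", "credential-internaluser-query": "_openidm_id"}
# Constructed sample repository rows (resource names and users are made up).
REPO = {
    "managed/user": [
        {"_id": "1", "userName": "bjensen", "password": "Passw0rd", "roles": ["openidm-admin"]},
        {"_id": "2", "userName": "scarter", "password": "hunter2"},
    ],
    "repo/internal/user": [{"_id": "anonymous", "_openidm_id": "anonymous", "password": "anonymous", "roles": ["openidm-reg"]}],
}

def basic_header(user, password):
    # What `curl --user user:password` sends: a standard Basic Authorization header.
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def extract_credentials(headers):
    # Accept X-OpenIDM-Username/X-OpenIDM-Password, or a Basic Authorization header.
    h = {k.lower(): v for k, v in headers.items()}
    if "x-openidm-username" in h and "x-openidm-password" in h:
        return h["x-openidm-username"], h["x-openidm-password"]
    auth = h.get("authorization", "")
    if auth.startswith("Basic "):
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        return user, pwd
    return None  # missing credentials fail outright; no challenge is issued

def authenticate(headers, config=AUTH_CONFIG, repo=REPO):
    # Resolve the login via the active query, then check the mapped credential property.
    creds = extract_credentials(headers)
    if creds is None:
        return None
    login, password = creds
    login_attr, pm = QUERY_LOGIN_ATTR[config["queryId"]], config["propertyMapping"]
    for row in repo[config["queryOnResource"]]:
        if row.get(login_attr) == login and hmac.compare_digest(row.get(pm["userCredential"], "").encode(), password.encode()):
            # Assumed: defaultUserRoles apply only when the user carries no roles of their own.
            roles = list(row.get(pm["userRoles"]) or config["defaultUserRoles"])
            return {"id": row.get(pm["userId"]), "roles": roles}
    return None
```

Switching queryId to credential-internaluser-query (and queryOnResource to the internal user table) makes the same headers resolve against _openidm_id instead of userName, which is how the anonymous/anonymous internal user from the first paragraph is matched.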