Skip to content

AuthenticationApi

Jump to bottom
Github Action edited this page Dec 23, 2021 · 8 revisions

AuthenticationApi

All URIs are relative to http://localhost

Method HTTP request Description
changePassword PUT /authn/{account}/password Changes a user’s password.
enableAuthenticator PATCH /{authenticator}/{account} Enables or disables authenticator defined without service_id.
enableAuthenticatorInstance PATCH /{authenticator}/{service_id}/{account} Enables or disables authenticator service instances.
getAPIKey GET /authn/{account}/login Gets the API key of a user given the username and password via HTTP Basic Authentication.
getAPIKeyViaLDAP GET /authn-ldap/{service_id}/{account}/login Gets the Conjur API key of a user given the LDAP username and password via HTTP Basic Authentication.
getAccessToken POST /authn/{account}/{login}/authenticate Gets a short-lived access token, which is required in the header of most subsequent API requests.
getAccessTokenViaAWS POST /authn-iam/{service_id}/{account}/{login}/authenticate Get a short-lived access token for applications running in AWS.
getAccessTokenViaAzure POST /authn-azure/{service_id}/{account}/{login}/authenticate Gets a short-lived access token for applications running in Azure.
getAccessTokenViaGCP POST /authn-gcp/{account}/authenticate Gets a short-lived access token for applications running in Google Cloud Platform.
getAccessTokenViaJWT POST /authn-jwt/{service_id}/{account}/authenticate Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API.
getAccessTokenViaJWTWithId POST /authn-jwt/{service_id}/{account}/{id}/authenticate Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API. Covers the case of use of optional URL parameter "ID"
getAccessTokenViaKubernetes POST /authn-k8s/{service_id}/{account}/{login}/authenticate Gets a short-lived access token for applications running in Kubernetes.
getAccessTokenViaLDAP POST /authn-ldap/{service_id}/{account}/{login}/authenticate Gets a short-lived access token for users and hosts using their LDAP identity to access the Conjur API.
getAccessTokenViaOIDC POST /authn-oidc/{service_id}/{account}/authenticate Gets a short-lived access token for applications using OpenID Connect (OIDC) to access the Conjur API.
k8sInjectClientCert POST /authn-k8s/{service_id}/inject_client_cert For applications running in Kubernetes; sends Conjur a certificate signing request (CSR) and requests a client certificate injected into the application's Kubernetes pod.
rotateApiKey PUT /authn/{account}/api_key Rotates a role's API key.

changePassword

changePassword(account, body, xRequestId)

Changes a user’s password.

You must provide the login name and current password or API key of the user whose password is to be updated in an HTTP Basic Authentication header. Also replaces the user’s API key with a new securely generated random value. You can fetch the new API key using the Login method. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords. They authenticate using their API keys, while passwords are only used by human users.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
body String New password
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

null (empty response body)

Authorization

basicAuth

HTTP request headers

  • Content-Type: text/plain
  • Accept: Not defined

enableAuthenticator

enableAuthenticator(authenticator, account, xRequestId, enabled)

Enables or disables authenticator defined without service_id.

Allows you to either enable or disable a given authenticator that does not have service_id (For example: authn-gcp). When you enable or disable an authenticator via this endpoint, the status of the authenticator is stored in the Conjur database. The enablement status of the authenticator service may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service is enabled will be ignored. This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

Parameters

Name Type Description Notes
authenticator ServiceAuthenticators The authenticator to update [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure, authn-jwt]
account String Organization account name [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
enabled Boolean [optional] [default to null]

Return type

null (empty response body)

Authorization

basicAuth, conjurAuth, conjurKubernetesMutualTls

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: Not defined

enableAuthenticatorInstance

enableAuthenticatorInstance(authenticator, serviceId, account, xRequestId, enabled)

Enables or disables authenticator service instances.

Allows you to either enable or disable a given authenticator service instance. When you enable or disable an authenticator service instance via this endpoint, the status of the authenticator service instance is stored in the Conjur database. The enablement status of the authenticator service instance may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service instance is enabled will be ignored. This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

Parameters

Name Type Description Notes
authenticator ServiceAuthenticators The authenticator to update [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure, authn-jwt]
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
enabled Boolean [optional] [default to null]

Return type

null (empty response body)

Authorization

conjurAuth

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: Not defined

getAPIKey

String getAPIKey(account, xRequestId)

Gets the API key of a user given the username and password via HTTP Basic Authentication.

Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to use this endpoint.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

basicAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

getAPIKeyViaLDAP

String getAPIKeyViaLDAP(serviceId, account, xRequestId)

Gets the Conjur API key of a user given the LDAP username and password via HTTP Basic Authentication.

Exchange your LDAP credentials for a Conjur API key. Once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. The Basic authentication-compliant header is formed by: 1. Concatenating the LDAP username, a literal colon character ':', and the password to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>. Your HTTP/REST client probably provides HTTP basic authentication support.

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

basicAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

getAccessToken

String getAccessToken(account, login, body, acceptEncoding, xRequestId)

Gets a short-lived access token, which is required in the header of most subsequent API requests.

A client can obtain an access token by presenting a valid login name and API key. The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>. This is the default authentication endpoint only. See other endpoints for details on authenticating to Conjur using another method, e.g. for applications running in Azure or Kubernetes.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
login String URL-encoded login name. For users, it’s the user ID. For hosts, the login name is host/<host-id> [default to null]
body String API Key
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to application/json] [enum: application/json, base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: text/plain
  • Accept: text/plain

getAccessTokenViaAWS

String getAccessTokenViaAWS(serviceId, account, login, body, acceptEncoding, xRequestId)

Get a short-lived access token for applications running in AWS.

The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For detailed instructions on authenticating to Conjur using this endpoint, reference the documentation: AWS IAM Authenticator (authn-iam).

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
login String URL-encoded login name. For hosts, the login name is host/<host-id> [default to null]
body String AWS Signature header
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to application/json] [enum: application/json, base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: text/plain
  • Accept: text/plain

getAccessTokenViaAzure

String getAccessTokenViaAzure(serviceId, account, login, acceptEncoding, xRequestId, jwt)

Gets a short-lived access token for applications running in Azure.

The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. To authenticate to Conjur using this endpoint, reference the detailed documentation: Azure Authenticator (authn-azure).

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
login String URL-encoded login name. For users, it’s the user ID. For hosts, the login name is host/<host-id> [default to null]
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to application/json] [enum: application/json, base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
jwt String [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

getAccessTokenViaGCP

String getAccessTokenViaGCP(account, acceptEncoding, xRequestId, jwt)

Gets a short-lived access token for applications running in Google Cloud Platform.

Use the GCP Authenticator API to send an authentication request from a Google Cloud service to Conjur. For more information, see the documentation.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to null] [enum: base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
jwt String [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

getAccessTokenViaJWT

String getAccessTokenViaJWT(account, serviceId, xRequestId, jwt)

Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API.

Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
serviceId String URL-Encoded authenticator service ID [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
jwt String [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

getAccessTokenViaJWTWithId

String getAccessTokenViaJWTWithId(account, id, serviceId, xRequestId, jwt)

Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API. Covers the case of use of optional URL parameter &quot;ID&quot;

Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
id String Organization user id [default to null]
serviceId String URL-Encoded authenticator service ID [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
jwt String [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

getAccessTokenViaKubernetes

String getAccessTokenViaKubernetes(serviceId, account, login, acceptEncoding, xRequestId)

Gets a short-lived access token for applications running in Kubernetes.

The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. To authenticate to Conjur using this endpoint, reference the detailed documentation: Kubernetes Authenticator (authn-k8s).

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
login String URL-encoded login name. For users, it’s the user ID. For hosts, the login name is host/<host-id> [default to null]
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to application/json] [enum: application/json, base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

conjurKubernetesMutualTls

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

getAccessTokenViaLDAP

String getAccessTokenViaLDAP(serviceId, account, login, acceptEncoding, xRequestId, body)

Gets a short-lived access token for users and hosts using their LDAP identity to access the Conjur API.

The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. To authenticate to Conjur using a LDAP, reference the detailed documentation: LDAP Authenticator (authn-ldap).

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
login String URL-encoded login name. For users, it’s the user ID. For hosts, the login name is host/<host-id> [default to null]
acceptEncoding String Setting the Accept-Encoding header to base64 will return a pre-encoded access token [optional] [default to application/json] [enum: application/json, base64]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
body String API key [optional]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: text/plain
  • Accept: text/plain

getAccessTokenViaOIDC

String getAccessTokenViaOIDC(serviceId, account, xRequestId, idToken)

Gets a short-lived access token for applications using OpenID Connect (OIDC) to access the Conjur API.

Use the OIDC Authenticator to leverage the identity layer provided by OIDC to authenticate with Conjur. For more information see the documentation.

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
account String Organization account name [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]
idToken String [optional] [default to null]

Return type

String

Authorization

No authorization required

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

k8sInjectClientCert

k8sInjectClientCert(serviceId, body, hostIdPrefix, xRequestId)

For applications running in Kubernetes; sends Conjur a certificate signing request (CSR) and requests a client certificate injected into the application's Kubernetes pod.

This request sends a Certificate Signing Request to Conjur, which uses the Kubernetes API to inject a client certificate into the application pod. This endpoint requires a properly configured Conjur Certificate Authority service alongside a properly configured and enabled Kubernetes authenticator. For detailed instructions, see the documentation.

Parameters

Name Type Description Notes
serviceId String URL-Encoded authenticator service ID [default to null]
body String Valid certificate signing request that includes the host identity suffix as the CSR common name
hostIdPrefix String Dot-separated policy tree, prefixed by host., where the application identity is defined [optional] [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

null (empty response body)

Authorization

basicAuth, conjurAuth, conjurKubernetesMutualTls

HTTP request headers

  • Content-Type: text/plain
  • Accept: Not defined

rotateApiKey

String rotateApiKey(account, role, xRequestId)

Rotates a role's API key.

Any role can rotate its own API key. The name and password (for users) or current API key (for hosts and users) of the role must be provided via HTTP Basic Authorization. To rotate another role's API key, you may provide your name and password (for users) or current API key (for hosts and users) via HTTP Basic Authorization with the request. Alternatively, you may provide your Conjur access token via the standard Conjur Authorization header. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. If using the Conjur Authorization header, its value should be set to Token token=<base64-encoded access token>. Note that the body of the request must be the empty string.

Parameters

Name Type Description Notes
account String Organization account name [default to null]
role String (Optional) role specifier in {kind}:{identifier} format ##### Permissions required update privilege on the role whose API key is being rotated. [optional] [default to null]
xRequestId String Add an ID to the request being made so it can be tracked in Conjur. If not provided the server will automatically generate one. [optional] [default to null]

Return type

String

Authorization

basicAuth, conjurAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain
Clone this wiki locally