AuthnApi
All URIs are relative to http://localhost
Method | HTTP request | Description |
---|---|---|
authenticate | POST /{authenticator}/{account}/{login}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
authenticateService | POST /{authenticator}/{service_id}/{account}/{login}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
gcpAuthenticate | POST /authn-gcp/{account}/authenticate | Authenticate with Conjur via Google Cloud Platform |
k8sInjectClientCert | POST /authn-k8s/{service_id}/inject_client_cert | Requests a client certificate injection into the desired K8s pod |
login | GET /{authenticator}/{account}/login | Gets the API key of a user given the username and password via HTTP Basic Authentication. |
oidcAuthenticate | POST /authn-oidc/{service_id}/{account}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
rotateApiKey | PUT /{authenticator}/{account}/api_key | Rotates a user’s API key. |
serviceLogin | GET /{authenticator}/{service_id}/{account}/login | Login with the given authenticator |
setPassword | PUT /authn/{account}/password | Changes a user’s password. |
updateAuthenticatorConfig | PATCH /{authenticator}/{service_id}/{account} | Updates the authenticator's configuration |
String authenticate(authenticator, account, login, body, acceptEncoding)
Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.
A client can obtain an access token by presenting a valid login name and API key. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the access token is ordinarily passed as an HTTP Authorization Token header.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | String | The authenticator | [default to null] [enum: authn, authn-iam, authn-ldap, authn-k8s, authn-azure] |
account | String | Organization account name | [default to null] |
login | String | Login name of the client. For users, it’s the user id. For hosts, the login name is host/<host-id> | [default to null] |
body | String | API Key | |
acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] |
- Content-Type: text/plain
- Accept: text/plain
String authenticateService(authenticator, serviceId, account, login, body, acceptEncoding)
Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.
A client can obtain an access token by presenting a valid login name and API key. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the access token is ordinarily passed as an HTTP Authorization Token header.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | String | The authenticator | [default to null] [enum: authn-iam, authn-ldap, authn-k8s, authn-azure] |
serviceId | String | The authenticator service | [default to null] |
account | String | Organization account name | [default to null] |
login | String | Login name of the client. For users, it’s the user id. For hosts, the login name is host/<host-id> | [default to null] |
body | String | API Key | |
acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] |
- Content-Type: text/plain
- Accept: text/plain
String gcpAuthenticate(account, acceptEncoding, jwt)
Authenticate with Conjur via Google Cloud Platform
A client can obtain an access token by presenting a valid JWT identity token.
Name | Type | Description | Notes |
---|---|---|---|
account | String | Organization account name | [default to null] |
acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] [enum: base64] |
jwt | String | | [optional] [default to null] |
- Content-Type: application/x-www-form-urlencoded
- Accept: text/plain
k8sInjectClientCert(serviceId, body, hostIdPrefix)
Requests a client certificate injection into the desired K8s pod
This request sends a Certificate Signing Request to Conjur, which in turn uses the Kubernetes API to inject a certificate into the desired pod. This endpoint requires a properly configured Conjur Certificate Authority service alongside a properly configured K8s authenticator.
Name | Type | Description | Notes |
---|---|---|---|
serviceId | String | The service id of the K8s authenticator | [default to null] |
body | String | The body of the request is a CSR | |
hostIdPrefix | String | Host ID prefix | [optional] [default to null] |
null (empty response body)
- Content-Type: text/plain
- Accept: Not defined
String login(authenticator, account)
Gets the API key of a user given the username and password via HTTP Basic Authentication.
Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to login.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | Authenticators | The Authenticator | [default to null] [enum: authn, authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
account | String | Organization account name | [default to null] |
- Content-Type: Not defined
- Accept: text/plain
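The login and authenticate calls described above, built as request objects without sending them. This is an added example, not code from the Conjur project; the function names and sample values (`myorg`, the credentials) are hypothetical, and the `Token token="..."` header form is Conjur's documented scheme rather than something spelled out on this page.

```python
import base64
from urllib.parse import quote
from urllib.request import Request

BASE_URL = "http://localhost"  # the page's base URI


def login_request(account, username, password, authenticator="authn"):
    """GET /{authenticator}/{account}/login with HTTP Basic credentials."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(
        f"{BASE_URL}/{authenticator}/{quote(account, safe='')}/login",
        headers={"Authorization": f"Basic {creds}", "Accept": "text/plain"},
        method="GET",
    )


def authenticate_request(account, login, api_key, authenticator="authn"):
    """POST /{authenticator}/{account}/{login}/authenticate, API key as body."""
    # safe='' matters: quote() leaves '/' alone by default, which would turn
    # host/webserver into two path segments instead of host%2Fwebserver.
    path = "/".join(quote(p, safe="") for p in (authenticator, account, login))
    return Request(
        f"{BASE_URL}/{path}/authenticate",
        data=api_key.encode(),
        headers={
            "Content-Type": "text/plain",
            "Accept": "text/plain",
            "Accept-Encoding": "base64",  # ask for a pre-encoded token
        },
        method="POST",
    )


def token_header(token_b64):
    """Authorization header for later API calls, given a base64 token."""
    return {"Authorization": f'Token token="{token_b64.strip()}"'}


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = authenticate_request("myorg", "host/webserver", "constructed-api-key")
    print(req.get_method(), req.full_url)
    print(login_request("myorg", "alice@devops", "constructed-password").full_url)
```

The API key travels in the request body and the password in a Basic header, so both calls belong on TLS only.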
String oidcAuthenticate(serviceId, account, idToken)
Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.
A client can obtain an access token by presenting a valid OpenID ID token. The client must first authenticate with the OpenID provider, then pass the ID token to the Conjur server to retrieve an API token.
Name | Type | Description | Notes |
---|---|---|---|
serviceId | String | The authenticator service | [default to null] |
account | String | Organization account name | [default to null] |
idToken | String | | [optional] [default to null] |
- Content-Type: application/x-www-form-urlencoded
- Accept: text/plain
String rotateApiKey(authenticator, account, role)
Rotates a user’s API key.
Any role can rotate its own API key. The name and password or current API key of the role must be provided via HTTP Basic Authorization. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that the body of the request must be the empty string.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | Authenticators | The authenticator | [default to null] [enum: authn, authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
account | String | Organization account name | [default to null] |
role | String | (Optional) role specifier in {kind}:{identifier} format. Permissions required: update privilege on the role whose API key is being rotated. | [optional] [default to null] |
- Content-Type: Not defined
- Accept: text/plain
String serviceLogin(authenticator, serviceId, account)
Login with the given authenticator
Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to login.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | ExternalAuthenticators | The authenticator to login with | [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
serviceId | String | The service id of the authenticator | [default to null] |
account | String | Organization account name | [default to null] |
- Content-Type: Not defined
- Accept: text/plain
setPassword(account, body)
Changes a user’s password.
You must provide the login name and current password or API key of the user whose password is to be updated in an HTTP Basic Authentication header. Also replaces the user’s API key with a new securely generated random value. You can fetch the new API key by using Login. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords. They authenticate using their API keys, while passwords are only used by human users.
Name | Type | Description | Notes |
---|---|---|---|
account | String | Organization account name | [default to null] |
body | String | New password | |
null (empty response body)
- Content-Type: text/plain
- Accept: Not defined
updateAuthenticatorConfig(authenticator, serviceId, account, enabled)
Updates the authenticator's configuration
Allows you to either enable or disable a given authenticator. This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.
Name | Type | Description | Notes |
---|---|---|---|
authenticator | ExternalAuthenticators | The authenticator to update | [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
serviceId | String | The service id of the authenticator | [default to null] |
account | String | Organization account name | [default to null] |
enabled | Boolean | | [optional] [default to null] |
null (empty response body)
- Content-Type: application/x-www-form-urlencoded
- Accept: Not defined