AuthnApi

Github Action edited this page Feb 12, 2021 · 5 revisions

All URIs are relative to http://localhost

| Method | HTTP request | Description |
| --- | --- | --- |
| authenticate | POST /{authenticator}/{account}/{login}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
| authenticateService | POST /{authenticator}/{service_id}/{account}/{login}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
| gcpAuthenticate | POST /authn-gcp/{account}/authenticate | Authenticate with Conjur via Google Cloud Platform |
| k8sInjectClientCert | POST /authn-k8s/{service_id}/inject_client_cert | Requests a client certificate injection into the desired K8s pod |
| login | GET /{authenticator}/{account}/login | Gets the API key of a user given the username and password via HTTP Basic Authentication. |
| oidcAuthenticate | POST /authn-oidc/{service_id}/{account}/authenticate | Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API. |
| rotateApiKey | PUT /{authenticator}/{account}/api_key | Rotates a user’s API key. |
| serviceLogin | GET /{authenticator}/{service_id}/{account}/login | Login with the given authenticator |
| setPassword | PUT /authn/{account}/password | Changes a user’s password. |
| updateAuthenticatorConfig | PATCH /{authenticator}/{service_id}/{account} | Updates the authenticator's configuration |

authenticate

String authenticate(authenticator, account, login, body, acceptEncoding)

Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.

A client can obtain an access token by presenting a valid login name and API key. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would log in as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the access token is ordinarily passed as an HTTP Authorization Token header.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | String | The authenticator | [default to null] [enum: authn, authn-iam, authn-ldap, authn-k8s, authn-azure] |
| account | String | Organization account name | [default to null] |
| login | String | Login name of the client. For users, it’s the user id. For hosts, the login name is host/<host-id> | [default to null] |
| body | String | API Key | |
| acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] |

Return type

String

Authorization

conjurAuth

HTTP request headers

  • Content-Type: text/plain
  • Accept: text/plain

authenticateService

String authenticateService(authenticator, serviceId, account, login, body, acceptEncoding)

Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.

A client can obtain an access token by presenting a valid login name and API key. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would log in as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the access token is ordinarily passed as an HTTP Authorization Token header.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | String | The authenticator | [default to null] [enum: authn-iam, authn-ldap, authn-k8s, authn-azure] |
| serviceId | String | The authenticator service | [default to null] |
| account | String | Organization account name | [default to null] |
| login | String | Login name of the client. For users, it’s the user id. For hosts, the login name is host/<host-id> | [default to null] |
| body | String | API Key | |
| acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] |

Return type

String

Authorization

conjurAuth

HTTP request headers

  • Content-Type: text/plain
  • Accept: text/plain
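
The URL-encoding rule and request shape described for authenticate and authenticateService, as an added Python example (not part of the Conjur client libraries or of this page). The helper names, the account `myorg` and the sample values are assumptions, and the `Token token="..."` header form is Conjur's documented format rather than something spelled out here.

```python
from urllib.parse import quote
from urllib.request import Request

# Authenticator enums as listed in the parameter tables on this page.
DEFAULT_AUTHENTICATORS = {"authn", "authn-iam", "authn-ldap", "authn-k8s", "authn-azure"}
SERVICE_AUTHENTICATORS = DEFAULT_AUTHENTICATORS - {"authn"}


def encode_segment(value: str) -> str:
    """Percent-encode one path segment. safe="" matters: quote() leaves '/'
    untouched by default, which would split host/webserver into two segments."""
    return quote(value, safe="")


def build_authenticate_request(base_url, authenticator, account, login,
                               api_key, service_id=None, base64_token=True):
    """Build (but do not send) the POST for authenticate / authenticateService."""
    allowed = SERVICE_AUTHENTICATORS if service_id else DEFAULT_AUTHENTICATORS
    if authenticator not in allowed:
        raise ValueError(f"unsupported authenticator: {authenticator!r}")
    parts = [authenticator]
    if service_id:
        parts.append(service_id)
    parts += [account, login, "authenticate"]
    url = base_url.rstrip("/") + "/" + "/".join(encode_segment(p) for p in parts)
    headers = {"Content-Type": "text/plain", "Accept": "text/plain"}
    if base64_token:
        headers["Accept-Encoding"] = "base64"  # ask for a pre-encoded token
    # The API key travels in the body, never in the URL or query string.
    return Request(url, data=api_key.encode(), headers=headers, method="POST")


def token_header(encoded_token: str) -> dict:
    """Authorization header for later calls, from a base64 pre-encoded token."""
    return {"Authorization": f'Token token="{encoded_token}"'}


if __name__ == "__main__":
    # Constructed sample values; the API key is a placeholder.
    req = build_authenticate_request("http://localhost", "authn", "myorg",
                                     "host/webserver", "PLACEHOLDER-API-KEY")
    print(req.get_method(), req.full_url)
```

Pass the returned object to `urllib.request.urlopen` to send it; the response body is the access token.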

gcpAuthenticate

String gcpAuthenticate(account, acceptEncoding, jwt)

Authenticate with Conjur via Google Cloud Platform

A client can obtain an access token by presenting a valid JWT identity token.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| account | String | Organization account name | [default to null] |
| acceptEncoding | String | Setting the Accept-Encoding header to base64 will return a pre-encoded access token | [optional] [default to null] [enum: base64] |
| jwt | String | | [optional] [default to null] |

Return type

String

Authorization

basicAuth, conjurAuth

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

k8sInjectClientCert

k8sInjectClientCert(serviceId, body, hostIdPrefix)

Requests a client certificate injection into the desired K8s pod

This request sends a Certificate Signing Request to Conjur, which in turn uses the Kubernetes API to inject a certificate into the desired pod. This endpoint requires a properly configured Conjur Certificate Authority service alongside a properly configured K8s authenticator.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| serviceId | String | The service id of the K8s authenticator | [default to null] |
| body | String | The body of the request is a CSR | |
| hostIdPrefix | String | Host ID prefix | [optional] [default to null] |

Return type

null (empty response body)

Authorization

conjurAuth

HTTP request headers

  • Content-Type: text/plain
  • Accept: Not defined

login

String login(authenticator, account)

Gets the API key of a user given the username and password via HTTP Basic Authentication.

Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to log in.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | Authenticators | The Authenticator | [default to null] [enum: authn, authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
| account | String | Organization account name | [default to null] |

Return type

String

Authorization

basicAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

oidcAuthenticate

String oidcAuthenticate(serviceId, account, idToken)

Gets a short-lived access token, which can be used to authenticate requests to (most of) the rest of the Conjur API.

A client can obtain an access token by presenting a valid OpenID ID token. The client must first authenticate with the OpenID provider, then pass the ID token to the Conjur server to retrieve an API token.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| serviceId | String | The authenticator service | [default to null] |
| account | String | Organization account name | [default to null] |
| idToken | String | | [optional] [default to null] |

Return type

String

Authorization

basicAuth, conjurAuth

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: text/plain

rotateApiKey

String rotateApiKey(authenticator, account, role)

Rotates a user’s API key.

Any role can rotate its own API key. The name and password or current API key of the role must be provided via HTTP Basic Authorization. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that the body of the request must be the empty string.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | Authenticators | The authenticator | [default to null] [enum: authn, authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
| account | String | Organization account name | [default to null] |
| role | String | (Optional) role specifier in {kind}:{identifier} format. Permissions required: update privilege on the role whose API key is being rotated. | [optional] [default to null] |

Return type

String

Authorization

basicAuth, conjurAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

serviceLogin

String serviceLogin(authenticator, serviceId, account)

Login with the given authenticator

Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to log in.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | ExternalAuthenticators | The authenticator to login with | [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
| serviceId | String | The service id of the authenticator | [default to null] |
| account | String | Organization account name | [default to null] |

Return type

String

Authorization

basicAuth

HTTP request headers

  • Content-Type: Not defined
  • Accept: text/plain

setPassword

setPassword(account, body)

Changes a user’s password.

You must provide the login name and current password or API key of the user whose password is to be updated in an HTTP Basic Authentication header. Also replaces the user’s API key with a new securely generated random value. You can fetch the new API key by using Login. Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords. They authenticate using their API keys, while passwords are only used by human users.

Parameters

| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| account | String | Organization account name | [default to null] |
| body | String | New password | |

Return type

null (empty response body)

Authorization

basicAuth

HTTP request headers

  • Content-Type: text/plain
  • Accept: Not defined
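
The three Basic-authentication calls described above (login, rotateApiKey and setPassword), built as requests in an added Python example that is not Conjur's own client code. Function names and sample values are assumptions, as is sending `role` as a query parameter, which this page does not state.

```python
import base64
from urllib.parse import quote, urlencode
from urllib.request import Request


def basic_auth(login: str, secret: str) -> str:
    """HTTP Basic credentials; secret is the password or current API key."""
    raw = f"{login}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _request(method, base_url, segments, login, secret, body=None, query=None,
             content_type=None):
    url = base_url.rstrip("/") + "/" + "/".join(quote(s, safe="") for s in segments)
    if query:
        url += "?" + urlencode(query)
    headers = {"Authorization": basic_auth(login, secret)}
    if content_type:
        headers["Content-Type"] = content_type
    return Request(url, data=body, headers=headers, method=method)


def login_request(base_url, account, login, password, authenticator="authn"):
    """GET .../login: exchanges username and password for the API key."""
    req = _request("GET", base_url, [authenticator, account, "login"], login, password)
    req.add_header("Accept", "text/plain")
    return req


def rotate_api_key_request(base_url, account, login, secret, role=None,
                           authenticator="authn"):
    """PUT .../api_key with an empty body; role is '{kind}:{identifier}'."""
    # Assumption: the optional role specifier is sent as a query parameter.
    query = {"role": role} if role else None
    return _request("PUT", base_url, [authenticator, account, "api_key"],
                    login, secret, body=b"", query=query)


def set_password_request(base_url, account, login, secret, new_password):
    """PUT /authn/{account}/password; the body is the new password."""
    return _request("PUT", base_url, ["authn", account, "password"], login,
                    secret, body=new_password.encode(), content_type="text/plain")
```

Because setPassword also replaces the user's API key, any cached key has to be fetched again with a login request after the password change succeeds.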

updateAuthenticatorConfig

updateAuthenticatorConfig(authenticator, serviceId, account, enabled)

Updates the authenticator's configuration

Allows you to either enable or disable a given authenticator.

> This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

Parameters

Name Type Description Notes
| Name | Type | Description | Notes |
| --- | --- | --- | --- |
| authenticator | ExternalAuthenticators | The authenticator to update | [default to null] [enum: authn-iam, authn-oidc, authn-ldap, authn-k8s, authn-gcp, authn-azure] |
| serviceId | String | The service id of the authenticator | [default to null] |
| account | String | Organization account name | [default to null] |
| enabled | Boolean | | [optional] [default to null] |

Return type

null (empty response body)

Authorization

conjurAuth

HTTP request headers

  • Content-Type: application/x-www-form-urlencoded
  • Accept: Not defined