Changes between Version 6 and Version 7 of NewTestbedAPISpec


Ignore:
Timestamp:
Jul 16, 2013 9:56:05 AM (11 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • NewTestbedAPISpec

    v6 v7  
    2929   * request - bad request
    3030   * internal - internal server error
     31   * password - user has an expired password that must be changed
    3132 * ErrorString - a string describing the broad error
    3233 * DetailString - a string describing the details that caused the error
     
    7273A user can authenticate to the testbed and receive a short-lived client x.509 certificate by requesting a challenge using the {{{requestChallenge}}} operation and responding to the challenge via the {{{challengeResponse}}} operation.
    7374
    74 Currently only one challenge type is defined.  The challenge is an array of bytes and the response is return an SHA1 HMAC of that string keyed by the user's password.
     75Currently only one challenge is available, type "clear".  The challenge has no data and the user replies with their password in clear text.  Note that the exchange is protected by the SSL encrypted exchange, but implementors should not respond to clear challenges with parameters in the query string.  The "masked" challenge will address this issue shortly.
    7576
    7677 * '''Service:''' Users
     
    7879 * '''Input Parameters:'''
    7980   * userid - the identity to authenticate
     81   * types - a list of challenges that are acceptable to the user.  May be empty
    8082 * '''Return Values:'''
    8183   * Type - the kind of challenge
     
    8486   * ChallengeID - a 64-bit identifier that allows the server to validate the reply
    8587
     88Each challenge is valid for 2 minutes and are rate limited.  Web interfaces should collect the password from the user before requesting a challenge from the API to avoid spurious timeouts.
     89
    8690 * '''Service:''' Users
    8791 * '''Operation:''' challengeResponse
     
    9195 * '''Return Values''':
    9296  * Certificate - a binary string containing a PEM-encoded X.509 certificate and private key. (Passed down the encrypted connection)
     97
     98The certificate returned by the challenge is signed by the testbed.
     99
     100=== Password Changes ===
     101
     102The password is a unique user feature that is not in the profile because of its role in authentication.  When a user needs to change their password there are two API calls that can be used.
     103
     104If the user knows their current (or expired) password, they can authenticate using the standard challenge response protocol and then call
     105
     106* '''Service:''' Users
     107 * '''Operation:''' changePassword
     108 * '''Input Parameters:'''
     109  * uid - the userid to change (note that an admin may change others passwords)
     110  * newPass - the new passowrd
     111 * '''Return Values''':
     112  * a boolean, true if successful, but most errors will throw a fault
     113
     114We expect that the web interface will handle issues like confirming user input to a password change page.  The changePassword call just makes the change directly.
     115
     116If a user has forgotten their password, the user can request a password challenge, sent to them at their profile e-mail address.  The challenge is a 64-bit number that can be used to call changePasswordChallenge without logging in.  To request a challenge, the web interface calls:
     117
     118* '''Service:''' Users
     119 * '''Operation:''' requestPasswordReset
     120 * '''Input Parameters:'''
     121  * uid - the userid to change
     122  * urlPrefix - a string prefixed to the challenge ID in the mail sent to the user
     123 * '''Return Values''':
     124  * a boolean, true if successful, but most errors will throw a fault
     125
     126Again, we expect this call to generally be made from a web interface that will then want to present an input form to the in order to reset their password.  The urlPrefix field provides that hook.  A web interface running on !https://niftydeter.com might call requestPasswordReset with parameters 'forgetfuluser' and '!https://niftydeter.com/reset.html?challenge='.  After that call forgetfuluser will get e-mail asking him or her to access the web page at !https://niftydeter.com/reset.html?challenge=1283548127541824, allowing {{{niftydeter.com}}} to present their password change interface, and do error checking, ete. on the new password.
     127
     128Each challenge is valid for 2 hours, and they are rate limited so only a few can be outstanding.
     129
     130With a valid challenge in hand, the web interface can call
     131
     132* '''Service:''' Users
     133 * '''Operation:''' changePasswordChallenge
     134 * '''Input Parameters:'''
     135  * challengeID - the 64-bit number from the e-mail
     136  * newPass - the new passowrd
     137 * '''Return Values''':
     138  * a boolean, true if successful, but most errors will throw a fault
     139
    93140
    94141=== Profile Manipulation ===
     
    137184
    138185 * '''Service:''' Users
    139  * '''Operation:''' getProfileDescription
     186 * '''Operation:''' getUserProfile
    140187 * '''Input Parameters:'''
    141188  * userid - a string naming the user to be retrieved
     
    162209 
    163210 * '''Service:''' Users
    164  * '''Operation:''' getProfileDescription
     211 * '''Operation:''' changeUserProfile
    165212 * '''Input Parameters:'''
    166213   * Userid - the user's profile to modify