On This page |
On Related Pages |
|
POST https://auth-staging.sagebase.org/auth/v1/user
{"email":"demouser@sagebase.org", "firstName":"demo", "lastName":"user", "displayName":"Demo User"}
|
Successful Response:
HTTP/1.1 201 Created |
Missing password or user ID already exists:
HTTP/1.1 401 Unauthorized |
Note: As a side effect this will send an email to the given address, prompting the user to set their password.
POST https://auth-staging.sagebase.org/auth/v1/user/password/email
{"email":"demouser@sagebase.org"}
|
Successful Response:
HTTP/1.1 204 No Content |
If the email address is not in the user database:
HTTP/1.1 404 Not Found |
POST https://auth-staging.sagebase.org/auth/v1/user/password
{"sessionToken":"abcdefgh-0123-4567-ijkl-mnopqrstuvwx", "password":"foobar"}
|
Successful Response:
HTTP/1.1 204 No Content |
GET https://auth-staging.sagebase.org/auth/v1/secretKey |
Successful Response:
HTTP/1.1 200 {"secretKey":"0Ocy/cW/3WIdZg3Up9dguO4Kh5smBKpN7iWXAvVQqekGD3gT4nc7PWwlfOhcL+KW6W4PjXtgPQNhiP7yrwjfwQ=="}
|
Note: Session token is required in request header. The returned key is that of the authenticated user.
DELETE https://auth-staging.sagebase.org/auth/v1/secretKey |
Successful Response:
HTTP/1.1 204 No Content |
Note: Session token or HMAC signature is required in request header. The key which is invalidated is that of the authenticated user.
Request:
POST https://auth-staging.sagebase.org/auth/v1/session
{"email":"demouser@sagebase.org", "password":"demouser-pw"} |
Successful Response:
HTTP/1.1 201 Created
Content-Type: application/json
{"sessionToken":"AYcOhWIm9NdOC6BdzzzisQ00", "acceptsTermsOfUse":"true"}
|
Note: If the "acceptsTermsOfUse" field is "false", then an additional call to accept the Synapse terms of use is required before the session token can be used for authenticated requests
Session token is valid for a period of time, currently set to 24 hours.
Request:
PUT https://auth-staging.sagebase.org/auth/v1/session
{"sessionToken":"AYcOhWIm9NdOC6BdzzzisQ00"}
|
Successful Response:
HTTP/1.1 204 No Content |
Error Response, if the session token is invalid:
HTTP/1.1 401 Unauthorized
{"reason":"Session token is not valid"}
|
Error Response, if the user has not signed the terms of use yet:
HTTP/1.1 403 Forbidden
{"reason":"Terms of use must be signed"} |
Note: Sessions initiated by multiple clients for the same user around the same time will receive identical "single sign on" tokens. Since session termination is linked to the session token, terminating the session for one client via this command will have the side effect of terminating all sessions. An alternative is for the client simply to delete its own copy of the token.
Request:
DELETE https://auth-staging.sagebase.org/auth/v1/session |
Note: Session token is required in request header.
Response:
HTTP/1.1 204 No Content |
Request:
POST https://auth-staging.sagebase.org/auth/v1/termsOfUse
{"sessionToken":"AYcOhWIm9NdOC6BdzzzisQ00", "acceptsTermsOfUse":"true"} |
Response:
HTTP/1.1 204 No Content |
Synapse supports authentication via OpenID. Specifically there is a service which performs the OpenID handshake and, upon success, logs the user into Synapse and returns a Synapse session token. If it is the first time that the user has logged in to Synapse, then after successful OpenID authentication a new user account is created, a session is created and the session token is returned. The basic request is:
POST https://www.synapse.org/Portal/openid?OPEN_ID_PROVIDER=<ProviderName>&RETURN_TO_URL=<RedirectURL> |
<ProviderName> is the name of a supported OpenID provider. At this time the only allowed value is GOOGLE and this value will be used in the remaining examples.
Synapse supports the GET method, as required by applications which redirect requests to this service.
GET https://www.synapse.org/Portal/openid?OPEN_ID_PROVIDER=GOOGLE&RETURN_TO_URL=<RedirectURL> |
The successful response is a redirect to <RedirectURL> with extra request parameters to hold (1) an authentication status indicator (OK) and (2) the session token:
HTTP/1.1 302 Moved Temporarily ... Location: <RedirectURL>?status=OK&sessionToken=<sessionToken> ... |
If successful, but if the user has not yet accepted the Synapse Terms of Use (ToU), then the result is:
HTTP/1.1 302 Moved Temporarily ... Location: <RedirectURL>?status=TermsOfUseAcceptanceRequired ... |
In this case, authentication must be repeated with explict ToU acceptance. The client should display the ToU and request the user's acceptance. The ToU are available at this URL:
https://auth-prod.sagebase.org/auth/v1/termsOfUse.html |
Once the user has accepted the ToU, the authentication request may repeated, including a new request parameter acceptsTermsOfUse=true:
POST https://www.sagebase.org/Portal/openid?OPEN_ID_PROVIDER=GOOGLE&acceptsTermsOfUse=true&RETURN_TO_URL=<RedirectURL> |
If authentication is unsuccessful for a reason other than a missing terms of use agreement then the result is:
HTTP/1.1 302 Moved Temporarily ... Location: <RedirectURL>?status=OpenIDError ... |
Create User:
curl -k -H "Content-Type:application/json" -H "Accept:application/json" -d "{\"email\":\"demouser@sagebase.org\", \"firstName\":\"demo\", \"lastName\":\"user\", \"displayName\":\"Demo User\"}" -X POST https://auth-staging.sagebase.org/auth/v1/user
Send Change Password Email:
curl -k -H "Content-Type:application/json" -H "Accept:application/json" -d "{\"email\":\"demouser@sagebase.org\"}" -X POST https://auth-staging.sagebase.org/auth/v1/user/password/email
Login:
curl -k -H "Content-Type:application/json" -H "Accept:application/json" -d "{\"email\":\"demouser@sagebase.org\", \"password\":\"demouser-pw\"}" -X POST https://auth-staging.sagebase.org/auth/v1/session
Refresh session token:
curl -k -H "Content-Type:application/json" -H "Accept:application/json" -d "{\"sessionToken\":\"QYNoamrOKK0dBhjZOFfbAg00\"}" -X PUT https://auth-staging.sagebase.org/auth/v1/session
Logout:
curl -k -H "Content-Type:application/json" -H "Accept:application/json" -d "{\"sessionToken\":\"QYNoamrOKK0dBhjZOFfbAg00\"}" -X DELETE https://auth-staging.sagebase.org/auth/v1/session
Access repository services anonymously:
curl -H Accept:application/json https://repo-staging.sagebase.org/repo/v1/dataset/test
Access repository services with session token (obtained by logging in):
curl -H Accept:application/json -H sessionToken:AprxPRzpmaPm7FXzV1ik0w00 https://repo-staging.sagebase.org/repo/v1/dataset/test
Access repository services with HMAC-SHA1 signed request:
curl -i -H "Content-Type:application/json" -H "Accept:application/json" -H signatureTimestamp:2011-09-27T21:59:22.371-07:00 -H signature:yhMgokIH9ErQklj8oUuhHR5o5QM= -H userId:demouser@sagebase.org -X GET "http://localhost:8080/services-repository-0.7-SNAPSHOT/repo/v1/dataset?sort=name&limit=3"
Requests shall include a header named "sessionToken" whose value is that returned by the Initiate Session request, above. (The session will timeout eventually, with a nominal duration of 24 hours.)
Request shall include the following headers:
userId: demouser@sagebase.org signatureTimestamp: 2011-07-16T19:20:30.45+01:00 (i.e. in ISO8601 format including time zone) signature: <signature> |
where <signature> is the HMAC-SHA1 hash created using the shared secret key generated above, and the hashed data is the concatenation:
userId + uri + signatureTimestamp
URI example: If the request is made to
https://repo-staging.sagebase.org/repo/v1/dataset?sort=name&limit=3
then the URI is:
/repo/v1/dataset
For requests that fail to be authenticated the response will include the headers:
WWW-Authenticate: "Digest" your email
and a plain text body: "The token provided was invalid or expired."
Currently, there are two default groups that can be used to set permissions:
Group Name | Description |
|---|---|
PUBLIC | All users belong to this group. This is the only group that the anonymous@sagebase.org user belongs to. The anonymous user is used for anyone that has not logged in to Synapse. Therefore, granting permission to PUBLIC will grant that permission to everyone including users that have not logged in. |
AUTHENTICATED_USERS | All users that have logged in will automatically belong to this group. Therefore, granting permissions to AUTHENTICATED_USERS will grant that permission to any user that has logged in to Synapse. |
GET https://repo-staging.sagebase.org/repo/v1/user?offset=1&limit=100 |
{"totalNumberOfResults":340,
"results":[
{"lastName":"Bar","etag":"403","ownerId":"273956","firstName":"Foo","displayName":"Foo Bar"},
....
],
"paging":{"next":"/repo/v1/user?offset=101&limit=100"}
}
|
GET https://repo-staging.sagebase.org/repo/v1/userGroup |
[
{"name":"AUTHENTICATED_USERS","id":"1","creationDate":1307141423000,"uri":null,"etag":null,"individual":false},
{"name":"PUBLIC","id":"2","creationDate":1307141423000,"uri":null,"etag":null,"individual":false},
{"name":"Federation Group","id":"3","creationDate":1307141423000,"uri":null,"etag":null,"individual":false}
]
|
Note: The "name" fields returned from /user and /userGroup are used in the "groupName" fields in the ACLs shown below.
Returns the ACL for the node responsible for the given node's permissions. Note: In the following example, 'id' is the id of the node to which permissions are attached; there is one 'resourceAccess' entry per UserGroup (aka 'principal') having access to the resource; 'groupName' is the name of the UserGroup object; 'accessType' is the list of types of access the given UserGroup has to the given resource.
GET https://repo-staging.sagebase.org/repo/v1/entity/{entity_id}/acl
|
{"id":"1",
"creationDate":1307141851484,
"uri":null,
"etag":"0",
"createdBy":"admin",
"resourceAccess":[
{"id":"1",
"groupName":"PUBLIC",
"accessType":["READ","CHANGE_PERMISSIONS","DELETE","UPDATE","CREATE"]
}
],
"modifiedBy":"admin",
"modifiedOn":1307141851483
}
|
Note: This is only used when the resource 'rid' currently inherits its access control list from an ancestor. This request causes 'rid' to cease ACL inheritance and instead use the ACL passed in with the request.
POST https://repo-staging.sagebase.org/repo/v1/entity/{entity_id}/acl
{"id":"{entity_id}",
"resourceAccess":[
{"groupName":"PUBLIC",
"accessType":["READ","CHANGE_PERMISSIONS","DELETE","UPDATE","CREATE"]
}
]
}
|
Note: This is only used when a "entity_id" already specifies its access control list (does not inherit from an ancestor).
PUT https://repo-staging.sagebase.org/repo/v1/entity/{entity_id}/acl
{"id":"1",
"etag":"0",
"resourceAccess":[
{"id":"1",
"groupName":"PUBLIC",
"accessType":["READ","CHANGE_PERMISSIONS","DELETE","UPDATE","CREATE"]
}
],
}
|
This deletes the given object's ACL, restoring its dependence on its owner's permissions.
DELETE https://repo-staging.sagebase.org/repo/v1/entity/{entity_id}/acl
|
Note: The query is asked for the user who is implied by the session token, or 'anonymous' if there is no token.
GET https://repo-staging.sagebase.org/repo/v1/entity/{entity_id}/access?accessType={accessType}
|
{"result":true}
|
The Synapse Authorization Services include support for creating abstract 'resources' and allowing users access. The defined requests are shown below. Note: All requests must be authenticated, as described earlier in this document.
POST https://auth-staging.sagebase.org/auth/v1/resourceAccess/{resourceName}
{"userName":"demouser@sagebase.org", "userData":"some-user-data"}
|
Note: The user executing this request must be a Synapse Administrator.
Successful Response:
HTTP/1.1 201 Created |
POST https://auth-staging.sagebase.org/auth/v1/resourceSession/{resourceName}
|
Note: The session is created for the user authenticated in the request.
Successful Response:
HTTP/1.1 201 Created
{"resourceAccessToken":"a1b2c3d4e5f6"} |
Unsuccessful Response:
HTTP/1.1 401 Unauthorized
{"reason": "Not authorized."} |
GET https://auth-staging.sagebase.org/auth/v1/resourceSession/a1b2c3d4e5f6 |
Note: Though the request must be authenticated, the user making the request need not be the same as the user whose session is indicated by the passed token. This allows (for example) a 'service account' to request authentication of tokens owned by real users.
Successful Response:
HTTP/1.1 200 OK
{"userName":"demouser@sagebase.org", "userData":"some-user-data"} |
Unsuccessful Response:
HTTP/1.1 401 Unauthorized
{"reason": "Not authorized."} |
GET https://repo-staging.sagebase.org/repo/v1/userProfile |
returns the profile of the authenticated user:
{
"firstName":"Jane",
"lastName":"Smith",
"userName","janesmith@sagebase.org",
"displayName":"Jane Smith",
"rStudioUrl":"http://rstudiohost.sagebase.org",
"ownerId":"1001",
"uri":"/userProfile",
"etag":"0"
}
|
GET https://repo-staging.sagebase.org/repo/v1/userProfile/1001 |
returns the profile of the specified user, where "ownerId" is the "id" field returned in the "/user" request, described above, https://sagebionetworks.jira.com/wiki/display/PLFM/Authentication+and+Authorization+API#AuthenticationandAuthorizationAPI-GettheuserswhocanbeaddedtoaresourcesACL.
Note: Private fields (e.g. "rStudioUrl") are omitted unless the requestor is the profile owner or an administrator.
{
"firstName":"Jane",
"lastName":"Smith",
"displayName":"Jane Smith",
"ownerId":"1001",
"uri":"/userProfile",
"etag":"0"
} |
PUT https://repo-staging.sagebase.org/repo/v1/userProfile
{
"firstName":"Jane",
"lastName":"Smith",
"userName","janesmith@sagebase.org",
"displayName":"Jane Smith",
"rStudioUrl":"http://rstudiohost.sagebase.org",
"ownerId":"1001",
"uri":"/userProfile",
"etag":"0"
} |
Note: The user associated with "ownerId" must match the identity of the authenticated user making the request, otherwise and Unauthorized response will occur.
PUT https://repo-staging.sagebase.org/repo/v1/userProfile/1001
{
"firstName":"Jane",
"lastName":"Smith",
"userName","janesmith@sagebase.org",
"displayName":"Jane Smith",
"rStudioUrl":"http://rstudiohost.sagebase.org",
"ownerId":"1001",
"uri":"/userProfile",
"etag":"0"
} |
Note: This API is available only to administrators.
Synapse provides a batch UserGroupHeader service to fetch information about a collection of users or groups, specified by Synapse IDs. UserGroupHeaders contain a user's name, e-mail address, display name, and picture URL, when available.
GET https://repo-staging.sagebase.org/repo/v1/userGroupHeaders/batch?ids=1001,819 |
Note that ids are specified as request parameters at the end of the URL, separated by commas. In the example above, we are fetching headers for Synapse IDs 1001 and 819.
This service can be used to search for synapse users by name or email:
GET {repo-endpoint}/userGroupHeaders?prefix=john.doe@somedomain.org
|
returns:
{'totalNumberOfResults': 1,
'children':[
{'displayName': 'John Doe',
'firstName': 'John',
'lastName': 'Doe',
'pic': {'contentType': 'image/jpeg',
'name': '1421211.jpg',
'tokenId': '1444862/1421211.jpg',
'previewId': '1444863/1421211.jpg',
'md5': '3211e11de379bc62b70bd2a1fc49255e',
'previewState': 'PREVIEW_EXISTS'},
'email': 'joh...e@somedomain.org',
'ownerId': '1421212',
'isIndividual': True}],
'prefixFilter': 'john.doe@somedomain.org'} |
Get Request:
curl -H sessionToken:XXXXXXXXXXXXXXXXXX -H Content-Type:application/json -k https://repo-staging.sagebase.org/repo/v1/project/498/acl |
Get Response:
{
"id":"3",
"creationDate":1308274656084,
"etag":"0",
"createdBy":"nicole.deflaux@sagebase.org",
"resourceAccess":[
{
"id":"4",
"groupName":"AUTHENTICATED_USERS",
"accessType":[
"DELETE",
"CHANGE_PERMISSIONS",
"UPDATE",
"READ",
"CREATE"
]
}
],
"modifiedBy":"nicole.deflaux@sagebase.org",
"modifiedOn":1308274656084,
"uri":"/repo/v1/project/498/acl"
} |
Update Request:
curl -H sessionToken:XXXXXXXXX -H Content-Type:application/json -X PUT -d '{
"id":"3",
"creationDate":1308274656084,
"etag":"0",
"createdBy":"nicole.deflaux@sagebase.org",
"resourceAccess":[
{
"groupName":"AUTHENTICATED_USERS",
"accessType":[
"READ"
]
},
{
"groupName":"nicole.deflaux@sagebase.org",
"accessType":[
"DELETE",
"CHANGE_PERMISSIONS",
"UPDATE",
"READ",
"CREATE"
]
},
{
"groupName":"someuser@sagebase.org",
"accessType":[
"DELETE",
"CHANGE_PERMISSIONS",
"UPDATE",
"READ",
"CREATE"
]
}
],
"modifiedBy":"nicole.deflaux@sagebase.org",
"modifiedOn":1308274656084,
"uri":"/repo/v1/project/498/acl"
}' https://repo-staging.sagebase.org/repo/v1/project/498/acl
|
Update Response:
{
"id":"3",
"creationDate":1308274656084,
"etag":"0",
"createdBy":"nicole.deflaux@sagebase.org",
"resourceAccess":[
{
"id":null,
"groupName":"someuser@sagebase.org",
"accessType":[
"DELETE",
"UPDATE",
"CHANGE_PERMISSIONS",
"READ",
"CREATE"
]
},
{
"id":null,
"groupName":"nicole.deflaux@sagebase.org",
"accessType":[
"DELETE",
"UPDATE",
"CHANGE_PERMISSIONS",
"READ",
"CREATE"
]
},
{
"id":null,
"groupName":"AUTHENTICATED_USERS",
"accessType":[
"READ"
]
}
],
"modifiedBy":"nicole.deflaux@sagebase.org",
"modifiedOn":1308274656084,
"uri":"/repo/v1/project/498/acl"
} |