Rainbow authentication portal (1.236.6)


Rainbow authentication portal API guide

Preamble


Introduction

This guide describes the API services provided by the OT Rainbow authentication portal. These services are used to manage OT Rainbow authentication.

Protocol

A REST interface is used for sending and receiving OT Rainbow API messages.
The HTTP GET method is used. Standard HTTP responses carry the requested information or an error status. There is no session notion in the OT Rainbow system, so requests are issued in a stateless model, with no transport state kept between them.
JSON is the main encoding for the message body. Each request path starts with the pattern /{module}/{version}/, where {module} is the portal module to address and {version} is the version of the API used, for example "v1.0".

Security considerations

Each request must carry credential information to authenticate itself. Standard HTTP authentication in basic or bearer mode is used. The JSON Web Token mechanism carries the authentication information; a JWT has an expiry timeout, controlled by the OT Rainbow portal, to prevent very long token usage. Authentication with an application token is also supported: the token must be provided in a custom HTTP request header, APIKey. On the server side the token is verified, and if it does not match, a 403 Not Allowed response is sent. TLS is used as the transport protocol for message exchanges between the OT Rainbow portal and an application.

Authentication

Bearer

To access the API, a valid JWT or a valid OAuth access token must be passed in every request in the 'Authorization' header.

  • JWT
    • A valid JWT token is generated by the API and returned as answer of a call to the route GET /api/rainbow/authentication/v1.0/login giving a valid user & password.
    • The following syntax must be used in the 'Authorization' header:
      Bearer xxxxxx.yyyyyyy.zzzzzz
  • OAuth access token
    • A valid OAuth access token is generated and returned as the result of the OAuth 2.0 authorization code grant workflow. This is done by calling the route GET /api/rainbow/authentication/v1.0/oauth/authorize to get an authorization code and then POST /api/rainbow/authentication/v1.0/oauth/token to exchange it against an access token and a refresh token.
    • The following syntax must be used in the 'Authorization' header:
      Bearer xxxxxx.yyyyyyy.zzzzzz
Security Scheme Type API Key
Header parameter name: Authorization

Bearer-x-rainbow-api-key

To access the API, a valid API_KEY can be provided in this header instead of the Authorization Bearer JWT header.

Security Scheme Type API Key
Header parameter name: x-rainbow-api-key

Basic

User authentication

Basic <base64encode(userLogin:userPassword)>

Security Scheme Type HTTP
HTTP Authorization Scheme basic

Authentication

Validate user JWT

This API returns the validation status of a token.

header Parameters

accept (required, string): application/json

Responses

Response samples

Content type
application/json
{
  "status": "OK"
}

Login user

This API allows Rainbow users to login.

The application is also authenticated during the user login.

If login succeeds and multi-factor authentication is not activated for the user (or is activated but not configured), the API returns a JSON Web Token (JWT) which clients must provide to all Rainbow APIs requiring user authentication:

  • The JWT is valid only for a given time period.
  • The JWT can be renewed a few times using API GET /api/rainbow/authentication/v1.0/renew.
  • The maximum number of renewals is given in the JWT payload, as well as the current number of times the token has been renewed (see below).
  • Once the JWT has expired, or once the maximum number of renewals has been reached, the user must log in again using this API.

The JWT returned contains the following data in payload:


{
    "countRenewed": 0,  // Number of times the token has been renewed
    "maxTokenRenew": 5,  // Number of times the token can be renewed
    "user": {
        "id": "572756967bfbca0d0e09a6b4",  // Logged in user id
        "loginEmail": "user@company.com"  // Logged in user loginEmail
    },
    "app": {
        "id": "598983029db9b5b14693a6f0",  // Application id used for the authentication
        "name": "My App"  // Application name
    },
    "iat": 1463588327,  // (Issued At) Time at which the JWT was issued
    "exp": 2183588327  // (Expiration Time) Expiration time after which the JWT won't be accepted
}

If the login / password combination is wrong, a 401 error is returned (errorDetailsCode 401500).
If the appId / appSecret combination is wrong, a 401 error is returned (errorDetailsCode 401500).

The following login protection is implemented:

  • After a given number of login failures (5 by default), the user account is locked for a given time period (60 min by default).
  • As long as the maximum number of login failures has not been reached, a 401 error with errorDetailsCode 401500 is returned.
  • Once the maximum number of login attempts has been reached, a 401 error with errorDetailsCode 401501 is returned: the user account is locked for the given time period.
  • While the user account is locked, the same response with errorDetailsCode 401501 is returned for each new login attempt on this user account (even if a correct login / password combination is provided). If the login / password combination is wrong, the lock time period restarts from this new wrong attempt.
  • Once the lock time period is over, a login with the correct credentials is allowed again.
  • While the account is locked, the user can reset his password. In that case his account is unlocked and he can log in with his new password.
  • While the account is locked, a superadmin / support / admin (organisation or company level) user can set a new password for this account. In that case the account is unlocked and the user can log in with this new password.
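The lockout rules above, modelled as an added reference implementation (not the portal's own code) so that the documented status codes can be checked against a sequence of attempts; the check_password callable, the in-memory account store and the epoch-seconds clock are assumptions:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Defaults stated in the guide: 5 failed logins lock the account for 60 minutes.
MAX_FAILURES = 5
LOCK_PERIOD = 60 * 60.0  # seconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds, None when not locked


class LoginGuard:
    """Per-account lockout tracker returning (HTTP status, errorDetailsCode)."""

    def __init__(self, check_password: Callable[[str, str], bool]):
        self._check = check_password  # hypothetical credential verifier (assumption)
        self._state: Dict[str, AccountState] = {}

    def login(self, login: str, password: str, now: float) -> Tuple[int, Optional[int]]:
        st = self._state.setdefault(login, AccountState())
        ok = self._check(login, password)
        if st.locked_until is not None:
            if now < st.locked_until:
                # Locked: 401501 even with correct credentials; a wrong
                # password restarts the lock period from this attempt.
                if not ok:
                    st.locked_until = now + LOCK_PERIOD
                return 401, 401501
            st = self._state[login] = AccountState()  # lock period is over
        if ok:
            self._state[login] = AccountState()  # success clears the failure count
            return 200, None
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_PERIOD  # 5th failure locks the account
            return 401, 401501
        return 401, 401500

    def password_changed(self, login: str) -> None:
        """A password reset by the user, or set by an admin, unlocks the account."""
        self._state[login] = AccountState()
```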

If multi-factor authentication is activated and enabled for the user, then depending on the configuration of the selected policy the API may return a JSON Web Token (JWT) which clients must provide to all Rainbow MFA APIs requiring user authentication:

  • The JWT is valid only for a short given time period.
  • The JWT can't be renewed.
  • Once the JWT has expired, the user must log in again using this API.

The JWT returned contains the following data in payload:


{
   "maxTokenRenew": 0,  // Number of times the token can be renewed
   "user": {
       "id": "572756967bfbca0d0e09a6b4",  // Logged in user id
       "loginEmail": "user@company.com"  // Logged in user loginEmail
   },
   "app": {
       "id": "598983029db9b5b14693a6f0",  // Application id used for the authentication
       "name": "My App"  // Application name
   },
   "mfaType": "totp",
   "iat": 1463588327,  // (Issued At) Time at which the JWT was issued
   "exp": 2183588327  // (Expiration Time) Expiration time after which the JWT won't be accepted
}

Warning

  • The login url is case sensitive (lowercase). For example, /Login or /LOGIN won't work.
  • Login is forbidden for a certain delay if too many consecutive wrong-password errors occur; after that the user has to request a password change or just wait (see the implementation details above).
Authorizations:
header Parameters

x-rainbow-app-auth (required, string): Application authentication

Basic <base64encode(appId:sha256(appSecret + userPassword))>, i.e. the appSecret concatenated with the userPassword, hashed with SHA-256 (hex digest), then base64-encoded together with the appId.
Example: Basic bXlBcHA6OUYyMDJCQ0Y5QUM0RDgxRTlDOUM5MTNDNDUzNTE0NDAzNEQzQzdGNUM2OTVBMjVDMkQyOThBQjJDRTJBRkVGNA==
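Building and checking the x-rainbow-app-auth value and the user Basic header, as an added example that is not the portal's code; the uppercase hex digest follows the example above, and the parsing helpers are assumptions for checking a header's shape on the receiving side:

```python
import base64
import hashlib
from typing import Tuple

HEX_UPPER = set("0123456789ABCDEF")


def app_auth_header(app_id: str, app_secret: str, user_password: str) -> str:
    """x-rainbow-app-auth value: Basic base64(appId:sha256(appSecret + userPassword)).
    The digest is written as uppercase hex, as in the guide's example."""
    digest = hashlib.sha256((app_secret + user_password).encode("utf-8")).hexdigest().upper()
    return "Basic " + base64.b64encode(f"{app_id}:{digest}".encode("utf-8")).decode("ascii")


def user_auth_header(login: str, password: str) -> str:
    """Authorization value for the login route: Basic base64(userLogin:userPassword)."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(value: str) -> Tuple[str, str]:
    """Split a 'Basic <base64>' value into (name, secret); rejects malformed input.
    Only the first ':' separates the two parts, so a secret may itself contain ':'."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("expected 'Basic <base64>'")
    name, sep, secret = base64.b64decode(encoded, validate=True).decode("utf-8").partition(":")
    if sep != ":":
        raise ValueError("missing ':' separator")
    return name, secret


def parse_app_auth_header(value: str) -> Tuple[str, str]:
    """Like parse_basic, but also checks the digest is 64 uppercase hex characters."""
    app_id, digest = parse_basic(value)
    if len(digest) != 64 or not set(digest) <= HEX_UPPER:
        raise ValueError("digest must be a 64-character uppercase SHA-256 hex string")
    return app_id, digest
```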

x-rainbow-client-version (string): The client version

The client version is used to verify that the client application has the minimal version required to use the Rainbow server infrastructure.

If the client version is below the configured minimal version, the login is refused and a 403 error is returned (403020).

The minimal version required is set by the Rainbow infrastructure team when needed (for example, when breaking changes have been added on the server side, or when a security issue has been identified on the client side).

Client version example: 1.75.0

x-rainbow-trusted-appid (string): An id associated with the application that performs the login operation.

This id is checked against the ids stored in the database when multi-factor authentication is activated for the user and configured to run only for untrusted applications.

accept (required, string): application/json

Responses

Response samples

Content type
application/json
{
  "errorCode": 401,
  "errorMsg": "Unauthorized",
  "errorDetails": "User 5c00f9bdcf5d6c01cc8ff4b5 has a Voice Phone license. He is not authorized to log in to Rainbow.",
  "errorDetailsCode": 401223
}

Logout user

This API allows Rainbow users to logout.

Note: This API must not be called with ApiKey as authentication method.

Authorizations:
header Parameters

accept (required, string): application/json

Responses

Response samples

Content type
application/json
{
  "status": "User user1@company.com successfully logged out",
  "data": [ ]
}

Renew user JWT

This API allows Rainbow users to renew their JSON Web Token (JWT), thus extending the expiration date of their current JWT.

This API requires the user to be authenticated with a valid, non-expired JWT.

If so, a new JWT is returned, with the expiration date starting from now.

Warning:

  • The JWT can only be renewed a given number of times; after that the user has to log in again to get a new token using API GET /api/rainbow/authentication/v1.0/login.
  • The maximum number of renewals is given in the JWT, as well as the current number of times the token has been renewed.
  • This API must not be called with ApiKey as authentication method.
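Inspecting the payload fields described under Login user and the renew conditions listed above, as an added client-side example that is not the portal's code; SAMPLE_TOKEN is the token from the response sample below, and the helper names and the epoch-seconds clock are assumptions:

```python
import base64
import json
import time
from typing import Any, Dict, Optional

# Token taken from the guide's renew response sample (RS256, user1@company.com).
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJ1c2VyIjp7ImlkIjoiNTZjNWMxOWY5NDE0MTc2NTExOWY4OTZjIiwibG9naW5FbWFpbCI6InVzZXIxQGNv"
    "bXBhbnkuY29tIn0sImlhdCI6MTQ1NjE1MTYzOCwiZXhwIjoxNDU2MTU4ODM4fQ."
    "signature-not-checked-here"
)


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload as a dict for claim inspection only.
    No signature check is done here: the portal verifies the signature itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def is_mfa_token(payload: Dict[str, Any]) -> bool:
    """Short-lived token returned while MFA is pending: carries mfaType, never renewable."""
    return "mfaType" in payload and payload.get("maxTokenRenew", 0) == 0


def can_renew(payload: Dict[str, Any], now: Optional[float] = None) -> bool:
    """True when the guide's renew conditions hold: not expired and renew budget left."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False  # expired: only /login can produce a new token
    if is_mfa_token(payload):
        return False
    return payload.get("countRenewed", 0) < payload.get("maxTokenRenew", 0)


def seconds_until_expiry(payload: Dict[str, Any], now: Optional[float] = None) -> float:
    """How long the token may still be used before a renew (or a new login) is needed."""
    now = time.time() if now is None else now
    return max(0.0, float(payload.get("exp", 0)) - now)
```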
Authorizations:
header Parameters

x-rainbow-client-version (string): The client version

The client version is used to verify that the client application has the minimal version required to use the Rainbow server infrastructure.

If the client version is below the configured minimal version, the JWT renew is refused and a 403 error is returned (403020).

The minimal version required is set by the Rainbow infrastructure team when needed (for example, when breaking changes have been added on the server side, or when a security issue has been identified on the client side).

Client version example: 1.75.0

accept (required, string): application/json

Responses

Response samples

Content type
application/json
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjp7ImlkIjoiNTZjNWMxOWY5NDE0MTc2NTExOWY4OTZjIiwibG9naW5FbWFpbCI6InVzZXIxQGNvbXBhbnkuY29tIn0sImlhdCI6MTQ1NjE1MTYzOCwiZXhwIjoxNDU2MTU4ODM4fQ.FlPLNcWY9pTr0QvMj3RpLZJxtqbbydNnWIEr-B2lc4Y6ea41bqJJ-e10Sk_S-1blnG71E7yT625qrkO-UCc0ywR6lWCylcAUkH7-fvjKQbET2mU-4yuNwTd-sNHGzGabgr4n5xtUSMaDunjDgF1kQDZ-dEFPF5NtbN1rdqZP9tzTXrpZ6rmrW2a1o13-hHl7sxN_FqHr_4u_8AhN4dMKUgG0qRjrc1GMJ88M8idH9zTsejU5YQyJqdYQS9T_fSoFzJtS0rmwNCJMdeF2tXj8YQeTjKAiPXoBwklm5xblHxWeCTz9tqfkw1XeNxSO0pOUmpwdpF8kbwDCCa2rgz1z3A",
  "mfaRequired": false,
  "loggedInUser": { },
  "loggedInApplication": { }
}