Authentication and authorization
Pedro Guimarães edited this page Dec 4, 2015 · 9 revisions
The basic idea is to impose a minimum set of security restrictions that prevent harmful use of the API. This rests on two premises:
- Authentication - Ensure a user is who he says he is. This is provided by regular e-mail/password identification.
- Authorization - Ensure a user only has access to the things he is allowed to access. This is granted by token verification and by the differentiation between user roles/states.
This means that the API depends on a user access system. Users must go through the following process if they intend to access all data provided:
1) Create an account (register)
The users interested in using the API should request a user account by registering with an e-mail as user name and a valid password.
2) Wait for authorization
After registration, you might try to login and, if the admin has not yet authorized your recently created account, you will receive this message upon logon:
```
Unauthorized user. API admin must authorize your account in order to enable your access to tokens.
```
3) Login
You must [login](https://gbif.sibbr.gov.br/api/v1.2/login) with the e-mail and password you provided upon registration.
4) Fetch valid token
Each data query must include a **token**. This token is a SHA256 hash generated by the system.
When your account is authorized by the admin, you will see a small dashboard with your valid token:
```
Login success. Access token: 8cf7e57b6859d5f6d6e70f29e9c267214acc4ecd961a8255903d5ab2bdf5149e
```
5) Use token as parameter in every query
When querying for data, the user token must be provided in order to ensure that there is no unauthorized access to the system. Each token is associated with a single user, so it is possible to keep fair control over the queries made to the API, granting basic security.
So, for example, for a list of all resources available, a user should do:
```
curl -k -X GET https://gbif.sibbr.gov.br/api/v1.2/recursos?token={VALID_TOKEN}
```
Note that `-k` disables TLS certificate verification; omit it once the server certificate validates, otherwise the token is sent to whichever host answers.
Or just type that URL in your preferred browser:
```
https://gbif.sibbr.gov.br/api/v1.2/recursos?token={VALID_TOKEN}
```
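The flow above, as an added example that is not part of this wiki or the SiBBr API code: a client side that classifies the login reply by the two messages quoted on this page and builds the tokenised query URL, and a server side that resolves a token to its single owner only when the account is in the authorized state. The token table, user names and the `ab…` token are constructed for illustration.

```python
import hmac
import re
from urllib.parse import urlencode

BASE_URL = "https://gbif.sibbr.gov.br/api/v1.2/"
# Reply texts as quoted on the wiki page; the token is a 64-hex-char SHA256 digest.
TOKEN_RE = re.compile(r"Login success\. Access token: ([0-9a-f]{64})")
PENDING_MSG = "Unauthorized user. API admin must authorize your account"
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_login_response(body):
    """Classify a login reply: ('authorized', token), ('pending', None) or ('unknown', None)."""
    match = TOKEN_RE.search(body)
    if match:
        return "authorized", match.group(1)
    if PENDING_MSG in body:
        return "pending", None
    return "unknown", None


def build_query_url(endpoint, token, **params):
    """Append the token parameter to a query URL; refuse anything that is not a SHA256 hex string."""
    if not HEX64.match(token):
        raise ValueError("token must be a 64-character lowercase hex string")
    query = dict(params)
    query["token"] = token
    return BASE_URL + endpoint.lstrip("/") + "?" + urlencode(query)


# Constructed server-side table (hypothetical): token -> (owner, account state).
# Each token belongs to exactly one user, as the page describes.
TOKEN_TABLE = {
    "ab" * 32: ("alice@example.org", "authorized"),
    "cd" * 32: ("bob@example.org", "pending"),
}


def resolve_token(token, table=TOKEN_TABLE):
    """Return the owner of a token whose account is authorized, else None.

    Every known token is compared with hmac.compare_digest so that lookup time
    does not reveal how many leading characters of a guessed token were right.
    """
    if not HEX64.match(token):
        return None
    owner = None
    for known, (user, state) in table.items():
        if hmac.compare_digest(known, token) and state == "authorized":
            owner = user
    return owner
```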