Authentication & Authorization

A core goal of the platform is to reduce the authentication and authorization effort for the individual application as much as possible. In addition, it is recognized that the requirements regarding authentication and authorization vary greatly between different applications.

The platform supports the following authentication use-cases:

  • SSO/OAuth login for internal users
  • SSO/OAuth login for users of different organizations
  • Anonymous/Public Access
  • Accounts with username/password authentication
  • Service Principals for
    • access from external systems
    • user authentication via browser

Retrieving information about the authenticated principal

The platform provides the api/gw/platform/principal endpoint, which returns information about the authenticated principal. For example:

```json
{
  "principalId": {
    "type": "ACCOUNT",
    "id": "59"
  },
  "displayName": "Account John Smith",
  "accountId": 59,
  "personName": "John Smith",
  "email": "john.smith@acme.com"
}
```

It can be called from the frontend or the backend.

Using service principals to access application backends from external systems

Create a service principal and a header-token. Add the service principal as user of an application. Then you can create a request as follows:

```bash
curl https://my-app.app-platform.cudos.ch/api/my-endpoint -H "Authorization: Bearer SP:385:35e..."
```

Note that the service principal has access to all endpoints of the application; the platform does not restrict it per endpoint. Make sure to implement appropriate authorization checks in your backend.
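The per-endpoint check the backend must add itself, as an added example that is not the platform's own code. It assumes the backend has already fetched the principal document (the JSON shown above) for the caller; the type string the platform uses for service principals is not given on this page, so a labelled placeholder stands in for it.

```python
"""Backend-side, default-deny authorization on the platform principal document.

Assumptions (not on the page): the backend obtains the caller's principal JSON
from api/gw/platform/principal; the principalId.type value for service
principals is unknown here and represented by the placeholder below.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

PrincipalRef = Tuple[str, str]  # (principalId.type, principalId.id)
SP_TYPE = "SERVICE_PRINCIPAL_TYPE_PLACEHOLDER"  # placeholder, not a platform value


@dataclass(frozen=True)
class Principal:
    ref: PrincipalRef
    display_name: str

    @classmethod
    def from_json(cls, doc: dict) -> "Principal":
        pid = doc["principalId"]
        # A malformed document must fail closed, never fall through to "allowed".
        if not isinstance(pid.get("type"), str) or not isinstance(pid.get("id"), str):
            raise ValueError("principalId.type and principalId.id must be strings")
        return cls(ref=(pid["type"], pid["id"]), display_name=doc.get("displayName", ""))


# Policy: endpoint path -> principals allowed to call it. The gateway already admits
# any service principal that is a user of the app to every endpoint, so this
# allowlist is the only thing keeping an SP out of endpoints it should not reach.
Policy = Dict[str, Set[PrincipalRef]]


def is_authorized(principal: Principal, endpoint: str, policy: Policy) -> bool:
    """Unknown endpoints and unlisted principals are refused (default deny)."""
    return principal.ref in policy.get(endpoint, set())


# Constructed sample documents; the first is the page's own example response.
ACCOUNT_DOC = {"principalId": {"type": "ACCOUNT", "id": "59"},
               "displayName": "Account John Smith", "accountId": 59,
               "personName": "John Smith", "email": "john.smith@acme.com"}
SP_DOC = {"principalId": {"type": SP_TYPE, "id": "385"},
          "displayName": "Reporting system service principal"}

POLICY: Policy = {
    "/api/my-endpoint": {("ACCOUNT", "59"), (SP_TYPE, "385")},
    "/api/admin/users": {("ACCOUNT", "59")},  # no service principal listed here
}


def check(doc: dict, endpoint: str) -> bool:
    """Decision for one request: parse the principal, then consult the policy."""
    return is_authorized(Principal.from_json(doc), endpoint, POLICY)
```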

Using service principals to access an API from external systems

Create a service principal and a header-token. Add the service principal as user of an API and enable external access under permissions. Then you can create a request as follows:

```bash
curl https://app-platform.cudos.ch/api/gw/my-api -H "Authorization: Bearer SP:385:35e..."
```

Using service principals to access an application

Sometimes it is useful to simply send a link to a third party and have the recipient be able to use an application. This can be achieved by creating a service principal and a 'query token'. Add the service principal as user of the application.

Then copy a URL from your application and append the ?$auth=SP:58:92f... query parameter to it. For example, https://my-app.app-platform.acme.com/ becomes https://my-app.app-platform.acme.com/?$auth=SP:58:92f... as the link to share. When this link is opened, an authentication cookie is set that allows the user to access all pages of your application.