Logging In

The JSON API supports a stateless, sessionless approach to logging in: the authentication data is sent to the server with each request.

Each API entry in this documentation describes how to include the username and password. However, if you are using guest access, or if a session is already established, you can omit those fields and the request will use the existing authenticated session.

Alternatively, you can use the VERIFYLOGIN.ASPX page to start a new session programmatically.

Verify Login API

To start an authenticated session with any WorkflowFirst application, you can perform an HTTP GET on the URL verifylogin.aspx. This takes the following URL parameters:

  1. USERNAME - the username of the user logging in.
  2. PASSWORD - a base64-encoded version of the user's password. The password can also be AES encrypted; see below for details.
    The following parameters are optional:
  3. EXTRA - Optional. An additional 2-factor authentication code that is passed into any custom authentication script, if required.
  4. TZ - Optional. The timezone identifier of the user's location. This is used to present dates and times in the system in the user's local time.
  5. PATH - Optional. An XPath into the system. The user will only be authenticated if they have permission to access this path.

The request returns a simple HTTP text response: either ERR: if there is an error, or OK: if the credentials authenticated successfully.
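
An added example (not WorkflowFirst's own code) of a client for the base64 form of this request: it builds the URL, masks the credentials before the URL is logged, and interprets the ERR:/OK: response. The base URL, the UTF-8 password encoding, the HTTPS-only check and the function names are assumptions of the example.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_verify_login_url(base_url, username, password, extra=None, tz=None, path=None):
    """Build the verifylogin.aspx GET URL with the parameter names listed above."""
    if urlsplit(base_url).scheme != "https":
        # base64 is a reversible encoding, so only TLS protects the password in transit.
        raise ValueError("verifylogin.aspx must be called over https")
    # Assumption: the password is encoded as UTF-8 before base64.
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    params = [("USERNAME", username), ("PASSWORD", encoded)]
    for name, value in (("EXTRA", extra), ("TZ", tz), ("PATH", path)):
        if value is not None:
            params.append((name, value))
    # urlencode percent-encodes the '+', '/' and '=' that base64 can emit;
    # a raw '+' in a query string is commonly decoded as a space.
    return base_url.rstrip("/") + "/verifylogin.aspx?" + urlencode(params)


def redact_url(url):
    """Mask the PASSWORD and EXTRA values so the URL can be written to client logs."""
    parts = urlsplit(url)
    masked = [(k, "***" if k.upper() in ("PASSWORD", "EXTRA") else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(masked, safe="*")))


def parse_verify_login_response(body):
    """Return (authenticated, detail); anything other than OK: is treated as failure."""
    text = body.strip()
    if text.startswith("OK:"):
        return True, text[3:].strip()
    if text.startswith("ERR:"):
        return False, text[4:].strip()
    return False, "unexpected response"


if __name__ == "__main__":
    # Constructed sample values; wf.example.com is a placeholder host.
    url = build_verify_login_url("https://wf.example.com/app", "jsmith", "~~~", tz="Europe/London")
    print(redact_url(url))
    print(parse_verify_login_response("ERR: constructed error text"))
```

Because the credentials travel in the query string, they also appear in server and proxy access logs unless those are configured to drop query strings.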

Encrypting the password

For additional security, the password can optionally be encrypted using symmetric AES encryption. Pass the current time, encoded as a long integer giving the number of milliseconds since January 1st 1970, in a parameter called ts, and add enc=1 to the URL. The password should be encrypted with a key formed from this number concatenated with the username in upper-case; the result is then converted to base64 and URI-encoded. The AES algorithm that must be used is the Rijndael algorithm. For the IV data, please contact us.

Note: The time is added to the encryption key in order to make it harder to crack, as the key becomes invalid a few seconds after it is generated.


v4.2.0.956 (beta)