API Authentication Methods

Posted: Tue Sep 05, 2023 6:59 pm
by soesoftware
There are three different Authentication Methods for Forma's API:
- Single code platform
- Token generation at every connection
- Authorization Secret Key

The API documentation, from what we can tell, only describes one of the methods, but we aren't sure which one it's describing. Can anyone define/explain all three methods and how they work?

Below is the section from the API documentation about authentication for reference:
2 AUTHENTICATION API
This is the authentication procedure for Forma REST API.
The system is based on a pair of keys called: key and secret
The “key” one will be (clearly) exchanged among the systems, while the “secret” will be used to create the concatenation parameter. The call will be executed as described, but in its header must be added the X-Authorization parameter as follows:
X-Authorization: FormaLMS <code>
To obtain the “<code>” value (that must be concatenated after the “FormaLMS” string) it is requested to proceed as follows:
create sha1 encoding of this concatenation: post values in the list and separated by comma, the comma itself, the secret key (“secret”)
generate the "<code>" through a base64 encoding of the “key” concatenation and with the “:” element, plus the token previously generated.

EXAMPLE

$codice_sha1 = strtolower(sha1(implode(',', $params) . ',' . $secret));
$codice = base64_encode($key . ':' . $codice_sha1);

additional header row for post call:
'X-Authorization: FormaLMS '. $codice


2.1 /api/auth/authenticate
Check if valid username and password are provided and returns the authentication token required for single sign on.
PARAMETERS

Name Type Description
username string
password string


EXAMPLE

Input
username=admin&password=password

Output
<XMLoutput>
<success>true/false</success>
<message>You are authenticated.</message>
<token>string</token>
<expire_at>date</expire_at>
</XMLoutput>

Re: API Authentication Methods

Posted: Tue Sep 05, 2023 8:48 pm
by alfa24
Those are not authentication methods, but parameters (not to be provided to the API).
As far as I know, there is only one Auth method and it's the one described in the reference.
If you search the forum, you'll find several related topics.
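
Added example (not part of the thread or of Forma's documentation): the X-Authorization construction quoted in the first post, written in Python together with a receiver-side check. The key and secret values and the verify_header helper are assumptions made for illustration; POST values are assumed to be strings joined in the order they are sent.

```python
import base64
import binascii
import hashlib
import hmac

SCHEME = "FormaLMS"

def params_digest(secret, params):
    # sha1 of "v1,v2,...,secret": POST values in sending order, then the secret.
    joined = ",".join(str(v) for v in params.values())
    return hashlib.sha1(f"{joined},{secret}".encode("utf-8")).hexdigest()

def build_header(key, secret, params):
    # base64("key:sha1hex"), prefixed with the scheme name from the docs.
    code = base64.b64encode(f"{key}:{params_digest(secret, params)}".encode("utf-8"))
    return f"{SCHEME} {code.decode('ascii')}"

def verify_header(header, secrets_by_key, params):
    # Hypothetical receiver-side check: returns the caller's key, or None.
    scheme, _, code = header.partition(" ")
    if scheme != SCHEME:
        return None
    try:
        decoded = base64.b64decode(code, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    key, sep, digest = decoded.partition(":")
    secret = secrets_by_key.get(key)
    if not sep or secret is None:
        return None
    expected = params_digest(secret, params)
    # Constant-time comparison of the received and recomputed digests.
    ok = hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8"))
    return key if ok else None

if __name__ == "__main__":
    # Constructed sample credentials and the POST body from the docs' example.
    secrets = {"demo-key": "demo-secret"}
    post = {"username": "admin", "password": "password"}
    header = build_header("demo-key", secrets["demo-key"], post)
    print("X-Authorization:", header)
    print("verified as:", verify_header(header, secrets, post))
```

The digest covers the POST values in order, so both sides must join them in the same order or the check fails. The key travels base64-encoded (readable by anyone who sees the header), while the secret only ever enters the SHA-1 input.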