Validate User Passwords

You can use the entity API endpoint to validate a password attribute in a user schema. When called this way, the API hashes the supplied value internally, using the hashing method specified in the schema for that attribute, and compares the result with the stored hash; the plain-text value is never compared directly.

If the password matches, entity returns the user record.

Note: The password attribute in the returned record is the stored hash (for example a bcrypt hash), not the plain-text value.

If the password does not match, the call returns error code 350 invalid_password_value.

You can also use these two optional parameters when validating a user password:

Example

This example walks through the full flow, from validating a user password to issuing an OAuth token.

Step 1: Using entity to validate password

This entity call attempts to verify the password for user id 42:

curl -X POST \
-d id=42 \
-d client_id=12345678912345678912345678912345 \
-d client_secret=98765432198765432198765432198765 \
-d type_name=user \
-d password_attribute=password \
-d password_value=test_password_text \
https://yourdomain.com/entity

If successful, the call returns the user data as JSON:

{
  "stat": "ok",
  "result": {
    "aboutMe": "",
    "currentLocation": "",
    "givenName": "Firstname",
    "familyName": "Lastname",
    "created": "2012-02-21 22:28:08.051847 +0000",
    "statuses": [],
    "id": 1,
    "displayName": "test",
    "uuid": "12345678-1234-1234-1234-123456789123",
    "email": "example@example.com",
    "gender": "",
    "lastUpdated": "2012-07-10 18:13:33.466147 +0000",
    "photos": [],
    "password": {
      "type": "password-bcrypt",
      "value": "$2a$04$nNjwFaa9DQNNOvvQc9Haj.gkIuz.Ls8sj0yFx6ipjDsf7xf4f/u6m"
    }
  }
}

If the password does not match, the call returns an error response:

{
  "error_description": "incorrect password.",
  "stat": "error",
  "code": 350,
  "error": "invalid_password_value"
}

Step 2: Obtaining an Authorization Code

If the password is valid, the next step is to exchange the uuid returned in the Step 1 response for an authorization code using the access/getAuthorizationCode call.

An example access/getAuthorizationCode request:

curl -X POST \
-d client_id=12345678912345678912345678912345 \
-d client_secret=123456789123456789123456789123 \
-d type_name=user \
-d uuid=12345678-4321-1234-12345678912345678 \
-d redirect_uri=www.example.com \
https://yourdomain.com/access/getAuthorizationCode

If successful, an authorization code is returned:

{
  "authorizationCode": "12345678912345",
  "stat": "ok"
}

Step 3: Exchange Code for Token

Once the authorization code is returned, it can be exchanged for a token using the oauth/token call. Typically, this exchange is implemented in the handler that serves the redirect_uri given in Step 2.

An example oauth/token request:

curl -X POST \
-d client_id=12345678912345678912345678912345 \
-d client_secret=123456789123456789123456789123 \
-d grant_type=authorization_code \
-d code=12345678912345 \
-d redirect_uri=www.example.com \
https://yourdomain.com/oauth/token

If successful, the call returns an OAuth token:

{
  "access_token": "9876543210",
  "expires_in": 3600,
  "refresh_token": "1234567890",
  "stat": "ok"
}
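The three steps above as one server-side client, written here as an added example rather than code from the original documentation or the product. It calls the documented endpoints (entity, access/getAuthorizationCode, oauth/token) with the documented parameters and checks the documented response shapes, including the code 350 invalid_password_value error. The base URL, the client credentials, the IdentityClient and login names, and the pluggable transport callable are assumptions of this example; the default transport posts with urllib, and the constructed in-memory transport at the end mirrors the responses shown above so the flow can be run offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

INVALID_PASSWORD_CODE = 350  # documented error code for a failed password check


class PasswordValidationError(Exception):
    """Raised when /entity answers with code 350 (invalid_password_value)."""


class IdentityClient:
    """Hypothetical helper (not the product's SDK) wrapping the three documented calls."""

    def __init__(self, base_url, client_id, client_secret, transport=None):
        self.base_url = base_url.rstrip("/")
        # client_secret is a server-side credential; keep this object out of browser code.
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        # transport(url, form_dict) -> parsed JSON dict; replaceable for offline runs
        self.transport = transport or self._urllib_post

    @staticmethod
    def _urllib_post(url, form):
        req = Request(url, data=urlencode(form).encode(), method="POST")
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def _post(self, path, **form):
        form.update(self.creds)
        return self.transport(f"{self.base_url}/{path}", form)

    # Step 1: the service hashes and compares; the plain-text value is sent once and not kept.
    def validate_password(self, user_id, password, attribute="password", type_name="user"):
        resp = self._post("entity", id=user_id, type_name=type_name,
                          password_attribute=attribute, password_value=password)
        if resp.get("stat") != "ok":
            if resp.get("code") == INVALID_PASSWORD_CODE:
                raise PasswordValidationError(resp.get("error_description", "invalid password"))
            raise RuntimeError(f"entity call failed: {resp}")
        # The record carries the stored hash under the password attribute; drop it here
        # so the hash is never logged, cached or returned to a caller that does not need it.
        return {k: v for k, v in resp["result"].items() if k != attribute}

    # Step 2: uuid from the validated record -> authorization code
    def get_authorization_code(self, uuid, redirect_uri, type_name="user"):
        resp = self._post("access/getAuthorizationCode", type_name=type_name,
                          uuid=uuid, redirect_uri=redirect_uri)
        if resp.get("stat") != "ok":
            raise RuntimeError(f"getAuthorizationCode failed: {resp}")
        return resp["authorizationCode"]

    # Step 3: authorization code -> access/refresh token (run from the redirect_uri handler)
    def exchange_code(self, code, redirect_uri):
        resp = self._post("oauth/token", grant_type="authorization_code",
                          code=code, redirect_uri=redirect_uri)
        if resp.get("stat") != "ok":
            raise RuntimeError(f"oauth/token failed: {resp}")
        return {k: resp[k] for k in ("access_token", "refresh_token", "expires_in")}


def login(client, user_id, password, redirect_uri):
    """Full flow: validate -> authorization code -> token. Raises on a bad password."""
    record = client.validate_password(user_id, password)
    code = client.get_authorization_code(record["uuid"], redirect_uri)
    return client.exchange_code(code, redirect_uri)


# Constructed in-memory transport mirroring the documented responses (test fixture only).
FAKE_UUID = "12345678-1234-1234-1234-123456789123"
FAKE_CODE = "12345678912345"


def fake_transport(url, form):
    path = url.split("/", 3)[3]
    if path == "entity":
        if form.get("password_value") == "test_password_text":
            return {"stat": "ok", "result": {"id": 42, "uuid": FAKE_UUID, "displayName": "test",
                    "password": {"type": "password-bcrypt",
                                 "value": "$2a$04$constructedplaceholderhash"}}}
        return {"stat": "error", "code": 350, "error": "invalid_password_value",
                "error_description": "incorrect password."}
    if path == "access/getAuthorizationCode":
        if form.get("uuid") != FAKE_UUID:
            return {"stat": "error", "error": "unknown uuid"}
        return {"stat": "ok", "authorizationCode": FAKE_CODE}
    if path == "oauth/token":
        if form.get("grant_type") == "authorization_code" and form.get("code") == FAKE_CODE:
            return {"stat": "ok", "access_token": "9876543210",
                    "expires_in": 3600, "refresh_token": "1234567890"}
        return {"stat": "error", "error": "invalid_grant"}
    raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    client = IdentityClient("https://yourdomain.com", "client-id", "client-secret",
                            transport=fake_transport)
    print(login(client, 42, "test_password_text", "https://www.example.com/callback"))
```

Against a live deployment, drop the transport argument so the urllib default is used, and keep the base URL on https so the password_value and client_secret form fields are only ever sent over TLS. The record returned by validate_password deliberately omits the password attribute: nothing downstream of Step 1 needs the stored hash, so it is stripped before the record can reach a log line or a session store.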