The GoodData authentication API provides access to GoodData’s token-based authentication. It uses two distinct tokens to authenticate a user. The first, called the Super-secure token, is valid for the whole session, while the second (the so-called Temporary token) has a more limited lifespan.
Typically, you use only the Temporary token to access resources, and refresh it using the Super-secure token once it expires.
Login is the process of obtaining a Super-secure token, delivered in the GDCAuthSST cookie in response to a POST request to the /gdc/account/login resource.
This is how you would request the token with curl:
$ curl --cookie-jar cookies.txt \
    --data-binary @- \
    --header 'Accept: application/yaml' \
    --header 'Content-Type: application/json' \
    https://secure.gooddata.com/gdc/account/login <<EOR
{
  "postUserLogin" : {
    "login" : "user@example.com",
    "password" : "S3kr1TZ",
    "remember" : "0"
  }
}
EOR
---
userLogin:
  profile: /gdc/account/profile/409
  state: /gdc/account/login/409
You can now look into cookies.txt to check the cookie you’ve obtained. Note that its path is set to /, so it will now be sent with each request. This will be fixed in future releases.
To obtain the Temporary token, send a GET request to /gdc/account/token. You’ll get an empty response with the GDCAuthTT cookie:
$ curl --cookie cookies.txt \
    --cookie-jar cookies.txt \
    --header 'Accept: application/yaml' \
    https://secure.gooddata.com/gdc/account/token
--- ''
Once you have the Temporary token, you can access the rest of the API.
$ curl --cookie cookies.txt \
    --header 'Accept: application/yaml' \
    https://secure.gooddata.com/gdc/md
---
about:
  category: MD
  links:
    -
      category: status
      link: /gdc/md/status
      summary: Status of this resource
      title: status
    -
      category: config
      link: /gdc/md/config
      summary: Apache settings for this resource
      title: config
    -
      category: project
      identifier: FoodMartDemo
      link: /gdc/md/FoodMartDemo
      summary: FoodMartDemo001
      title: FoodMartDemo
    ...
  summary: Metadata Resources
Note that once the Temporary token expires, you’ll get a response with status code 401. In that case, you just need to re-request it by visiting /gdc/account/token and repeat the failing request.
The WWW-Authenticate header specifies that you’re expected to authenticate via the GoodData mechanism, and indicates whether you need to refresh the Temporary token (cookie=GDCAuthTT) or log in to get a new Super-secure token (cookie=GDCAuthSST). Add the -v option to curl to see the headers:
$ curl -v --cookie cookies.txt \
    --header 'Accept: application/yaml' \
    https://secure.gooddata.com/gdc/md
...
< WWW-Authenticate: GoodData cookie=GDCAuthTT
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
...
The User-Agent header must be the same for the Super-secure token retrieval and the Temporary token refresh.
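The 401 handling described above can be driven by the WWW-Authenticate challenge, so that the password is sent again only when the Super-secure token itself has expired and retries stay bounded. The following Python sketch is an added example, not GoodData code: the `send` and `login` callables and the `FakeServer` class are hypothetical stand-ins, and the challenge format is taken from the curl output on this page. A real `send` would also have to use one fixed User-Agent for both login and token refresh.

```python
import re

TOKEN_PATH = "/gdc/account/token"
# Challenge format as shown on this page: "GoodData cookie=GDCAuthTT"
CHALLENGE = re.compile(r"^\s*GoodData\s+cookie=(GDCAuthTT|GDCAuthSST)\s*$")

def next_step(status, www_authenticate):
    """Classify a response: 'done', 'refresh_tt', 'login' or 'fail'."""
    if status != 401:
        return "done"
    m = CHALLENGE.match(www_authenticate or "")
    if not m:
        return "fail"  # unknown challenge: never answer it with credentials
    return "refresh_tt" if m.group(1) == "GDCAuthTT" else "login"

def fetch(send, login, path, max_attempts=2):
    """send(method, path) -> (status, WWW-Authenticate or None, body)."""
    for _ in range(max_attempts):
        status, challenge, body = send("GET", path)
        step = next_step(status, challenge)
        if step == "done":
            return status, body
        if step == "fail":
            raise RuntimeError("unrecognised 401 challenge")
        if step == "login":
            login()
        # A fresh Temporary token is needed before the retry in both cases.
        st, ch, _ = send("GET", TOKEN_PATH)
        if next_step(st, ch) == "login":  # Super-secure token expired too
            login()
            send("GET", TOKEN_PATH)
    raise RuntimeError("still unauthorized after retries")

class FakeServer:
    """Constructed stand-in for the API; tracks token validity only."""
    def __init__(self):
        self.sst = self.tt = False
        self.log = []
    def login(self):
        self.log.append("POST /gdc/account/login")
        self.sst = True
    def send(self, method, path):
        self.log.append(f"{method} {path}")
        if path == TOKEN_PATH:
            if not self.sst:
                return 401, "GoodData cookie=GDCAuthSST", ""
            self.tt = True
            return 200, None, ""
        if not self.tt:
            return 401, "GoodData cookie=GDCAuthTT", ""
        return 200, None, "about: ..."
```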
See the login methods in GdcRESTApiWrapper.java for a real-world example of an authentication API implementation in Java.