API Authentication Modes

Applicable Product: Peoplefluent Learning

Applicable Version: All Versions

Summary:

Each API function utilizes one of the three authentication modes described below. The API function reference indicates the appropriate mode for each specific API function.


User Authentication

When calling a function that uses user authentication, the caller must authenticate using a PeopleFluent LMS user account. In general, the result of calling a function that requires user authentication will depend on the permissions of the LMS user account that the caller uses to authenticate. The caller can authenticate in either of the two ways listed below.

  • The caller can supply the user ID and password of the user account using HTTP basic access authentication. This technique is generally appropriate for callers that are not browser-based—for example, for server-to-server calls, or for desktop or mobile clients.
  • The caller can include a standard LMS session cookie in the request. This technique is appropriate for browser-based callers (for example, asynchronous JavaScript with XML/JSON) assuming that the user has already logged into the LMS via the browser.

 

System Authentication

When calling a function that uses system authentication, the caller must supply a global system password using HTTP basic access authentication.

The value of the password is configured in the WEB-INF/conf/ekp.properties configuration file using the authentication.key property. PFL-hosted clients can request this value from the support team, or ask the support team to configure a desired value.

In System Authentication, the LMS ignores the value of the supplied user name. However, some client and server software will not forward the credentials if the user name is empty; for this reason, we recommend supplying an arbitrary non-empty value for the user name.


Not Required

Some API functions provide access to public data that does not require authentication. Note that the function might still return additional information if the user is authenticated (using either of the two techniques described for user authentication above); however, the function is expected to return some useful result even if the user is not authenticated.

 

Note: When using HTTP basic access authentication, credentials are passed in what is essentially clear text. Therefore, the caller should always use SSL/TLS when sending credentials using basic access authentication.
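The following Python sketch is an added example, not PeopleFluent code. It builds (without sending) a request for each mode described above, shows that a basic access authentication header decodes back to the credentials without any key, and refuses to attach credentials to a non-HTTPS URL. The host, path, password, the `api-client` placeholder user name and the mode names are assumptions made for the example; requiring TLS for the session cookie as well is this example's choice.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

# Hypothetical placeholder: the LMS ignores the user name in system mode,
# but an empty one may not be forwarded by some client and server software.
SYSTEM_USER_PLACEHOLDER = "api-client"


def basic_header(user, password):
    """Build an HTTP basic access authentication header value (RFC 7617)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """Recover (user, password) from a header value; no key is needed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_request(url, mode, user="", password="", cookie=""):
    """Return an unsent Request for mode: user, cookie, system or none."""
    headers = {}
    if mode == "user":
        headers["Authorization"] = basic_header(user, password)
    elif mode == "system":
        name = user or SYSTEM_USER_PLACEHOLDER
        headers["Authorization"] = basic_header(name, password)
    elif mode == "cookie":
        headers["Cookie"] = cookie  # session cookie exactly as issued at login
    elif mode != "none":
        raise ValueError(f"unknown mode: {mode}")
    # This example's choice: any attached credential requires TLS.
    if headers and urlsplit(url).scheme != "https":
        raise ValueError("refusing to attach credentials to a non-HTTPS URL")
    return urllib.request.Request(url, headers=headers)


if __name__ == "__main__":
    # Constructed values: placeholder host, path and password.
    url = "https://lms.example.com/placeholder"
    req = build_request(url, "system", password="constructed-key")
    print(req.get_header("Authorization"))
    print(decode_basic(req.get_header("Authorization")))
```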
