Skip to main content
Skip table of contents

Username/password

When creating an account, a username and password combination can be associated with the account (whether an API Key was generated for the account or not). To do so, specify the “username” and “password” properties in the API request, for example:

NONE
curl -k --location --request POST 'https://<hostname>/v2/management/accounts' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3' \
  --data-raw '{
    "username": "some-username",
    "password": "some-password",
    "generate_api_key": false
     "is_admin": true
}'

The is_admin property will create the account with admin privileges. Remove this property to create an account without admin privileges.

The username and password combination can then be used to login via the UI, or to fetch a temporary access token valid for 24 hours. To do so, call the ‘login’ API endpoint:

NONE
curl -k --location --request POST 'https://<hostname>/v2/login' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json'  \
  --data-raw '{
    "username": "some-username",
    "password": "some-password"
}'

A response should be received similar to the lines below:

NONE
{
    "access_token":"eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps",
    "token_type":"Bearer",
    "expires_in":86400
}

The access token can be used as HTTP Authorization request header with type Bearer. A cURL example using the access token retrieved above would appear as:

NONE
curl --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps'

The password for an account can be updated with the change_password API endpoint, passing in both the old and new passwords, such as in this example:

NONE
curl -k --location --request POST '<hostname>/v2/management/accounts/3/change_password \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json'  \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps' \
  --data-raw '{
      "old_password":  "some-password",
    "new_password": "new-password"
}'

Following security best practices, the password is not stored on DCT and cannot be retrieved. If the password has been lost, an account with admin privilege can reset the password for a particular account. It is recommended to change the password reset by an admin account on the first login, or with the change_password API, as described above.

NONE
curl -k --location --request POST '<hostname>/v2/management/accounts/2/password_reset' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json'  \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps' \
  --data-raw '{
    "new_password": "new-password"
}'

In the above example, the admin is resetting the password of an account with id 2 to “new-password”.

Password policies

The password policy feature allows users to enable and customize the password policy enforced for local username/password authentication (does not apply to LDAP/Active Directory or SAML/SSO based authentication).

Understanding password policies

The password policy is a set of requirements that local passwords must satisfy. 

  • min_length: A password must be longer than this length.

  • reuse_disallow_limit: The user should not reuse old passwords. This tells the number of last used passwords disallowed to be reused as the new passwords.

  • uppercase_letter: A password must have at least one capital letter.

  • lowercase_letter: A password must have at least one lower case letter.

  • digit: A password must have at least one digit.

  • special_character: A password must have at least one special character, such as #, $, !

  • disallow_username_as_password: A password should not be the same as the user name.

  • maximum_password_attempts: The number of allowed attempts for incorrect password, after which the account gets locked.

Default password policy

By default, DCT does not enforce any password policy.

Changing the password policy

To change the current password policy, call the password policy API endpoint, as shown in the example below:

NONE
curl --location --request PATCH 'https://<hostname>/v2/management/accounts/password-policies' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{
	"enabled": true,
	"maximum_password_attempts": 2,
	"min_length": 5,
	"reuse_disallow_limit": 3,
	"digit": true,
	"uppercase_letter": true,
	"lowercase_letter": true,
	"special_character": true,
	"disallow_username_as_password": true
}'

Changing the password policy does not affect existing passwords.

Disabling local username/password authentication

Username/password authentication (with passwords locally in DCT) can be disabled for individual accounts by not setting or unsetting their password property, or across the DCT instance using the global properties API. Disable username/password authentication to force authentication to use an alternate authentication method (LDAP/Active Directory, SAML/SSO, etc.) as shown in this example:

NONE
curl --location --request PATCH 'https://<hostname>/v2/management/properties' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{"disable_username_password": true}'
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.