
Username/password

When creating an account, a username and password combination can be associated with it (whether or not an API key was generated for the account). To do so, specify the "username" and "password" properties in the API request, for example:

curl -k --location --request POST 'https://<hostname>/v2/management/accounts' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3' \
  --data-raw '{
    "username": "some-username",
    "password": "some-password",
    "generate_api_key": false,
    "is_admin": true
}'

Setting "is_admin": true creates the account with admin privileges. Omit this property to create an account without admin privileges.

The username and password combination can then be used to log in via the UI, or to fetch a temporary access token valid for 24 hours. To do so, call the 'login' API endpoint:

curl -k --location --request POST 'https://<hostname>/v2/login' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json'  \
  --data-raw '{
    "username": "some-username",
    "password": "some-password"
}'

A response should be received similar to the lines below:

{
    "access_token":"eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps",
    "token_type":"Bearer",
    "expires_in":86400
}

The access token is sent in the HTTP Authorization request header using the Bearer scheme.

This access token should not be confused with an API key. Access tokens are short-lived and expire 24 hours after they are issued (the expires_in value of 86400 seconds), whereas an API key remains valid until it is revoked.

A cURL example using the access token retrieved above would appear as:

curl -k --location --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps' \
  'https://<hostname>/v2/<api-path>'
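A scripted client has to treat the 24-hour token differently from an API key: it must know when the token runs out and log in again before then. The following is an added example (not part of the DCT documentation or product) that reads the exp and iat claims from the sample token above and decides when to renew; the SessionToken class, the skew value and the refresh policy are assumptions made for this illustration.

```python
import base64
import json
import time

# Login response constructed from the page's example; the token is the page's
# sample JWT, not a live credential.
LOGIN_RESPONSE = {
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps",
    "token_type": "Bearer",
    "expires_in": 86400,
}


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    The client never holds the HS256 key, so verification is the server's job;
    the claims are used here only to schedule a refresh before 'exp'.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class SessionToken:
    """Hypothetical holder for a DCT access token that knows when to renew."""

    def __init__(self, login_response: dict, skew: int = 60):
        self.token = login_response["access_token"]
        self.token_type = login_response["token_type"]
        self.exp = jwt_claims(self.token)["exp"]
        self.skew = skew  # renew this many seconds before expiry (assumed)

    def auth_header(self) -> dict:
        # Access tokens use the Bearer scheme, not the 'apk ...' API-key scheme.
        return {"Authorization": f"{self.token_type} {self.token}"}

    def needs_refresh(self, now=None) -> bool:
        now = time.time() if now is None else now
        return now >= self.exp - self.skew


if __name__ == "__main__":
    claims = jwt_claims(LOGIN_RESPONSE["access_token"])
    print(claims)
    # exp - iat equals the advertised expires_in of 86400 seconds
    print(claims["exp"] - claims["iat"])
```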

The password for an account can be updated with the change_password API endpoint, passing in both the old and new passwords, such as in this example:

curl -k --location --request POST 'https://<hostname>/v2/management/accounts/3/change_password' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps' \
  --data-raw '{
    "old_password": "some-password",
    "new_password": "new-password"
}'

Following security best practices, the password itself is not stored on DCT and cannot be retrieved. If a password has been lost, an account with admin privileges can reset the password of that account. The account owner should then replace the admin-chosen password on first login, or with the change_password API described above:

curl -k --location --request POST 'https://<hostname>/v2/management/accounts/2/password_reset' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGlndy1zZXJ2aWNlcy1hcHAiLCJzdWIiOiI4IiwiZXhwIjoxNjYyNTUyMzI3LCJpYXQiOjE2NjI0NjU5MjcsInVzZXJuYW1lIjoic29tZS11c2VybmFtZSJ9.Cx_hGU9noyWS6mtK6gjsA85FTgJRQgyJizR5t_akNps' \
  --data-raw '{
    "new_password": "new-password"
}'

In the above example, the admin is resetting the password of an account with id 2 to “new-password”.

Password policies

The password policy feature allows users to enable and customize the password policy enforced for local username/password authentication. It does not apply to LDAP/Active Directory or SAML/SSO based authentication, where the external identity provider enforces its own policy.

Understanding password policies

The password policy is a set of requirements that local passwords must satisfy:

  • min_length: A password must be longer than this number of characters.

  • reuse_disallow_limit: The number of most recently used passwords that cannot be reused as the new password.

  • uppercase_letter: A password must contain at least one uppercase letter.

  • lowercase_letter: A password must contain at least one lowercase letter.

  • digit: A password must contain at least one digit.

  • special_character: A password must contain at least one special character, such as #, $ or !.

  • disallow_username_as_password: A password must not be the same as the username.

  • maximum_password_attempts: The number of incorrect password attempts allowed before the account is locked.

Default password policy

By default, DCT does not enforce any password policy.

Changing the password policy

To change the current password policy, call the password policy API endpoint, as shown in the example below:

curl --location --request PATCH 'https://<hostname>/v2/management/accounts/password-policies' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{
	"enabled": true,
	"maximum_password_attempts": 2,
	"min_length": 5,
	"reuse_disallow_limit": 3,
	"digit": true,
	"uppercase_letter": true,
	"lowercase_letter": true,
	"special_character": true,
	"disallow_username_as_password": true
}'

Changing the password policy does not affect existing passwords.
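To make the rules above concrete, here is an added example (not DCT code) that checks a candidate password against the policy body from the PATCH request above, reporting every rule it breaks; the function name, the regular expressions used for each character class and the previous_passwords input standing in for the server-side history are assumptions for this illustration.

```python
import re

# Policy as sent in the page's PATCH example (constructed copy for offline use).
POLICY = {
    "enabled": True,
    "maximum_password_attempts": 2,
    "min_length": 5,
    "reuse_disallow_limit": 3,
    "digit": True,
    "uppercase_letter": True,
    "lowercase_letter": True,
    "special_character": True,
    "disallow_username_as_password": True,
}

# Character-class rules keyed by the page's property names (regexes are assumed).
RULES = {
    "uppercase_letter": (r"[A-Z]", "at least one uppercase letter"),
    "lowercase_letter": (r"[a-z]", "at least one lowercase letter"),
    "digit": (r"[0-9]", "at least one digit"),
    "special_character": (r"[^A-Za-z0-9]", "at least one special character"),
}


def policy_violations(policy, username, new_password, previous_passwords=()):
    """Return the rules a candidate password breaks (empty list = acceptable).

    previous_passwords: the user's recent passwords, newest first (hypothetical
    stand-in for the history DCT keeps to enforce reuse_disallow_limit).
    """
    if not policy.get("enabled"):
        return []  # a disabled policy accepts anything
    problems = []
    # The page describes min_length as "longer than", hence <= here.
    if len(new_password) <= policy.get("min_length", 0):
        problems.append(f"longer than {policy['min_length']} characters")
    for key, (pattern, text) in RULES.items():
        if policy.get(key) and not re.search(pattern, new_password):
            problems.append(text)
    if policy.get("disallow_username_as_password") and new_password == username:
        problems.append("must not equal the username")
    limit = policy.get("reuse_disallow_limit", 0)
    if limit and new_password in list(previous_passwords)[:limit]:
        problems.append(f"must differ from the last {limit} passwords")
    return problems
```

Because changing the policy does not affect existing passwords, a check like this only matters at the next change_password or password_reset call.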

Disabling local username/password authentication

Username/password authentication (with passwords stored locally in DCT) can be disabled for individual accounts by not setting, or by unsetting, their password property, or across the whole DCT instance using the global properties API. Disabling it forces authentication through an alternate method (LDAP/Active Directory, SAML/SSO, etc.), as shown in this example:

curl --location --request PATCH 'https://<hostname>/v2/management/properties' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>' \
--data-raw '{"disable_username_password": true}'