Admin Interface: Authentication
Authentication in modern web applications isn't always straightforward. When you log in, you do so as a user, and the groups that user belongs to decide what you are authorized to access. But what actually authenticates each request is the token it carries, so managing authentication in practice means managing tokens.
There are several kinds, but two matter most: Knox tokens and OAuth tokens.
Knox
The Auth Tokens page lists every active Knox token issued by the server. These are created automatically by the server when a user logs in. On this page, you can:
- View the user, creation time, and expiry for each token.
- Revoke tokens to force re-authentication of every client and API consumer that was using them.
Tokens cannot be added or edited from the admin UI.
To revoke a token:
- Select the tokens to revoke (usually all tokens for a user).
- In Action, choose "Delete selected auth tokens", and click Go.
- The affected user(s) must log in again. Existing client sessions will stop working immediately.
OAuth
The "Django OAuth Toolkit" section is for applications that want to use the Enterprise server itself as their identity provider. If you are instead trying to set up SSO so that users log in to the Enterprise server through an external provider, you'll want to see the Config page.
An example of this is the bundled WARP service, if you've deployed it. When the Enterprise server starts up for the first time, it will configure the WARP service as an OAuth "application". When users sign into WARP from the Enterprise server, "access tokens" will be created for them in the Enterprise server to facilitate linking the accounts together.
In general, you shouldn't need to touch any of this. But, in case you do, there are currently 5 pages to view and modify this data:
- The Applications page lets you view, modify, add, and remove applications that may use the Enterprise server as an authentication provider.
- The Access Tokens page lets you view, modify, add, and remove access tokens generated for users on a per-application basis.
- The Refresh Tokens page lists refresh tokens that allow long-lived sessions, which may be revoked to force an application to re-authenticate.
- The ID Tokens page shows OpenID Connect ID tokens issued to applications that requested the "openid" scope.
- The Grants page lists active authorization codes that haven't been exchanged yet (usually, you won't need to change these).
To add your own application:
- Go to Applications -> Add application.
- Set a Name and choose the Client type ("Confidential" for server-side apps that can keep a secret; "Public" for single-page or native apps, which cannot, so they never receive one).
- Set Authorization grant type (use "Authorization code" with PKCE for most integrations; PKCE is what protects a public client, since it has no secret to present at the token endpoint).
- Enter one or more Redirect URIs (one per line). Register only the exact HTTPS URIs the application will use: an overly broad or stray redirect target lets an attacker receive authorization codes meant for the application.
- Save. A client ID and (for confidential clients) a client secret will be generated for you. Treat the secret like a password and never embed it in client-side code.
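To make the registration choices above concrete, here is the client side of the "Authorization code" with PKCE flow that a registered application runs against the server, plus the check the server performs at exchange time. This is an added example, not code from the Enterprise server or Django OAuth Toolkit; the server URL, the authorize path, the client ID, the redirect URI and the callback URL are placeholder assumptions standing in for the values shown on the Applications page.

```python
# Added example, not part of the Enterprise server or Django OAuth Toolkit.
# Client side of the "Authorization code" + PKCE flow for an application
# registered on the Applications page, plus the server's verifier check.
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: in practice these come from your deployment and
# from the Applications page of the admin interface.
SERVER = "https://enterprise.example.com"
AUTHORIZE_PATH = "/o/authorize/"          # assumed; check your server's docs
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge derived from a code_verifier (RFC 7636, 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes -> 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def authorize_url(verifier: str, state: str, scopes=("openid",)) -> str:
    """Authorization request the user's browser is sent to.

    Only the challenge leaves the client here; the verifier stays local
    until the token exchange. 'state' binds the callback to this request.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{SERVER}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect back to the client.

    Rejects a callback that did not land on the registered redirect URI,
    a mismatched state (CSRF on the callback), or an error response.
    """
    parsed = urlparse(redirect_url)
    landed = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed != REDIRECT_URI:
        raise ValueError("redirect did not land on the registered URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(code: str, verifier: str,
                  client_secret: Optional[str] = None) -> dict:
    """Form body for the token endpoint.

    A Public client has no secret and is protected solely by the verifier;
    a Confidential client sends its secret as well.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the server checks at exchange time.

    A code captured from the redirect (for example via a loose redirect
    URI) is useless to an attacker who cannot produce the verifier behind
    the stored challenge.
    """
    return secrets.compare_digest(pkce_challenge(presented_verifier),
                                  stored_challenge)
```

The placeholder `AUTHORIZE_PATH` is the path Django OAuth Toolkit documents as its default; confirm the path your server exposes. The `server_verifies` function is included to show why a leaked authorization code alone does not yield a token when PKCE is in use, which is the reason to prefer this grant type over the others offered on the Applications page.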