Unlike the versions before 2022, when basic authentication was (kind of) enabled by default, now the situation is quite different.
- Basic authentication now "lives" in the context of a trusted application.
- Basic authentication must be explicitly enabled per trusted application.
- Authentication via the /Login (and /Logout) endpoints (a.k.a. ErpSession) is now treated as basic authentication.
- Domain API access via ErpSession must correspond to a specific trusted application.
- Trusted applications with system user set as the built-in <SYSTEM> account don't allow basic authentication.
Does this change affect me?
Yes, it does if:
- You are using basic authentication, not bound to a specific trusted application.
- Your trusted application is not configured to meet the requirements:
  - Allows basic authentication.
  - Has a specific system user set.
What to do if this change affects me?
Depending on the particular case, it may be necessary:
- To create a trusted application, corresponding to your external one.
- To configure an existing trusted application (e.g. to allow basic authentication).
- If using ErpSession, to specify the exact trusted application URI in the body of your /Login POST request. E.g.,
  {
    "user": "developer",
    "pass": "a-very-strong-password",
    "app": "my-external-app"
  }
---
More information is available in our official documentation:
https://docs.erp.net/dev/topics/authentication/authentication-flows.html#basic-authentication