Authentication

Authentication can be done in two ways:

  • Via a long-lived API key and the "Authorization: token" HTTP header.
  • Via a JSON web token (JWT) and the "Authorization: Bearer" HTTP header.

API Key Authentication

If you've received an API key from us, it should be provided in requests to FusionFeed via HTTP header:

Authorization: token MY_API_KEY_TOKEN

JWT Authentication

JWTs are not generated by FusionFeed. In OAuth terms, FusionFeed is a resource server, and an external identity provider is required to generate JWTs for use by FusionFeed.

Once a JWT is obtained, it should be provided in requests to FusionFeed via HTTP header:

Authorization: Bearer MY_JWT_TOKEN

Identity Providers

Okta

If you have an authorized Okta client or user, you can authenticate using it.

To authenticate using Okta, you need a client id and a registered redirect URI.

Authentication follows standard OAuth2 protocols. For example, you can initiate the process by sending the user to a URL like the following:

https://tempus-ex.okta.com/oauth2/v1/authorize?client_id=MY_CLIENT_ID&redirect_uri=MY_REDIRECT_URI&response_mode=fragment&response_type=code&scope=openid%20profile%20email&state=MY_STATE&nonce=MY_NONCE&code_challenge=OJe_9d1N_63e65FgxSC193eR19QC5i2gJ1b2BMnLk-0&code_challenge_method=S256

The user will be prompted to sign in, and will then be sent to the redirect URI, which will have a code added to it. That code can be used to obtain an id token which can be used with FusionFeed:

curl -X POST 'https://tempus-ex.okta.com/oauth2/v1/token' \
  -H 'Content-type: application/x-www-form-urlencoded' \
  --data-urlencode 'code_verifier=this_is_the_randomly_generated_pkce_verifier' \
  --data-urlencode 'client_id=MY_CLIENT_ID' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'redirect_uri=MY_REDIRECT_URI' \
  --data-urlencode 'code=MY_CODE'

Okta provides SDKs that can be used to simplify this process for common platforms and frameworks.
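
The code_challenge in the authorize URL and the code_verifier in the token request are a PKCE pair (RFC 7636, S256 method), and state ties the redirect back to the login that started it. The Python below is an added example, not FusionFeed or Okta code: it generates the per-login values, builds the authorize URL with the parameters shown above, and checks state when reading the code from the redirect fragment. The function names are assumptions made for illustration.

```python
# Added example: function names are illustrative; endpoint and parameters are the page's.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://tempus-ex.okta.com/oauth2/v1/authorize"

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def begin_login(client_id: str, redirect_uri: str) -> dict:
    """Create fresh per-login values; store the returned dict in the user's session."""
    verifier = b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters
    state, nonce = (b64url(secrets.token_bytes(16)) for _ in range(2))
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "response_type": "code",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }, quote_via=quote)
    return {"url": f"{AUTHORIZE_URL}?{query}", "code_verifier": verifier,
            "state": state, "nonce": nonce}

def code_from_redirect(redirected_url: str, expected_state: str) -> str:
    """Read the code from the URL fragment, rejecting a response with the wrong state."""
    params = parse_qs(urlsplit(redirected_url).fragment)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    return params["code"][0]
```

The stored code_verifier is what goes into the token request, and the stored nonce should match the nonce claim of the id token that comes back.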

Amazon Cognito

Amazon Cognito can also be used as an identity provider.

To authenticate via Cognito, you need the following:

  • A client id
  • A username
  • A password

Using the AWS CLI, you can authenticate with a command like this (after replacing MY_CLIENT_ID, MY_USERNAME, and MY_PASSWORD):

aws \
  --region us-east-1 \
  cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --client-id MY_CLIENT_ID \
  --auth-parameters 'USERNAME=MY_USERNAME,PASSWORD=MY_PASSWORD'

If this is your first time authenticating, you'll be challenged to change your password. The command to do so looks like this:

aws \
  --region us-east-1 \
  cognito-idp respond-to-auth-challenge \
  --client-id MY_CLIENT_ID \
  --challenge-name NEW_PASSWORD_REQUIRED \
  --session MY_SESSION \
  --challenge-responses 'USERNAME=MY_USERNAME,NEW_PASSWORD=MY_NEW_PASSWORD'

After a successful authentication, you'll be given a JSON response that contains an id token. That id token is the JWT that should be used in requests to FusionFeed.

Custom Identity Providers

The power of using JWTs really comes into play when you want your existing userbase to be able to make requests directly to FusionFeed. You can use your own servers to generate tokens for your users, with fine-grained access control policies embedded in the tokens themselves. If you're interested in this, please contact support.

