DOCUMENTATION
  • Welcome
  • Releases
    • 2025
      • Release v6.19.2 (2025-04-11)
      • Release v6.19.1 (2025-03-31)
      • Release v6.19.0 (2025-03-27)
      • Release v6.18.2 (2025-03-11)
      • Release v6.18.1 (2025-03-07)
      • Release v6.18.0 (2025-02-26)
      • Release v6.17.3 (2025-02-14)
      • Release v6.17.2 (2025-02-07)
      • Release v6.17.1 (2025-02-06)
      • Release v6.17.0 (2025-01-30)
    • 2024
      • Release v6.16.0 (2024-12-12)
      • Release v6.15.0 (2024-11-27)
      • Release v6.14.2 (2024-11-05)
      • Release v6.14.1 (2024-11-01)
      • Release v6.14.0 (2024-10-31)
      • Release v6.13.3 (2024-10-16)
      • Release v6.13.2 (2024-10-10)
      • Release v6.13.1 (2024-10-02)
      • Release v6.13.0 (2024-09-25)
      • Release v6.12.2 (2024-09-18)
      • Release v6.12.1 (2024-08-01)
      • Release v6.12.0 (2024-07-25)
      • Release v6.11.5 (2024-07-09)
      • Release v6.11.4 (2024-07-05)
      • Release v6.11.3 (2024-07-03)
      • Release v6.11.2 (2024-06-21)
      • Release v6.11.1 (2024-06-14)
      • Release v6.11.0 (2024-06-05)
      • Release v6.10.2 (2024-05-15)
      • Release v6.10.1 (2024-05-08)
      • Release v6.10.0 (2024-04-30)
      • Release v6.9.3 (2024-03-19)
      • Release v6.9.2 (2024-03-15)
      • Release v6.9.1 (2024-03-06)
      • Release v6.9.0 (2024-02-28)
      • Release v6.8.5 (2024-02-02)
      • Release v6.8.4 (2024-02-01)
      • Release v6.8.3 (2024-01-12)
      • Release v6.8.2 (2024-01-05)
    • 2023
      • Release v6.8.1 (2023-12-22)
      • Release v6.8.0 (2023-12-14)
      • Release v6.7.4 (2023-11-15)
      • Release v6.7.3 (2023-11-14)
      • Release v6.7.2 (2023-11-03)
      • Release v6.7.1 (2023-10-17)
      • Release v6.7.0 (2023-10-13)
      • Release v6.6.4 (2023-09-29)
      • Release v6.6.3 (2023-09-28)
      • Release 6.6.2 (2023-09-14)
      • Release v6.6.1 (2023-08-10)
      • Release v6.6.0 (2023-08-03)
      • Release v6.5.1 (2023-06-23)
      • Release v6.5.0 (2023-06-22)
      • Release v6.4.0 (2023-05-31)
      • Release v6.3.1 (2023-04-28)
      • Release v6.3.0 (2023-04-05)
      • Release v6.2.5 (2023-03-16)
      • Release v6.2.4 (2023-02-01)
      • Release v6.2.3 (2023-01-12)
      • Release v6.2.2 (2023-01-12)
      • Release v6.2.1 (2023-01-05)
    • 2022
      • fylr first Production Ready Release 🎉 (2022-12-22)
  • License
  • Plugins
    • Plugin Overview
  • Help
    • FAQs
    • Tutorials
      • For Users
      • For Administrators
        • Exporting & Importing Hierarchical Lists
        • Regenerating preview images
        • Search Text in images or office files
      • For System Administrators
        • How to setup and use IIIF
        • External access: Sharing collections with anonymous users
    • Glossary
  • FOR USERS
    • Getting Started
    • Asset / Records Management
      • Creating Records
      • Editing Records
        • Input Fields
        • Group Editor
      • Deleting Records
    • Quick Access
      • Collections (& Presentations)
      • Saved Searches (& Lists)
    • Lists
  • FOR ADMINISTRATORS
    • Permissions
      • User
      • Groups
      • Object Types
      • Pools
      • Tags & Workflows
      • Presets
    • Tools
      • CSV Importer
        • General Information
        • Options
        • Examples
          • All Data Types
          • Lists
          • Hierarchies
          • Files
      • JSON Importer
        • Step-by-Step Tutorial
          • Write Import Manifest
          • Create Basetype Payloads
          • Create Object Payloads
          • Collection Payloads
          • Optional: Update links between Objects
          • Start Import
      • Permissions Download & Upload
    • Base Configuration
      • General
      • Access
      • User Management
      • Languages
      • Email
      • Export & Deep Links
      • Workflow Webhooks
      • Publications
      • File Worker
        • Preview Configuration
        • Location Defaults
        • Custom .icc Color Profiles
      • Objectstore
      • Services
      • License Management
      • Development
      • Plugins
    • Plugin Manager
    • Location Manager
    • Messages
    • Events
    • Backup Manager
    • Additional Features
      • IIIF
      • Connector
      • Wordpress
      • Zooniverse
      • Protocols
        • OAI/PMH
  • FOR SYSTEM ADMINISTRATORS
    • Installation
      • Linux
        • multiple fylrs in one Linux
        • proxy and fylr
      • Windows
      • Kubernetes
    • Configuration
      • fylr.example.yml
      • fylr.default.yml
      • performance tuning
      • pre-load frontend config
      • Load Custom Plugins
      • HTTP and HTTPS
      • DNS Domains
    • Backups & Restore
    • Migration Tool
      • Create payloads (fylr backup)
      • Insert payloads (fylr restore)
      • Best Practice
      • Using the fylr inspect page
    • Integration
      • Authentication
      • Hotfolder
    • Symptom & Solution
      • Log messages that can be ignored
      • too many clients are connected
      • too many nested clauses
      • context canceled
      • ContainerConfig error
      • Purge objects
    • PostgreSQL versions
  • Tutorials
    • Project Workflow
    • Hotfolder & File System Connect
      • Preparations Before Usage
      • Setting Up An Upload Collection
      • Importing Files
    • PDF Creator
    • Extracting File Metadata Later On
    • Overlay Resource
    • Authentication
      • LDAP
      • SAML
    • Data Model Sync
    • Purge a fylr instance
    • typo3 plugin
    • Use fylr in Google docs via CI HUB
  • FOR DEVELOPERS
    • API
      • OAuth2
      • Endpoints
        • /api/collection
        • /api/config
        • /api/db_info
        • /api/db
        • /api/eas
        • /api/event
        • /api/export
        • /api/group
        • /api/l10n
        • /api/mask
        • /api/message
        • /api/oaipmh
        • /api/objects
        • /api/objecttype
        • /api/plugin
        • /api/pool
        • /api/publish
        • /api/right
        • /api/schema
        • /api/search
        • /api/settings
        • /api/suggest
        • /api/system
        • /api/tags
        • /api/transitions
        • /api/user
        • /api/webdav
        • /api/xmlmapping
    • System Data Types
      • pool
      • file
      • user
      • group
      • pool
      • collection
      • message
      • publish
      • event
    • User Data Types
      • text, text_oneline
      • string
      • text_l10n, text_l10n_oneline
      • boolean
      • number
      • integer.2
      • double
      • date, datetime
      • daterange
      • geojson
    • Custom Data
    • Emails
    • Export
    • Exec server
    • File versions
    • WebDAV
    • Plugin
    • Collection Pin Code
    • easydb 5
    • Localization
    • Access private Repositories
Powered by GitBook
On this page
  • Using the Access Token
  • Header based authentication
  • URL based authentication
  • Configuring Client ID and Secret
  • OAuth2 Flows
  • Authorization Code Grant
  • Authorization Code Grant with PKCE Code Challenge
  • Password Grant
  • Implicit Grant
  • Client Credential Grant
  1. FOR DEVELOPERS
  2. API

OAuth2

fylr uses OAuth2 for authentication.

PreviousAPINextEndpoints

Last updated 1 year ago

User authentication in a fylr instance is only possible by receiving an Access Token using one of the implemented OAuth2 flows.

Using the Access Token

After a successful login of a user, the process will return a response that contains an access_token. This must be used to authenticate all following requests to the fylr API.

Header based authentication

Include the following HTTP header in the request:

"authorization: Bearer <access_token>"

URL based authentication

Include the following parameter in the request URL:

?access_token=<access_token>

Configuring Client ID and Secret

The following descriptions of the different OAuth2 flows use my-client and my-secret as placeholders for configured Client IDs and Client Secrets. Replace these with the required OAuth2 client information of the fylr instance.

These need to be configured in the fylr instance.

Configure the pair(s) of Client ID and Secret in the fylr.yml:

fylr:
  services:
    api:
      oauth2Server:
        clients:
          my-client:
            secret: 'my-secret'
            redirectURIs:
              - http://my-callback-server/oauth2/callback

The default clients in fylr are public and thus do neither need nor have a secret.

OAuth2 Flows

Authorization Code Grant

This flow requires a Client ID and Secret, as well as a fylr login and password for each user. This flow offers a high level of security.

Step 1: client calls fylr

Call the OAuth2 Authentication API of fylr

GET fylr-instance/api/oauth2/auth

Query Parameters

Name
Type
Description

auth_method*

string

fixed value: "auto"

access_type*

string

fixed value: "offline"

scope*

string

fixed value: "offline"

response_type*

string

fixed value: "code"

state*

string

Client State String (min. 8 characters), for example: "Authorization_Code_Grant_Login"

client_id*

string

Client ID of the fylr Instance: "my-client"

This redirects to the fylr login page. The user enters login and password directly into fylr.

Problems with the parameters, for example an invalid Client ID

Step 2: callback from fylr to the local HTTP server

This flow requires to implement a local HTTP server that can handle the callback from fylr. The URL for the callback must also be included in the fylr.yml (redirectURIs) and must be tied to your Client configuration.

fylr calls

my-callback-server/oauth2/callback

This callback must handle a GET request. fylr includes these URL parameters:

Call the OAuth2 Authentication API of fylr

GET my-callback-server/oauth2/callback

Query Parameters

Name
Type
Description

state*

string

Client State, this is to identify the callback. Same as above

code*

string

Authorization Code. This needs to be stored and used in the following requests

Step 3: client validates Authorization Code

Call the OAuth2 Token API of fylr

POST fylr-instance/api/oauth2/token

Query Parameters

Name
Type
Description

grant_type*

string

fixed value: "authorization_code"

state*

string

Client State, same as above

client_id*

string

Client ID of the fylr Instance: "my-client"

client_secret*

string

Client Secret of the fylr Instance: "my-secret"

code*

string

Authorization Code from fylr callback

If the Client ID, Secret and the Authorization Code are correct, fylr will return a JSON object in the response with the following values:

Key
Description

access_token

Access Token

refresh_token

Refresh Token

token_type

"bearer"

scope

"offline", same as above

expires_in

Time until the Access Token expires, in seconds

Authorization Code Grant with PKCE Code Challenge

The Code Verifier is a random string consisting of the characters A-Z, a-z, 0-9, -, ., _, ~ with a length between 43 and 128 characters.

The Code Challenge is the SHA256 hash of the Code Verifier encoded in Base64-URL format.

For Step 1, these parameters are added to the URL:

Parameter
Value
Description

code_challenge

Generated Code Challenge

code_challenge_method

"S256"

fixed value

For Step 3, this parameter is added to the URL:

Parameter
Value
Description

code_verifier

Generated Code Verifier

In this step, fylr (the authorization server) checks if the Code Verifer matches the Code Challenge from Step 1.

Password Grant

This flow can be used to directly log into fylr with the user login and password

Step 1: log into fylr with user login and password

Call the OAuth2 Token API of fylr

POST fylr-instance/api/oauth2/token

Query Parameters

Name
Type
Description

grant_type*

string

fixed value: "password"

scope*

string

fixed value: "offline"

client_id*

string

Client ID of the fylr Instance: "my-client"

client_secret*

string

Client Secret of the fylr Instance: "my-secret"

username*

string

fylr Login of the user

password*

string

fylr Password of the user

Problems with the parameters, for example an invalid Client ID

If the Client ID, Secret and user login and password are correct, fylr will return a JSON object in the response with the following values:

Key
Description

access_token

Access Token

refresh_token

Refresh Token

token_type

"bearer"

scope

"offline", same as above

expires_in

Time until the Access Token expires, in seconds

Implicit Grant

This flow works without a Client Secret. It is not possible to refresh or revoke the Access Token.

Using this flow is not recommended!

Step 1: request a token from fylr

Call the OAuth2 Authentication API of fylr

GET fylr-instance/api/oauth2/auth

Query Parameters

Name
Type
Description

response_type*

string

fixed value: "token"

auth_method*

string

fixed value: "auto"

scope*

string

fixed value: "offline"

access_type*

string

fixed value: "offline"

state*

string

Client State String (min. 8 characters), for example: "Implicit_Grant_Login"

client_id*

string

Client ID of the fylr Instance: "my-client"

Problems with the parameters, for example an invalid Client ID

Step 2: callback from fylr to the local callback

This flow requires to implement a local HTTP server that can handle the callback from fylr. The URL for the callback must also be included in the fylr.yml (redirectURIs) and must be tied to your Client configuration.

fylr calls

my-callback-server/oauth2/callback

This callback must handle a GET request. fylr includes these URL parameters:

Call the OAuth2 Authentication API of fylr

GET my-callback-server/oauth2/callback

Query Parameters

Name
Type
Description

loc_hash*

string

quoted URL parameters

The loc_hash parameter is itself a list of URL parameters that need to be unquoted and split into key value pairs:

Key
Description

access_token

Access Token

token_type

"bearer"

scope

"offline", same as above

state

"Implicit_Grant_Login", same as above

expires_in

Time until the Access Token expires, in seconds

Client Credential Grant

This flow works without a fylr user login and password. The Access Token can not be used to identify a specific user. All fylr api endpoints which require a authenticated user can not be used.

Using this flow is not recommended!

Step 1: request a token from fylr

Call the OAuth2 Token API of fylr

GET fylr-instance/api/oauth2/token

Query Parameters

Name
Type
Description

grant_type*

string

fixed value: "client_credentials"

state*

string

Client State String (min. 8 characters), for example: "Implicit_Grant_Login"

client_id*

string

Client ID of the fylr Instance: "my-client"

client_secret*

string

Client Secret of the fylr Instance: "my-secret"

Problems with the parameters, for example an invalid Client ID

If the Client ID and Secret are correct, fylr will return a JSON object in the response with the following values:

Key
Description

access_token

Access Token

token_type

"bearer"

scope

"offline", same as above

expires_in

Time until the Access Token expires, in seconds

Alternatively, add the Client ID and Secret pair(s) in the .

All of the following flows are implemented in fylr. They offer different levels of security. Each flow requires a different amount of complexity to implement it in your client application. Depending on your needs choose your preferred implementation. We recommend using the or the flow.

External documentation:

External documentation:

This is an extension of the flow. To enhance the security a Proof Key for Code Exchange (PKCE) is included in the requests. All other parameters and keys are the same as in the flow.

The client needs to generate a Code Verifier and a Code Challenge according to the standard.

External documentation:

External documentation:

External documentation:

config file
Base Configuration
https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/
https://www.oauth.com/oauth2-servers/oauth-native-apps/pkce/
RFC7636
https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
https://www.oauth.com/oauth2-servers/single-page-apps/implicit-flow/
https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
Authorization Code Grant
Password Grant
Authorization Code Grant
Authorization Code Grant