DreamFactory Authentication and Authorization is designed to accommodate all sophisticated Authentication and Authorization requirements for a modern web and mobile applications. DreamFactory provides extensive Authentication and Authorization features. Single sign-on, user per-application roles, and role-based access are all carefully implemented to provide a secure, robust, and scalable platform for authenticating and controlling user access to all services and resources.
DreamFactory separates administrators from other users. Every DreamFactory instance must have at least one administrator configured at installation. Administrators can log in, use the admin console, perform API calls, do not have roles, and are not required to use API keys for access. Non-administrators are generally the users of the applications running on a DreamFactory instance.
Each application has a unique API key. All non-administrator users are required to use an API key to access the system. Roles are assigned to a user on per-application basis. This enables the flexibility of having a single user with different roles across different applications in the system. Each application can also have a default role assigned. If no role is assigned to a user for an application, then access is controlled by the default application role.
Administrative updates to system resources are instantly reflected across all connections. Most system resources have an active/inactive state. When an administrator deactivates a user, application, role, or service, any further access to that resource is denied. For example, if a user or role is deactivated, any associated session tokens become invalid immediately. If an application is deactivated, any attempted access with that application’s API key is denied. This provides a more secure environment at multiple levels of the API for events like people entering or leaving the company, service abuse, or temporary disablement of system resources.
DreamFactory supports the standard username and password-based authentication, but it can also be provisioned to utilize most common OAuth providers, and even LDAP and Active Directory.
JSON Web Token (JWT)
DreamFactory utilizes the JSON Web Token (JWT) technology at its core for authentication and session management. JWT is a simple JSON based open standard (RFC 7519) for passing claims (session-related data) between client and server in a web environment. These claims are encrypted, digitally-signed, and tokenized using a standard format to make it url safe and usable in a web browser single sign-on context. You can find out more details about JWT and it's implementation here.
Standard Username/Password based Authentication
Like any standard web application, DreamFactory supports simple username/password based authentication. When users successfully sign on to a DreamFactory instance using their username and password or via provisioned OAuth or AD/LDAP services (more on that below), they receive a JWT (token) that contains (encrypted and digitally signed) the identity of the user and the connection. This token is controlled by a configurable renewal and expiration policy and needs to be securely stored on the client. It must be included for all authenticated API usage.
DreamFactory supports authentication using OAuth services. Developers can allow end users to log in with credentials from sites like Facebook, Twitter (yes, OAuth 1.0 is supported!), LinkedIn, Google, and GitHub.
DreamFactory makes it super easy to add OAuth services to your apps without any server-side coding and token handling. The currently supported OAuth service providers are Facebook, Twitter, LinkedIn, Google, GitHub, LinkedIn, Bitbucket, Microsoft Live, Azure Active Directory and we’ll be adding more OAuth providers in the future.
OAuth in a DreamFactory instance works just like other services in DreamFactory. It starts with provisioning an OAuth service using the Services tab in the DreamFactory admin console. While provisioning the service, simply specify your OAuth service details, such as key, secret, redirect url etc., as well as a default role or application specific roles. This role will be used for any users authenticating using your OAuth service.
DreamFactory has built-in support for Active Directory authentication over LDAP. Developers can now provide the ability for their users to sign in using their enterprise/corporate log in credentials. You can easily set up an enterprise app to allow users to sign in using their corporate username and password, eliminating the need for creating and remembering yet another username and password.
AD/LDAP in DreamFactory works just like other services. It starts with provisioning an AD/LDAP service using the Services tab in the DreamFactory admin console. While provisioning the service, simply specify your Active Directory server details such as hostname, base dn etc. as well as a default role or application specific roles. This role will be used for any users authenticating using your AD/LDAP service.
DreamFactory has built-in support for SAML 2.0 Single Sign On. Developers can now provide the ability for their users to sign in using their external SAML 2.0 identity providers (IdP). You can easily set up an app to allow users to sign in using their pre-existing username and password from a SAML 2.0 IdP, eliminating the need for creating and remembering yet another username and password.
SAML 2.0 service in DreamFactory works just like other services. It starts with provisioning an SAML 2.0 service using the Services tab in the DreamFactory admin console. While provisioning the service, simply specify your SAML 2.0 configuration details such as IdP EntityId, IdP SSO service URL, IdP x509cert etc. as well as a default role or application specific roles. This role will be used for any users authenticating using your SAML 2.0 service.
Application API Key
Applications in a DreamFactory instance can represent actual application code hosted on the instance, code hosted elsewhere on another server, or a designation for a native mobile app. Each application gets an API key generated at creation. The API key must be used for all access to the API. The API key can be regenerated by administrative request, however care must be taken that all uses of the old key are updated (i.e. this is more difficult for a key embedded in a native mobile application).
Applications can be given “guest” access by assigning a default role to an application, detailing what resources should be accessible without user authentication. This is useful, if your application has an open “website” or kiosk mode.
Role-Based Access Control
DreamFactory offers granular role-based access control to all services and resources in the system. SQL databases have various tables, NoSQL databases have collections of documents, and File Storage Systems have different folders. In a DreamFactory instance, administrators can define roles with role-based access controls to govern which of these components are visible to a given user, along with HTTP verbs such as GET, POST, PUT, PATCH or DELETE that govern access. Various combinations of these verbs and service resources can be used to grant or deny access.
Role-based access controls allow information to be hidden from certain roles and their assigned users or applications. For example, individual sales people might not have access to salary information, while this data might be available to managers. This capability prevents accidental data loss or disclosure of sensitive information.
Record-Level Access Control
Roles can be customized further with server-side filters to implement record-level access control. Each filter takes the form of a "field operator value" equation that must be true to enable access. The record-level access controls can impose constraints on external data sources. For example, you can limit data visibility only to records that the user created. This feature provides fine-grained security control of data sources.
DreamFactory also offers lookup keys to inherit more complex permissions from a SQL database. You can configure server-side lookup keys to connect a user or role to the corresponding user or role on a remote database. This allows DreamFactory to mimic existing database access control, or change them as needed for mobile deployments.