DreamFactory provides very extensive Authentication and Authorization features. Single sign-on, user per-application roles, Role-Service access are all carefully implemented to provide a secure, robust, and scalable platform for authenticating and controlling user access to all services and resources.
DreamFactory separates administrators from other users. Every DreamFactory instance must have at least one administrator configured at installation. Administrators can login, use the admin console, perform API calls, do not have roles, and are not required to use API keys for access. Non-administrators are generally the users of the applications running on a DreamFactory instance. Each application has an unique API key. All non-administrator users are required to use an API key to access the system. Roles are assigned to a user on per-application basis. This enables the flexibility of having a single user with different roles across different applications in the system. Each application can also have a default role assigned. If no role is assigned to a user for an application then access is controlled by the default application role.
DreamFactory supports the standard username and password based authentication, but it can also be provisioned to utilize most common OAuth providers and even LDAP and Active Directory.
- JSON Web Token (JWT)
DreamFactory utilizes the JSON Web Token (JWT) technology at it's core for authentication and session management. JWT is a simple JSON based open standard (RFC 7519) for passing claims (session related data) between client and server in a web environment. These claims are encrypted and tokenized using a standard format to make it url safe and usable in a web browser single sign-on context. You can find out more details about JWT and it's implementation at the following link.
- Standard Username/Password based Authentication
- API Key
- Role Service Access
- Advanced Filters