Authenticating to Midaz
This guide explains how to authenticate to the Midaz platform using Postman, leveraging OAuth 2.0 integration with the Casdoor authentication module. The steps cover using various OAuth flows, generating access tokens, and validating them.
Getting Started with Postman
Use our Postman collection to test the main authentication models integrated with Midaz. This collection supports various OAuth 2.0 flows such as:
Authorization Code
Client Credentials
Implicit Grant
Refresh Token
The collection also provides endpoints for token verification, ensuring the validity of the issued tokens. This is essential for maintaining session security and user experience continuity.
Authentication Methods
Authentication can be performed using any of the OAuth grant types available in the Postman collection. For demonstration, we will use the Authorization Code Grant method.
Standard Users
To streamline the testing process, default users are pre-configured in Casdoor with different roles and permissions. Below is a list of these roles and their associated permissions:
| Role | Permissions | Users |
|---|---|---|
| Admin | Full access to all HTTP and gRPC endpoints | user_john, user_kate, user_lisa |
| Developer | Permission to perform GET, POST, UPDATE, and PATCH operations on HTTP endpoints | user_bob, user_kate, user_john |
| GRPC | Permission to call all mapped gRPC methods | user_bob, user_john |
| User | Read-only access (GET) to HTTP endpoints | user_mike |
Default password
The default password for all users is Lerian@123.
You can also create new users via the Casdoor Signup page or by using the available endpoints in Swagger.
Casdoor Documentation
For more information about managing users in Casdoor, refer to the official Casdoor documentation.
Generating an Access Token
To generate an access token, the authentication module must be running. To ensure the module is up, follow the steps on the Getting started page.
Once the module is running, perform the following steps:
From the main Midaz page in Postman, go to the "Authorization" tab.
Scroll all the way down and click the "Get New Access Token" button.
A window will open for you to log in using one of the usernames from the user list and the default password.
Once the token is created, a success message will be displayed.
Click on the "Proceed" button to continue or wait for the message to close.
The "Manage Access Tokens" window will open.
From there, click the Use Token button.
The generated token will be stored in the token section, and you can select it for future use. The token expiration date will also be displayed.
Send a Postman request to execute the Pre-Script. This will save the token to the `access_token` environment variable, which will be used in the endpoint call. The response may display an error; that is expected, since the purpose of this request is only to save the token.
Once saved, the token will be available to use in subsequent requests.
Verifying Token Authenticity
To verify the authenticity of a token, follow these steps:
Ensure the authentication module is running (follow the setup guide on the Getting started page if needed).
Populate the `access_token` environment variable with the token to be verified.
Send a request to the Verify Token endpoint.
The response will include a field named `active`, which indicates whether the token is valid or expired.
Authorization
Authorization is handled using Casbin, comparing the incoming request data with the permissions stored in the database. Any authorization errors follow the Error List.
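As an added illustration of the RBAC model described here (this is not Midaz's own code, and the policy lines are constructed from the role table above rather than taken from a real Casbin model or database), the following Python snippet implements a minimal Casbin-style enforcer: `g` lines assign users to roles, `p` lines grant a role an action on a protocol, `*` is assumed to mean "all methods", and any request not matched by a policy is denied.

```python
# Added example, not Midaz's own code. A Casbin-style CSV policy constructed
# from the role table in this guide: "p, role, protocol, action" grants a
# permission, "g, user, role" assigns a role. Action names are taken verbatim
# from the table (including UPDATE); "*" is assumed to mean "all methods".
POLICY_CSV = """
p, Admin, http, *
p, Admin, grpc, *
p, Developer, http, GET
p, Developer, http, POST
p, Developer, http, UPDATE
p, Developer, http, PATCH
p, GRPC, grpc, *
p, User, http, GET
g, user_john, Admin
g, user_john, Developer
g, user_john, GRPC
g, user_kate, Admin
g, user_kate, Developer
g, user_lisa, Admin
g, user_bob, Developer
g, user_bob, GRPC
g, user_mike, User
"""


def load_policy(csv_text):
    """Parse the CSV into (role -> {(protocol, action)}, user -> {roles})."""
    perms, roles = {}, {}
    for raw in csv_text.strip().splitlines():
        kind, *fields = [f.strip() for f in raw.split(",")]
        if kind == "p":
            role, proto, action = fields
            perms.setdefault(role, set()).add((proto, action))
        elif kind == "g":
            subject, role = fields
            roles.setdefault(subject, set()).add(role)
    return perms, roles


def enforce(user, protocol, action, policy):
    """Deny by default; allow only if a role held by the user grants the action."""
    perms, roles = policy
    for role in roles.get(user, ()):
        for proto, allowed in perms.get(role, ()):
            if proto == protocol and allowed in ("*", action):
                return True
    return False


if __name__ == "__main__":
    policy = load_policy(POLICY_CSV)
    # user_mike is read-only: GET is allowed, DELETE is not.
    print(enforce("user_mike", "http", "GET", policy), enforce("user_mike", "http", "DELETE", policy))
```

Because every decision falls through to `False`, a user absent from the `g` lines (for example a token whose subject is unknown) is denied everything, which is the behaviour a default-deny authorizer should show.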
Open Source vs. SaaS
The Midaz SaaS offering supports ABAC (Attribute-Based Access Control) and multi-tenancy for fine-grained authorization. In contrast, the open-source version uses a simpler RBAC (Role-Based Access Control) and single-tenancy model. This simpler model makes it easier to configure for general users while reserving more advanced features for the SaaS platform.