REST API Authentication Token

I am using openHAB 4.0.4 and would like to secure the REST API with an authentication token. This is now also working. However, I noticed the following on the way there:

  • There is no reference to the “Scope” in the documentation. What effect does this parameter have?
  • The text is missing in the documentation for “System Services” and “API Security”. Also for all other services.
  • My REST API was freely accessible despite the token. Only after some searching did I find out that “Settings > System Services > API Security > Implicit User Role” apparently needs to be deactivated.
  • When displaying a sitemap, I now receive an error message “SSE subscription failed (401 Unauthorized)”. However, the sitemap should still be accessible without logging in.

How can I restrict protection to the web services using a token?

The scope is authentication. Those parts of the API that require authentication will require the token.

We are always looking for volunteers to help with all aspects of OH.

Only those parts of the REST API that are required to drive the UIs for non-admin users were accessible. This includes pages, Sitemaps, items and persistence.

Well of course. By disabling the implicit user role, you now must authenticate to access any part of the REST API. All the OH UIs work by calling the REST API.

You cannot require authentication for all parts of the API except Sitemaps. That’s why the implicit user role setting exists. It allows unauthenticated users to access only those parts of the API required to use Sitemaps or pages.
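As an added check (example code written for this thread, not openHAB's own code nor part of the posts above): a small Python audit that probes REST endpoints anonymously and with a Bearer API token, then reports where the observed access differs from the posture expected for the chosen Implicit User Role setting. The endpoint lists, the base URL and the token argument are assumptions; the script needs a reachable openHAB instance to run against.

```python
"""Audit which openHAB REST endpoints answer anonymously vs. with an API token."""
import sys
import urllib.error
import urllib.request

# Assumed endpoint lists: the reply above says the implicit user role exposes the
# parts needed by the UIs (sitemaps, items, persistence); things/rules are admin-only.
UI_ENDPOINTS = ["/rest/sitemaps", "/rest/items", "/rest/persistence"]
ADMIN_ENDPOINTS = ["/rest/things", "/rest/rules"]


def http_status(url, token=None):
    """Return the HTTP status of a GET, sending a Bearer token when one is given."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 is the interesting case here


def audit(base_url, token, implicit_user_role, fetch=http_status):
    """Compare observed access with the expected posture.

    implicit_user_role=True : UI endpoints may answer anonymously, admin ones must not.
    implicit_user_role=False: every endpoint must reject anonymous requests.
    A valid token must be accepted everywhere in both modes.
    Returns a list of (endpoint, finding); an empty list means the posture matches.
    """
    findings = []
    for path in UI_ENDPOINTS + ADMIN_ENDPOINTS:
        anon = fetch(base_url + path)
        auth = fetch(base_url + path, token)
        anon_allowed = implicit_user_role and path in UI_ENDPOINTS
        if anon == 200 and not anon_allowed:
            findings.append((path, "reachable without a token"))
        if anon == 401 and anon_allowed:
            findings.append((path, "UI endpoint requires a token (sitemap/SSE will fail)"))
        if auth != 200:
            findings.append((path, f"token rejected (HTTP {auth})"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py http://openhab:8080 <api-token>")
    # Assumes the implicit user role has been disabled, as in the thread above.
    for endpoint, finding in audit(sys.argv[1], sys.argv[2], implicit_user_role=False):
        print(f"{endpoint}: {finding}")
```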