Layer7 API Management

When I searched it in LAC documentation, I always got the Authentication providers docs. Which I understand is for the security of our APIs created via LAC. That's okay. But my use case is mentioned below - 

Suppose I have an e-commerce website, If a user is visiting without doing Sign In That is fine. But when user going to the sign in page - 

1. We will receive the User details (Username & Password). Now our task is to authenticate that user to verify this user is registered with us or not. How I will achieve this with LAC is as mentioned below - 

1. I will take the username & password and I will be having an Endpoint from the LAC which is for a table in my database call "User". With LAC I will be able to find that the user with that username & password does exist or not. But what about the session of that user, what I really want is

          1. Once the user is identified as registered with us, we should return a session token to the client application along with that I should add that token in the user table and should specify its timeout period. So that in the subsequent requests we will get the token from the user in the subsequent request.

In brief what I want (Session management) or what procedure I want to follow in my e-commerce website - 

1. User login in my application with username and password
2. LAC got the username + password and find it in the user table of the database If we got that - User is registered.
3.  We should generate a token, save in the user table with the timeout period of the token.
4. In the next subsequent request, user will send that token we will check its timeout period if it still alive we will serve the client.

I am not sure how I will achieve the step 3 and 4 in the LAC. can you please help?

Thanks in advance. I need it urgently ASAP so that I can implement this thing in my application. Thanks for your cooperation.

Melanie_Giuliani, Bill_Peterson  chewa03 danal03 - Please help ASAP. I need it urgently. Thanks in advance foryourr cooperation. 

LAC offers the functionality that you are describing built-in, using the @authentication endpoint, as documented here:

Obtain an Authentication Token Dynamically During Sign-On

That uses the Built-In Authentication Provider though. If you need to maintain your own list of user names/passwords in your database and manage tokens separately from what is built-in to LAC, you would need to write the javascript to manage all of that yourself. Details on how to create your own custom authentication provider can be found here:

Create Custom Authentication Providers using JavaScript

Bill_Peterson - Again you are explaining what I already mentioned above. What you are explaining is the authentications for our API not for the client application.

How would I maintain the user session as I asked in the question itself?

When you create your authentication provider, you will define how the user token is created, including roles for the given user, additional properties about that user, and the lifetime of the key that is generated:

return {
    errorMessage: null, // Indicates success
    roleNames: ['role1', 'role2'], // This cannot be empty, otherwise the user will have no permissions
    userData: { employeeId: "12345", region: "US-West"}, // Optional: these properties will be attached to the API key
    userInfo: { email: "jdoe@acme.com" }, // Optional: these properties will be returned along with the API key
    keyLifetimeSeconds: 3600, // How long the API should be valid for, 0 for perpetual
    lastLogin: new Date(2013, 11, 31), // Optional: last time user logged in (caution: JS Date has 0-based month)
    lastLoginIP: "12.34.56.78" // Optional : the IP from which the user last logged in
  };

When the user logs in, your application will call the @authentication endpoint, which will return an auth token in the following form:

> curl -d @authrequest.json -H "Content-Type: application/json" http://localhost:8080/rest/default/api/v1/@authentication
{
"apikey": "aaea381a23f2c3289dda59f47cf450bc",
"expiration": "2017-10-09T23:43:30.941Z",
"lastLoginTs": "2017-10-05T23:34:09.867Z",
"lastLoginIP": "0:0:0:0:0:0:0:1"
}

That auth token must be submitted along with subsequent API requests by the client application (in an Authorization header or as a URL parameter). On the API Server side, it remembers that user session, manages timeouts, etc. When the next call comes in, it will look up the user information based on the auth token, see if the token is still valid, and if so, allow the request.

Let me know if this is clear.

-Jaime

kkaus - Did you get success on implementing custom authentication as we are also in need to same?