In v27.0.8+, v28.0.10+, v28.2.3+, and v30+, the system will verify that only one of the authentication methods described in Application Authentication Overview is enabled.
If an external authentication provider is enabled, you can choose to enable automatic token invalidation. If automatic invalidation is enabled, the system will periodically invalidate API tokens for all users. You can enable this feature by adding the TOKEN_REVALIDATION_ENABLED variable to your “.env” file and setting it to true:
TOKEN_REVALIDATION_ENABLED=true
If TOKEN_REVALIDATION_ENABLED is set to true, the system will invalidate users' API tokens every 12 hours by default. You can change how frequently tokens are invalidated by adding the REVALIDATE_TOKEN_WITH_IDP_SECONDS variable to your ".env" file and entering the desired time period as a number of seconds:
REVALIDATE_TOKEN_WITH_IDP_SECONDS=<time_period_in_seconds>
Setting TOKEN_REVALIDATION_ENABLED to true will impact users who aren’t able to log in to the application using a browser or aren’t able to do so readily, including:
API-only users
If you have assigned your API-only users to the “API User” permission group, you can find a list of those users by going to Users > Permission Groups and clicking on API User.
Application users who need continuous access to the API without logging in to the application
We don't have a native mechanism in the application or in our database to determine which users fall into this category. You will need to assess the needs of your users to determine if any of them require uninterrupted API access.
To ensure these users have uninterrupted access to Hyperscience, enter their usernames as a space-separated list in TOKEN_REVALIDATION_EXEMPTED_USERS in your instance's ".env" file:
TOKEN_REVALIDATION_EXEMPTED_USERS=<permitted_username_1 permitted_username_2>
In other words, the value of the TOKEN_REVALIDATION_EXEMPTED_USERS variable is a list of users who are exempt from invalidation.
If you are upgrading from a version that does not have these security measures, you need to complete the additional steps described in Upgrade Considerations and Known Issues.
Connecting the trainer
If you would like to use the credentials of a local user to connect your trainer to the application, you should not include that user’s username in TOKEN_REVALIDATION_EXEMPTED_USERS. Instead, add the TRAINER_USER variable to your “.env” file, as described in Installing the Trainer.
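The following script is an added example, not part of the Hyperscience product or its documentation. It audits the token-revalidation variables described above in a ".env" file and reports the effective settings along with any misconfigurations. It assumes plain KEY=VALUE lines, that "true" is matched case-insensitively, and that TRAINER_USER holds the trainer user's username; the function names and sample usernames are constructed for illustration.

```python
DEFAULT_INTERVAL_SECONDS = 12 * 60 * 60  # page: tokens are invalidated every 12 hours by default

def parse_env(text):
    """Parse simple KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def audit_token_revalidation(text):
    """Return (effective settings, findings) for the variables this page describes."""
    env = parse_env(text)
    findings = []
    enabled = env.get("TOKEN_REVALIDATION_ENABLED", "").lower() == "true"  # assumption: case-insensitive
    interval = None
    if enabled:
        raw = env.get("REVALIDATE_TOKEN_WITH_IDP_SECONDS")
        if raw is None:
            interval = DEFAULT_INTERVAL_SECONDS
        elif raw.isdigit() and int(raw) > 0:
            interval = int(raw)
        else:
            findings.append(f"REVALIDATE_TOKEN_WITH_IDP_SECONDS={raw!r} is not a positive number of seconds")
    exempt_raw = env.get("TOKEN_REVALIDATION_EXEMPTED_USERS", "")
    if "," in exempt_raw:  # heuristic: a comma suggests the wrong separator was used
        findings.append("TOKEN_REVALIDATION_EXEMPTED_USERS must be space-separated")
    exempt = exempt_raw.split()
    trainer = env.get("TRAINER_USER")  # assumption: the value is the trainer's username
    if trainer and trainer in exempt:
        findings.append(f"{trainer} is the trainer user and should not be in the exemption list")
    return {"enabled": enabled, "interval_seconds": interval, "exempt_users": exempt}, findings

# Constructed sample .env content (not from a real instance).
SAMPLE_ENV = """\
TOKEN_REVALIDATION_ENABLED=true
REVALIDATE_TOKEN_WITH_IDP_SECONDS=21600
TOKEN_REVALIDATION_EXEMPTED_USERS=svc_export svc_trainer
TRAINER_USER=svc_trainer
"""

if __name__ == "__main__":
    settings, findings = audit_token_revalidation(SAMPLE_ENV)
    print(settings)
    for finding in findings:
        print("WARNING:", finding)
```

Every username that remains in the exemption list keeps an API token that is never invalidated, so review the reported list against the users who actually need uninterrupted API access.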