Authentication
The Ash Console is currently in alpha and not production-ready. It is under active development and subject to breaking changes.
Before interacting with the Ash Console, you need to authenticate yourself. The authentication flow depends on the tool you are using (Ash Console Web UI, Ash CLI, Ash Console API).
During the Console alpha, user accounts are created by the Ash team. If you want to get access to the Console alpha, please contact us!
- Authenticate using the Ash CLI
- Authenticate using the Ash Console API
To authenticate, run:
ash console auth login
The CLI will display a URL to open in your browser and a code to enter there:
Logging in to the Ash Console at https://api.console.ash.center
Please open the following URL in your browser:
https://auth.console.ash.center/realms/jeeo/device
and enter the code: CGAX-GSVT
Once you have provided the code and authenticated yourself, the CLI will display the following message:
Login successful! The credentials have been stored in your device keyring.
The Console session lasts at most 24 hours (and 10 hours in case of inactivity). After that, you will need to log in again. When trying to use the Console after the session has expired, you will get the following error:
Console OAuth2 error: failed to request OAuth2 token: Server returned error response
To get an access token and a refresh token for the Ash Console API, you need to use the OpenID Connect protocol:
curl -X POST -d "client_id=cf83e1357eefb8bd" \
-d "username=alice" \
-d "password=password4alice" \
-d "grant_type=password" \
"https://auth.console.ash.center/realms/jeeo/protocol/openid-connect/token" | jq
The access_token has to be used in the Authorization header of Ash Console API requests:
curl "..." \
-H "Authorization: Bearer ${access_token}"
You can use the refresh_token to get a new access_token when the current one has expired:
curl -X POST -d "client_id=cf83e1357eefb8bd" \
-d "refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NGY4MzgyYi00NTVkLTQ1Y2QtODA3NS05YmZkM2Q4ZjZlYWEifQ.eyJleHAiOjE2OTgyMDQ2NTIsImlhdCI6MTY5ODE2ODY1MiwianRpIjoiMmQ1MTA1YzgtNWRkNy00OWFjLThlZmItOTY4ZjlkNjBjYTY4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3JlYWxtcy9qZWVvIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3JlYWxtcy9qZWVvIiwic3ViIjoiMjg3MDkwZWUtN2ZhZS00YmQ3LTkyNjMtZDY5MDk1OWVkYzI2IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImNmODNlMTM1N2VlZmI4YmQiLCJzZXNzaW9uX3N0YXRlIjoiMWY1Yjk3MmMtMWZlMC00MjU0LTlmMTctNjNkZmM1YTZkYTViIiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwic2lkIjoiMWY1Yjk3MmMtMWZlMC00MjU0LTlmMTctNjNkZmM1YTZkYTViIn0.lKbwKZwqMLqk-K6T_iLwT-b3zw80Q1cOSuAgy0wEt2w" \
-d "grant_type=refresh_token" \
"https://auth.console.ash.center/realms/jeeo/protocol/openid-connect/token" | jq
An access token expires after 5 minutes and a refresh token after at most 24 hours (and 10 hours in case of inactivity). After that, you will need to authenticate again. When trying to use the Console API after the access token has expired, you will get the following response:
{
"detail": "Provided token is not valid",
"status": 401,
"title": "Unauthorized",
"type": "about:blank"
}
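The following Python is an added example, not part of the Ash documentation or tooling: it reads the exp claim of each token to choose between reusing the access token, refreshing it, or authenticating again, so that a client does not have to wait for the 401 response. It assumes both tokens are JWTs carrying an exp claim; the function names, the 30-second margin and the sample tokens are constructed for illustration.

```python
import base64
import json
import time

SKEW_SECONDS = 30  # assumed margin: treat a token as expired slightly early


def jwt_exp(token):
    """Return the exp claim (Unix seconds) from a JWT payload.
    The signature is not verified: the value is only a client-side hint.
    The server stays the authority and can still answer 401.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def next_step(access_token, refresh_token, now=None):
    """Choose the action to take before the next API request.

    "use"     -> send the access token as the Bearer credential
    "refresh" -> access token lapsed, use grant_type=refresh_token
    "login"   -> refresh token lapsed too, authenticate again
    """
    now = time.time() if now is None else now
    if jwt_exp(access_token) - SKEW_SECONDS > now:
        return "use"
    if jwt_exp(refresh_token) - SKEW_SECONDS > now:
        return "refresh"
    return "login"


def make_sample_jwt(exp):
    """Build a constructed, unsigned token for the demo (not a Console token)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    access = make_sample_jwt(t0 + 5 * 60)          # 5-minute access token
    refresh = make_sample_jwt(t0 + 10 * 60 * 60)   # 10-hour inactivity limit
    for offset in (60, 6 * 60, 11 * 60 * 60):
        print(offset, next_step(access, refresh, now=t0 + offset))
```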
An access token can also be obtained from the Ash CLI with the auth show-token command:
ash console auth show-token
Showing access token for the Ash Console at https://api.console.ash.center
Access token (valid):
eyJ...WcA
If the access token is marked as expired, you can use the auth refresh-token command to get a new one:
ash console auth refresh-token
Refreshing access token for the Ash Console at https://api.console.ash.center
Access token refreshed successfully!
If you plan to use the API directly, run:
ash console auth refresh-token
# Keep only the token line of the show-token output (a JWT starts with "eyJ")
export access_token=$(ash console auth show-token | grep '^eyJ')