
Security and Permissions

Authentication

Concord supports multiple authentication methods:

  • API tokens (API keys);
  • username and password (LDAP/Active Directory);
  • per-process session tokens.

Plugins can implement additional authentication methods.

Using API Tokens

The API key must be passed in the Authorization header of every API request. For example:

curl -v -H "Authorization: <value>" ...

API keys are managed using the API key endpoint or using the UI.

Using Username and Password

Username and password are passed using HTTP basic authentication. For example:

curl -v -u myuser:mypwd ...

The user record is created on the first successful authentication attempt. After that it can be managed as usual through the User API endpoint.

Username/password authentication uses an LDAP/Active Directory realm. Check the Configuration document for details.

Using Session Tokens

For each process Concord generates a temporary “session token” that can be used to call the Concord API. The token is valid until the process reaches one of the final statuses:

  • FINISHED
  • FAILED
  • CANCELLED
  • TIMED_OUT

The session token must be passed in the X-Concord-SessionToken header:

curl -v -H "X-Concord-SessionToken: <value>" ...

Such API requests use the process’s security principal, i.e. they run on behalf of the process’s current user.

The current session token is available in the ${processInfo.sessionToken} variable.

Secret Management

Concord provides an API to create and manage various types of secrets that can be used in user flows and for Git repository authentication.

Secrets can be created and managed using the Secret API endpoint or the UI.

Supported types:

  • plain strings and binary data (files) (example);
  • username/password pairs (example);
  • SSH key pairs (example).

Secrets can optionally be protected by a password provided by the user. Secrets that are not password-protected are encrypted with an environment-specific key defined in Concord Server’s configuration.

Additionally, Concord supports “encrypted strings” - secrets that are stored “inline”, directly in Concord YAML files:

flows:
  default:
    - log: "Hello, ${crypto.decryptString('aXQncyBub3QgYW4gYWN0dWFsIGVuY3J5cHRlZCBzdHJpbmc=')}"

Concord encrypts and decrypts such values using a project-specific encryption key, so a process must run in a project in order to use encrypted strings.

The crypto task can be used to work with secrets and encrypted strings.
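An added example, not taken from the Concord documentation, of a flow that uses both kinds of secret described above: an inline encrypted string decoded with `crypto.decryptString`, and a password-protected username/password secret read through the crypto task's `exportCredentials` function. The organization name, secret name and argument names are assumptions; the store password is expected to arrive as a process argument rather than being committed with the flow.

```yaml
configuration:
  arguments:
    # Assumed names for this example. secretStorePassword is deliberately not
    # set here: it is supplied when the process is started, so it never lands
    # in the repository next to the flow.
    secretOrg: "Default"
    secretName: "deploy-credentials"

flows:
  default:
    # Inline encrypted string: the ciphertext is safe to commit, but it can only
    # be decrypted by a process running in the project whose key produced it
    # (the value below is a placeholder, not real ciphertext).
    - set:
        greeting: "${crypto.decryptString('<value produced by crypto.encryptString>')}"
    - log: "Decrypted inline value: ${greeting}"

    # Password-protected username/password secret. exportCredentials returns a
    # map with 'username' and 'password' keys; the store password comes from
    # the process arguments, so the flow itself contains no secret material.
    - set:
        creds: "${crypto.exportCredentials(secretOrg, secretName, secretStorePassword)}"

    # Hand the values to the task that needs them instead of logging them:
    # the process log is readable by everyone who can view the process.
    - log: "Authenticating as ${creds.username}"
```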