17.2.2.6.3.1. Initial authentication

Before a device token has been registered, the initial authentication takes place using username, password, and MTAN (or any other authentication flow resulting in access to the device registration REST calls).

This process has nothing to do with the actual device token authentication but it shows what a REST client has to expect in this state.

HTTP Request: Check Username and Password

copy
POST /auth-login/rest/public/authentication/password/check

{
    "password" : "1234",
    "username" : "jdoe"
}

HTTP Response: Check Username and Password

copy
HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2018-02-12T17:44:50.155+01:00"
    },
    "data": {
        "type": "authentication.session",
        "id": "1210147939",
        "attributes": {
            "nextAuthStep": "MTAN_OTP_REQUIRED"
        }
    }
}

Note that since there are no device tokens for the user, the next authentication step is directly "MTAN_OTP_REQUIRED".

HTTP Request: Send MTAN OTP

copy
POST /auth-login/rest/public/authentication/mtan/otp/check

{
    "otp": "909140"
}

HTTP Response: OTP OK and session authenticated

copy
HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2018-02-12T17:46:49.408+01:00"
    },
    "data": {
        "type": "authentication.session",
        "id": "1210147939",
        "attributes": {}
    }
}

At this point, authentication is completed and access to protected REST calls such as the ones following are possible.