auth.login_ex

Authenticate using one of a variety of mechanisms.

The mechanism is selected by the mechanism field of the request, and the set of supported mechanisms will be expanded in future releases.

Warning

Mechanisms with a _PLAIN suffix involve passing plain-text passwords or password-equivalent strings and should not be used over untrusted or insecure transport.

The response_type of the result indicates the outcome of the current authentication step and whether further action is required to complete authentication:

  • SUCCESS – authentication completed and a session was established.

  • OTP_REQUIRED – the account requires a one-time password; the client must continue authentication by submitting the token via the OTP_TOKEN mechanism.

  • AUTH_ERR – generic authentication failure corresponding to PAM_AUTH_ERR and PAM_USER_UNKNOWN from libpam. Returned when the account does not exist or the credential is incorrect.

  • EXPIRED – the supplied credential is expired and not suitable for authentication.

  • REDIRECT – authentication must be performed on a different server.

A JSON-RPC error response (code -32001, Method call error) is returned instead of a result in the following cases:

  • a multistep challenge-response mechanism is in progress and the supplied mechanism does not match the expected next step (errno EBUSY)

  • the OTP_TOKEN mechanism is used without a preceding step having requested it (errno EINVAL)

  • the current authenticator assurance level prohibits the supplied mechanism (errno EOPNOTSUPP)

Type: object

Type: array
No Additional Items

Tuple Validation

Parameter 1: login_data

login_data


Authentication data specifying mechanism and credentials.

AuthApiKeyPlain

Type: object
No Additional Properties

Mechanism

Type: const

Authentication mechanism identifier for plain API key authentication.

Specific value: "API_KEY_PLAIN"

Username

Type: string

Username associated with the API key.

Api Key

Type: string

API key for authentication.

AuthCommonOptions

Type: object Default: {"user_info": true}

Additional options for the authentication process.

 No Additional Properties

User Info

Type: boolean Default: true

Whether to include detailed user information in the authentication response.

AuthPasswordPlain

Type: object
No Additional Properties

Mechanism

Type: const

Authentication mechanism identifier for plain password authentication.

Specific value: "PASSWORD_PLAIN"

Username

Type: string

Username for authentication.

Password

Type: string

Password for authentication.

AuthCommonOptions

Type: object Default: {"user_info": true}

Additional options for the authentication process.

 No Additional Properties

User Info

Type: boolean Default: true

Whether to include detailed user information in the authentication response.

AuthTokenPlain

Type: object
No Additional Properties

Mechanism

Type: const

Authentication mechanism type for plain token login.

Specific value: "TOKEN_PLAIN"

Token

Type: string

Authentication token (masked for security).

AuthCommonOptions

Type: object Default: {"user_info": true}

Common authentication options and settings.

 No Additional Properties

User Info

Type: boolean Default: true

Whether to include detailed user information in the authentication response.

AuthOTPToken

Type: object
No Additional Properties

Mechanism

Type: const

Authentication mechanism identifier for one-time password tokens.

Specific value: "OTP_TOKEN"

Otp Token

Type: string

One-time password token for authentication.

AuthCommonOptions

Type: object Default: {"user_info": true}

Additional options for the authentication process.

 No Additional Properties

User Info

Type: boolean Default: true

Whether to include detailed user information in the authentication response.

Result


Authentication response indicating success, failure, or additional steps required.

AuthRespSuccess

Type: object
No Additional Properties

Response Type

Type: const

Authentication response type indicating successful login.

Specific value: "SUCCESS"


Authenticated user information or null if not available.

AuthUserInfo

Type: object
No Additional Properties

Pw Name

Type: string

Name of the user.

Pw Gecos

Type: string

Full username or comment field.

Pw Dir

Type: string

User home directory.

Pw Shell

Type: string

User command line interpreter.

Pw Uid

Type: integer

Numerical user ID of the user.

Pw Gid

Type: integer

Numerical group id for the user's primary group.

Grouplist


Optional array of group IDs for groups of which this account is a member. If get_groups is not specified, this value will be null.

Type: array of integer
No Additional Items
Each item of this array must be:
Type: integer
Type: null

Sid


Optional SID value for the account that is present if sid_info is specified in payload.

Type: string
Type: null

Source

Type: enum (of string)

The source for the user account.

Must be one of:
  • "LOCAL"
  • "ACTIVEDIRECTORY"
  • "LDAP"

Local

Type: boolean

The account is local to TrueNAS or provided by a directory service.

Attributes

Type: object

Custom user attributes and metadata.

Two Factor Config

Type: object

Two-factor authentication configuration for the user.

Privilege

Type: object

User privilege and role information.

Account Attributes

Type: array of string

Array of account attribute names available for this user.

 No Additional Items
Each item of this array must be:
Type: string
Type: null

Authenticator

Type: enum (of string)

Authentication level achieved (LEVEL1 for password, LEVEL2 for two-factor).

Must be one of:
  • "LEVEL_1"
  • "LEVEL_2"

AuthRespAuthErr

Type: object
No Additional Properties

Response Type

Type: const

Authentication response type indicating authentication failure.

Specific value: "AUTH_ERR"

AuthRespExpired

Type: object
No Additional Properties

Response Type

Type: const

Authentication response type indicating the session or token has expired.

Specific value: "EXPIRED"

AuthRespOTPRequired

Type: object
No Additional Properties

Response Type

Type: const

Authentication response type indicating one-time password is required.

Specific value: "OTP_REQUIRED"

Username

Type: string

Username for which OTP is required.

AuthRespAuthRedirect

Type: object
No Additional Properties

Response Type

Type: const

Authentication response type indicating redirect is required.

Specific value: "REDIRECT"

Urls

Type: array of string

Array of URLs to redirect to for authentication completion.

 No Additional Items
Each item of this array must be:
Type: string


Required roles: