4.3.8. Infobase users

4.3.8.1. User authentication

If the infobase has a list of users allowed to access it (create and edit this list in Designer), the user authentication dialog box opens. At the top of the dialog box, under the 1C logo, is the name of the infobase that the user is trying to access. This name is displayed if the authentication dialog box is opened from the launcher whose infobase list contains the current infobase. If you access the infobase using a web client or by specifying access parameters in the command line of the client application startup, "1C:Enterprise" is displayed under the 1C logo instead.

Fig. 19. User authentication

There are several ways to specify a username in this dialog box:

  • Click the User field and choose a name from the list. This method is available only for users whose settings allow them to be displayed in the choice list.
  • Type the username in the User field. Use this method if the list is very long or if the Show in list option is not enabled in the user settings (see Adding new users).

Each username that is entered in the authentication dialog box and successfully authenticated is added to the list of recent users. This list contains up to 4 usernames.

If a password is set for the user, enter the password in the Password field. Then, click Sign in to complete the user authentication and proceed. To close the authentication window (and refuse to connect to the infobase), click the X button in the upper-right corner of the dialog box.

The button on the right side of the password field allows you to see the password in clear text.

Fig. 20. Hidden password

Click the button to see the password in clear text not covered by *. In this case, the button changes its image, as is evident from the figure below.

Fig. 21. Open password

Clicking the button in the password field repeatedly switches between the two password display modes: hidden and displayed. When the user authentication dialog box opens, the password field is in hidden (masked) mode.

If you select the Remember checkbox in the authentication dialog box, the next time you access the specified infobase on this computer, no user authentication attempt is performed. Instead, the user whose name was specified in the dialog box when the checkbox was selected is signed in (in the example in the figure, this is Administrator (JohnSmith)).

If self-service password recovery is enabled in the infobase, the Forgot your password? hyperlink will be displayed in the dialog box.

Clicking the hyperlink will run the user's password recovery. For more information on how to set up and use this feature, see Password recovery.

If several authentication types are configured for the infobase, the authentication dialog box displays all the configured authentication types.

The authentication types are displayed at the bottom of the dialog box (Sign in via...). QR code authentication is displayed separately: if this feature is enabled, the Sign in using QR code hyperlink is displayed under the Sign in button. The authentication dialog box can display the following authentication types: standard authentication, email authentication, QR code authentication, OpenID authentication, and OpenID Connect authentication. You can set up and use several OpenID Connect authentication providers (all of them are displayed). The active authentication type (whose parameters are displayed at the top of the dialog box) is marked with an underline under its picture.

For the authentication dialog box to display an authentication type to the user, both of the following conditions must be met:

  • The authentication type is configured for this infobase.
  • Authentication type selection is enabled for this infobase.

To configure all the above settings, use the default.vrd configuration publication setup file. To set up the OpenID and OpenID Connect authentication, use the <openid> and <openidconnect> elements. To specify the location of mobile applications that can be used to sign in by QR code, use the <mobileApps> element. To display a particular authentication type, as well as to specify the order of the configured authentication types in the authentication dialog box, use the <authentication> element. Note that hiding the authentication type in the <authentication> element has a higher priority than the settings in other sections of the default.vrd file. If OpenID authentication is configured in the default.vrd file (and the provider is available to the client application) but disabled in the <authentication> element, you cannot select the OpenID authentication in the authentication dialog box of this infobase. Note that enabling the display of any authentication type (the <authentication> element) will not automatically configure this authentication type.

If a picture is specified in the OpenID Connect authentication settings for the provider (the image field of the provider description), the provider will be displayed with this picture in the authentication dialog box. The value of the title field of the provider description will be displayed for the OpenID Connect provider as a tooltip.

If an access error occurs (no free license, prohibition from the external session management service, or exclusive infobase/area access error) during authentication when starting the client application (thin client, web client, mobile client, thick client, or Designer), the following happens:

  1. If the authenticated user has no other sessions in the current infobase/area, an error notification appears and the client application does not start.
  2. If the authenticated user has other sessions in the infobase/area whose client applications were started on the same computer and have already been closed, those sessions end automatically and another authentication attempt is made.
  3. If there are sessions in the infobase/area whose client applications are still running, or that were started on another computer, a dialog box with a list of these sessions appears and the system prompts you to close all or some of them. If you agree, the system attempts to close the selected sessions and authenticate again.

See also:

  • default.vrd file details.

4.3.8.2. Authentication when accessing infobase data

4.3.8.2.1. General information

Before accessing infobase data, the client application must state who is accessing the data, and the system must check whether this user is authenticated. The client application can be a 1C:Enterprise client application or any other software that accesses data through the external application interfaces. Data can be accessed through the file infobase, through the 1C:Enterprise server (over TCP/IP), or through the web server (over HTTP(s)). The client application can be authenticated as follows:

  1. With a username and password (authentication using 1C:Enterprise tools, standard authentication). With this authentication method, you can use two-factor authentication if it is set up on the 1C:Enterprise side. For more information about two-factor authentication, see Two-factor authentication. For more information about authentication using 1C:Enterprise tools, see 1C:Enterprise authentication.
  2. With operating system authentication. For more information, see Operating system.
  3. With OpenID and OpenID Connect protocols. OpenID providers can use various kinds of two-factor authentication. It depends on the provider settings.
  4. With a special access token.
  5. QR code authentication. For more information, see Using QR code.
  6. Email authentication. For more information, see By email.

Depending on how you access 1C:Enterprise data, you can use different authentication kinds.

In terms of authentication kinds and participating system components, the simplest way to access data is a direct connection to the file infobase or to the 1C:Enterprise server cluster. In this case, only the infobase is accessed, with no intermediate servers.

During the direct connection, you can use the following authentication kinds:

  • OS authentication.
  • Authentication using 1C:Enterprise tools.
  • Email authentication (for interactive authentication only).

If you connect over HTTP(s), the following is used during the connection:

  • Proxy server. This is a server that acts as an intermediary between the client application and the target server. In this description, the proxy server is assumed to be located in the computer network of the client application.
  • Web server. This is a server that grants access to the infobase or to the 1C:Enterprise server cluster over HTTP(s). In this description, the web server is assumed to be located in the same computer network as the server cluster or infobase.

You can transfer data between the proxy server and the web server via the Intranet and Internet. The proxy server is optional for getting access.

HTTPS (secure connection) is also supported. It is not an authentication method in itself, but with a secure connection the client and the server can verify that the other party is really who it claims to be. This section gives a brief description of secure connection. A secure connection is established between the client application and the web server where the 1C:Enterprise infobase is published, and only if the web server supports HTTPS for the required infobase. To make the client application use a secure connection, do the following:

  • When you use the web client, all actions are performed by the browser. Install the root certificates on the computer; the browser uses them to verify the web server certificate.
  • When you use the thin client, set up certificates in the launcher. During the setup, you specify how the web server certificate is verified and which certificate the client application presents.
  • When you work from the 1C:Enterprise language, establish the secure connection using the OpenSSLSecureConnection object. The parameters of this object correspond to the launcher settings.

So, the following items are involved in the authentication process: a client application located on a client device, a proxy server, a web server, and the 1C:Enterprise server cluster or the web server extension for the file infobase.

Fig. 22. Authentication options

The figure shows the main authentication options. These options can be combined; for example, a device can connect to a web server that works with a file infobase. The client application initiates the authentication process and ensures that every participant receives the data required to complete each step. The numbered authentication options are:

  1. Authentication on the proxy server.
    • For authentication, you can use:
      • Authentication using 1C:Enterprise tools.
      • OS authentication.
    • Specify the parameters for authentication on the proxy server:
      • In the settings to access the infobase in the launcher.
      • Using the /Proxy command-line option for the client application startup.
      • Using the InternetProxy object if you access data programmatically.
      • Using the inetcfg.xml configuration file.
  2. Authentication on the web server.
    • For authentication, you can use:
      • Authentication using 1C:Enterprise tools.
      • OS authentication.
    • Specify the parameters for authentication on the web server:
      • Using the /WSA, /WSN, and /WSP command-line options for the client application startup.
      • Using the InternetProxy object if you access data programmatically.
    • You can also use secure connection (HTTPS).
  3. Authentication in the infobase.
    • For authentication, you can use:
      • Access token.
      • OS authentication.
      • Authentication using various OpenID protocol options.
      • QR code.
      • Username and password.
      • Email authentication (interactive login only).
    • Specify authentication parameters for the infobase as follows:
      • Access token:
        • Using the /AccessToken command-line option for the client application startup.
        • Using the AccessToken parameter of the infobase connection string.
        • Using the Authorization: Bearer header of the HTTP infobase request.
      • OS authentication:
        • Using the /WA command-line option for the client application startup. You can enable or disable this authentication method.
        • Using the UseOSAuthentication parameter of the HTTPConnection or WSDefinitions object constructor.
      • Authentication using OpenID:
        • Using the /OIDA command-line option for the client application startup. You can enable or disable this authentication method. Authentication parameters are determined by the publication settings of the infobase you want to access.
        • Using the Authorization: Bearer header of the HTTP infobase request.
      • Using the username and password:
        • Using the /N and /P command-line options for the client application startup.
        • Using the parameters of the infobase connection string.
        • Using the Authorization: Basic header of the HTTP infobase request.
      • Email authentication:
        • Using the /EmailAuth command-line option for the client application startup.

4.3.8.2.2. Interactive authentication

Authentication on the web server

When you access the infobase manually, authentication on the web server is performed as follows:

  • Thin client:
    • If the /WSA- option is specified, the web server requests a username and password for authentication.
    • If correct /WSN and /WSP options are specified, the specified user is authenticated on the web server.
    • If the /WSN option is not specified, OS authentication is performed. If it fails, a username and password are requested.
    • If the /WSN option is specified but the /WSP option is missing or incorrect, the web server requests a username and password for authentication.
  • Web client:
    • The browser manages this process.

Authentication in the infobase

If you connect to the server/infobase (thin and thick clients) directly or if you connect to the infobase via the web server (thin client or web client), authentication in the infobase is as follows:

Fig. 23. Interactive authentication

During the interactive authentication, the following takes place:

  1. If possible, authentication using the saved authentication token is performed.
  2. If possible, JWT authentication is performed.

    If authentication fails, other authentication methods cannot be used.

  3. If possible, OS authentication is performed.

    If authentication fails or the /WA- command-line option is specified, the remaining authentication methods are tried.

  4. Authentication with a username and password is performed if at least one of the two parameters is specified in the command line:
    • If the /N and /P parameters are set, a specified user is authenticated.
    • If the /N parameter is not set, a username and password are requested.
    • If the /P parameter is not set or is set incorrectly, an authentication attempt is made (an empty password is used for authentication). If authentication fails, a username and password are requested (authentication window).
    • If the authentication attempt fails and the /N parameter is specified, in the authentication window that opens, the /N parameter value will be specified in the username field.
  5. The user selects the required authentication method in the dialog box and attempts to authenticate using this method. To set up the authentication dialog box, use the default.vrd publication description file (the <authentication> element). If any authentication type is disabled in the default.vrd file, you will not be able to select this authentication type in the dialog box, even if other settings are correct. If the /OIDA- option is specified in the command line, the OpenID authentication will not be available for selection.

4.3.8.2.3. Authentication when accessing the infobase programmatically

Authentication on the web server

When you access the infobase programmatically, set up authentication on the web server using the HTTPConnection or WSDefinitions object depending on the service kind you use:

  • Authentication on the web server is determined by the UserName, Password, and UseOSAuthentication parameters of the HTTPConnection and WSDefinitions object constructors:
    • The UseOSAuthentication parameter is set to True:
      • OS authentication is enabled in the web server settings:
        • OS authentication is performed.
        • If the UserName and Password parameters are specified, their values are used for authentication over the NTLM and Kerberos protocols. Specify UserName as DOMAIN\user or user@domain.
        • If the UserName and Password parameters are not specified, the credentials of the user on whose behalf the current session is running are used.
      • OS authentication is disabled in the web server settings:
        • No authentication is performed on the web server.
        • UserName and Password are used to access the infobase.
    • The UseOSAuthentication parameter is set to False:
      • If UserName and Password are specified, they are used for authentication on the web server.
      • Do not additionally specify the infobase username and password in the infobase URL. In some cases, this leads to errors that are hard to diagnose.

See also:

  • Authentication kinds in 1C:Enterprise (see Authentication types).
  • Integration methods in 1C:Enterprise.

Authentication in the infobase

Once you authenticate on the web server, the web server extension tries to authenticate in the infobase:

  • If the Authorization: Bearer HTTP request header is present, an attempt to authenticate with an access token is made. If the attempt fails, access to the infobase is denied; no other method is tried.
  • If the Authorization: Basic HTTP request header is present, an attempt to authenticate with the username and password from the header is made.
  • If neither standard header is used, the web server extension tries to take the username and password from the infobase connection string in the default.vrd file. If they are found, they are passed in internal request headers.
  • If no username and password are determined, OS authentication is attempted. If OS authentication fails, access to the infobase is denied.
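The order of attempts above, together with the Authorization: Bearer and Authorization: Basic header forms listed under Authentication in the infobase, can be written down as a short decision procedure. The following Python model is an added example, not 1C:Enterprise's own code: the token, user, and OS identity values are constructed, and the Usr/Pwd connection-string keys are assumed to be the ones used in the default.vrd connection string.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample data: an infobase user, an issued access token, and an OS identity
# mapped to an infobase user. A real deployment checks these against the infobase user list.
INFOBASE_USERS: Dict[str, str] = {"JohnSmith": "s3cret"}
ACCESS_TOKENS: Dict[str, str] = {"tok-abc123": "JohnSmith"}
OS_PRINCIPALS: Dict[str, str] = {"CORP\\jsmith": "JohnSmith"}


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split a 'Key=Value;Key=Value' infobase connection string into lower-cased keys."""
    params: Dict[str, str] = {}
    for item in conn.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip().strip('"')
    return params


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic' value as a client would send it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate_request(headers: Dict[str, str], vrd_connection_string: str = "",
                         os_principal: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (method tried, authenticated user or None) following the order described above."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, credential = auth.partition(" ")
    scheme = scheme.lower()

    # 1. Bearer: access token. A bad token ends the attempt; nothing else is tried.
    if scheme == "bearer":
        return "token", ACCESS_TOKENS.get(credential.strip())

    # 2. Basic: username:password from the header. Malformed base64 counts as a failure.
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return "basic", None
        user, _, password = decoded.partition(":")
        return "basic", user if INFOBASE_USERS.get(user) == password else None

    # 3. No standard header: use the assumed Usr/Pwd keys from the default.vrd connection string.
    params = parse_connection_string(vrd_connection_string)
    if "usr" in params:
        user, password = params["usr"], params.get("pwd", "")
        return "connection-string", user if INFOBASE_USERS.get(user) == password else None

    # 4. Nothing determined: OS authentication. Failure here also ends the attempt.
    return "os", OS_PRINCIPALS.get(os_principal or "")
```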

See also:

  • Authentication kinds in 1C:Enterprise (see Authentication types).
  • Integration methods in 1C:Enterprise.