Created adminAuth Credential Authentication (markdown)

adminAuth-Credential-Authentication.md

@@ -0,0 +1,26 @@
+When `adminAuth` is used to secure the editor and admin api, and is set to type `credentials`, here's how to login and access the API securely. It is an implementation of Resource Owner Password Credentials Grant of OAuth 2.0 (RFC 6749, Section 4.3).
+
+The basic process is:
+
+1. obtain an access token
+2. provide that access token with any request to the api
+3. revoke the token when it is no longer required
+
+More concretely, with example curl invocations:
+
+1. Get a token by POST ing your username/password to /auth/token:
+
+        curl http://localhost:1880/auth/token  --data 'client_id=node-red-editor&grant_type=password&scope=*&username=admin&password=password'
+
+  that gives you back something like:
+
+      {"access_token":"agm6RUh6jmEPApI8eO25uW1X3A7tYBJxzKe9Z0sIEYdhTTy5Rzh3uBUTCawxgAmHFaqNL0gxH9wijA12BslxOwo9eouqwOnQ1tYjpqTnH8EWRZfw7dtQDX21owA9KiPR", "token_type":"Bearer"}
+
+2. use the "access_token" in the authorization header for subsequent requests:
+
+        curl -H "Authorization: Bearer agm6RUh6jmEPApI8eO25uW1X3A7tYBJxzKe9Z0sIEYdhTTy5Rzh3uBUTCawxgAmHFaqNL0gxH9wijA12BslxOwo9eouqwOnQ1tYjpqTnH8EWRZfw7dtQDX21owA9KiPR" http://localhost:1880/settings
+ 
+3. To revoke a token, post to /auth/revoke:
+
+        curl --data 'token=agm6RUh6jmEPApI8eO25uW1X3A7tYBJxzKe9Z0sIEYdhTTy5Rzh3uBUTCawxgAmHFaqNL0gxH9wijA12BslxOwo9eouqwOnQ1tYjpqTnH8EWRZfw7dtQDX21owA9KiPR' -H "Authorization: Bearer agm6RUh6jmEPApI8eO25uW1X3A7tYBJxzKe9Z0sIEYdhTTy5Rzh3uBUTCawxgAmHFaqNL0gxH9wijA12BslxOwo9eouqwOnQ1tYjpqTnH8EWRZfw7dtQDX21owA9KiPR" http://localhost:1880/auth/revoke
+