« Previous | Next » 

Revision 8f2eb016

ID8f2eb016a5a4211b54a07cfc8017fe19a16b0ea3

Added by Sofia Papagiannaki about 7 years ago

pithos: Change pithos views authorization/authentication

Pithos views no longer use the information stored in
the PITHOS_ASTAKOS_COOKIE_NAME cookie
for authenticating the user and authorizing access to the
targeted resource.
They acquire, instead, from the authentication server (astakos)
a short-term token for accessing the specific resource.

The general flow includes the following steps:
1. The user clicks on a resource to view its content.
2. The view requests an authorisation code from astakos
by providing its identifier, the requested scope,
and a redirection URI.
3. Astakos authenticates the user and since the pithos view
is considered a trusted client grants the view's access request.
4. Astakos redirects the user-agent back to the view using
the redirection URI provided earlier.
The redirection URI includes an authorisation code.
5. The view requests an access token from astakos
by including the authorisation code.
The view also posts a pair of credentials used to
authenticate itself with astakos and the redirection URI
used to obtain the authorisation code for verification.
6. Astakos authenticates the view, validates the authorization code,
and ensures that the redirection URI received matches the URI
used to redirect the client.
If valid, astakos responds back with an short-term access token.
7. The view exchanges with astakos the access token
for the user information to whom the authorisation was granted.
8. The view responses with the resource contents
if the user has access to the specific resource.

Files

  • added
  • modified
  • copied
  • renamed
  • deleted

View differences