thequux/ipasso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
6498a8bd061d97b471a40045265b41ff8b17979b
ipasso/docs/auth-flow.md

44 lines
2.0 KiB
Markdown
Raw Blame History

# Authorization flow
Current authorization state is passed around via an opaque session ID in a cookie.
This cookie is stored in duplicate: once on the SSO domain and once on the protected domain (for use by RPX's)
Most pages do not have any form of authorization, and simply depend on the cookie.
However, in order to log in, more complex flow is necessary.
Login pages are all grouped under `/login`, which normally serves an HTML form with some additional javascript.
This form includes a hidden field with the page to redirect to.
The JS on `/login` begins by fetching `/login/status` via XHR GET.
`/login/status` returns a JSON response indicating the login state, which is one of:
* VALID: User is fully logged in. User details are attached
* EXPLICIT_LOGOUT: Cookie is set to indicate logged-out state.
* UNKNOWN: No cookie set
* INVALID: Invalid signature on cookie, cookie content invalid, or cookie expired. This also clears the cookie.
If the state is `UNKNOWN` or `INVALID`, automatic login is performed.
If the state is `EXPLICIT_LOGOUT`, the process terminates here.
Otherwise, a login form is displayed.
If automatic login fails, the page simply displays a login form.
The user may log in using a username/password, at which point a cookie is set with their details.
The user may also submit the form with blank username/password, in which case automatic login is performed.
# Automatic login
These steps are performed in sequence, each returning the same data as `/login/status`.
The process completes when the state is `VALID` or `EXPLICIT_LOGOUT`.
1. Fetch `/login/krb5` via XHR GET.
2. Fetch `/login/x509` via XHR GET.
Upon successful login, a redirect is performed to the page in the hidden field.
# API
In addition to the `/login` endpoint, there exist several other useful endpoints:
* `/logout`: Set cookie to indicate logged-out state
* `/login/status`: Fetch a representation of user's info.
If `Accept` requests `application/json`, this is JSON.
Otherwise, this is an HTML page
An OAuth interface is also available on **TODO**
Reference in New Issue View Git Blame Copy Permalink