Authentication Service Client
From OpenLiberty.org Wiki
org.openliberty.services.AuthnClient
The ID-WSF Authentication Service (AS) provides web-service based authentication. It is built around the ID-WSF Authentication protocol, which is based on SASL (see SASL on Wikipedia).
The ClientLib:
- Must provide a mechanism for users to prove their identities and authenticate, receiving a security token from this process. The resulting security token(s) can be used to access other services, such as a DiscoService, which may in turn issue additional security tokens for use with other services.
- Must provide a mechanism for presenting the user-supported SASL security mechanisms to an AS.
- Must provide a mechanism for allowing a user to specify a SASL security mechanism that has been requested by another service. For example, a user could have authenticated using a plain-text mechanism and be receiving service from a service provider (let's call it service "X") that has a low security requirement. When the user then wants to access something with a higher security requirement, service "X" asks the user to obtain a better (or a specific) security token, reflecting the higher level of authorization, and the user goes back to the AS to get it.
- Will assume that the required Security Mechanism for invoking an AS is urn:liberty:security:2003-08:TLS:null
- Will support the password transformations specified in appendix B of [LibertyAuthnContext]
If an AS is not used, the initial security tokens must be bootstrapped through an out-of-band method or by using the SSOS Client.
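The following is an added example, not code from the OpenLiberty ClientLib or from the Liberty specifications, sketching the requirements above in Python rather than the package's Java: a client that presents the user's supported SASL mechanisms to an AS, negotiates the strongest mutually supported one (or a specific one that another service has requested), refuses an AS that is not reached over urn:liberty:security:2003-08:TLS:null, and performs the step-up described for service "X" by reusing a held token only when it is at least as strong as the one required. The toy AS, its in-memory credential store, the constructed strength ranking MECH_RANK, and the choice of PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) as the two mechanisms are all assumptions made for the example; the AS consumes each CRAM-MD5 challenge once so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed strength ranking used for negotiation and step-up; an assumption
# for this example, not an ordering the Liberty specifications define.
MECH_RANK = {"PLAIN": 1, "CRAM-MD5": 2}

# Security-mechanism URNs as quoted on the page.
TLS_MECH = "urn:liberty:security:2003-08:TLS:null"
PLAIN_HTTP_MECH = "urn:liberty:security:2003-08:null:null"


@dataclass(frozen=True)
class SecurityToken:
    subject: str
    mechanism: str   # SASL mechanism the token was issued under
    value: str       # opaque token value (constructed: random hex)

    @property
    def rank(self) -> int:
        return MECH_RANK[self.mechanism]


class AuthnService:
    """Toy AS: advertises SASL mechanisms, verifies PLAIN and CRAM-MD5, issues tokens."""

    def __init__(self, transport_mech: str, supported: List[str], passwords: Dict[str, str]):
        self.transport_mech = transport_mech
        self.supported = supported
        self._passwords = passwords            # constructed credential store
        self._pending: Set[bytes] = set()      # challenges issued but not yet used

    def begin(self, mechanism: str) -> bytes:
        """Server-first step: CRAM-MD5 needs a one-time challenge; PLAIN has none."""
        if mechanism != "CRAM-MD5":
            return b""
        challenge = b"<" + secrets.token_hex(8).encode() + b"@as.example>"
        self._pending.add(challenge)
        return challenge

    def verify(self, mechanism: str, challenge: bytes, response: bytes) -> Optional[SecurityToken]:
        """Check the client's response and issue a token, or return None on failure."""
        if mechanism not in self.supported:
            return None
        if mechanism == "PLAIN":
            parts = response.split(b"\0")      # RFC 4616: [authzid] NUL authcid NUL passwd
            if len(parts) != 3:
                return None
            user, proof = parts[1].decode(), parts[2]
        elif mechanism == "CRAM-MD5":
            if challenge not in self._pending:
                return None                    # unknown or already-used challenge: replay rejected
            self._pending.discard(challenge)
            user, _, digest = response.decode().partition(" ")
            proof = digest.encode()
        else:
            return None
        if user not in self._passwords:
            return None
        pwd = self._passwords[user].encode()
        expected = pwd if mechanism == "PLAIN" else \
            hmac.new(pwd, challenge, hashlib.md5).hexdigest().encode()
        if not hmac.compare_digest(proof, expected):
            return None
        return SecurityToken(user, mechanism, secrets.token_hex(16))


class AuthnClient:
    """Client side: the user's credential, supported mechanisms, and the tokens obtained."""

    def __init__(self, user: str, password: str, supported: List[str]):
        self.user, self._password, self.supported = user, password, supported
        self.tokens: Dict[str, SecurityToken] = {}   # issued tokens keyed by mechanism

    def negotiate(self, as_: AuthnService, required: Optional[str] = None) -> str:
        """Pick the mechanism to use: the requested one if mutually supported, else the strongest."""
        if as_.transport_mech != TLS_MECH:     # the page assumes TLS for invoking an AS
            raise ValueError(f"AS transport {as_.transport_mech} is not {TLS_MECH}")
        common = [m for m in self.supported if m in as_.supported]
        if required is not None:
            if required in common:
                return required
            raise ValueError(f"mechanism {required} is not mutually supported")
        if not common:
            raise ValueError("no common SASL mechanism")
        return max(common, key=MECH_RANK.__getitem__)

    def response(self, mechanism: str, challenge: bytes) -> bytes:
        """Build the client's SASL response for the chosen mechanism."""
        if mechanism == "PLAIN":
            return b"\0" + self.user.encode() + b"\0" + self._password.encode()
        digest = hmac.new(self._password.encode(), challenge, hashlib.md5).hexdigest()
        return f"{self.user} {digest}".encode()

    def authenticate(self, as_: AuthnService, required: Optional[str] = None) -> SecurityToken:
        mech = as_.begin and self.negotiate(as_, required)
        challenge = as_.begin(mech)
        token = as_.verify(mech, challenge, self.response(mech, challenge))
        if token is None:
            raise PermissionError("authentication failed")
        self.tokens[mech] = token
        return token

    def token_for(self, as_: AuthnService, required: str) -> SecurityToken:
        """Step-up: reuse a held token at least as strong as `required`, else re-authenticate."""
        held = [t for t in self.tokens.values() if t.rank >= MECH_RANK[required]]
        return max(held, key=lambda t: t.rank) if held else self.authenticate(as_, required)
```

The client's `tokens` dictionary is one minimal answer to question 1 below (tokens kept per mechanism, strongest reused); CRAM-MD5 stands in for a stronger mechanism only because it is short to implement, and a deployment would prefer a modern challenge-response mechanism such as SCRAM.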
Interaction Example Diagram
Questions:
1) Where does management of security tokens fall in the ClientLib? What mechanism?
2) Where does the user register user supported security mechanisms? How is this determined? Is this something handled transparently based on meta-data provided by the user?
3) Why allow for an AS with a plain http endpoint? (urn:liberty:security:2003-08:null:null)