Changeset View
Changeset View
Standalone View
Standalone View
docs/authentication.rst
- This file was added.
| .. _authentication: | |||||
| Authentication | |||||
| ============== | |||||
| This is a description of the authentication mechanism used in the deposit server. | |||||
| Keycloak | |||||
| -------- | |||||
| Recent changes introduced `keycloak`_, an Open Source Identity and Access Management | |||||
| which is already used in other part of the swh stack. | |||||
anlambert: other part**s** | |||||
| The authentication is plainly delegated to the swh keycloak instance. If keycloak | |||||
| authorizes the deposit client, the deposit further checks that the deposit client has | |||||
| the proper role "swh.deposit.api". | |||||
anlambertUnsubmitted Not Done Inline Actionsyou should use permission instead of role anlambert: you should use permission instead of role | |||||
| If any issues arise during one of the authentication check, the client receives a 401 | |||||
| response (unauthorized). | |||||
| .. figure:: images/deposit-authentication-keycloak.svg | |||||
| :alt: Keycloak Authentication | |||||
| Basic | |||||
| ----- | |||||
| The first implementation used basic authentication. The deposit storage backend has the | |||||
| responsibility to check the authentication credential sent by the deposit client. If | |||||
anlambertUnsubmitted Not Done Inline Actionscredentials anlambert: credential**s** | |||||
| authorized, the deposit client is authorized to continue its deposit. Otherwise, a 401 | |||||
anlambertUnsubmitted Not Done Inline Actionsis allowed (to avoid the repetition) anlambert: is allowed (to avoid the repetition) | |||||
| response is returned to the client. | |||||
| .. figure:: images/deposit-authentication-basic.svg | |||||
| :alt: Basic Authentication | |||||
| .. _keycloak: https://www.keycloak.org/ | |||||
other parts