docs/authentication.rst
- This file was added.
.. _authentication: | |||||
Authentication | |||||
============== | |||||
This is a description of the authentication mechanism used in the deposit server. | |||||
Keycloak | |||||
-------- | |||||
Recent changes introduced `keycloak`_, an Open Source Identity and Access Management | |||||
which is already used in other part of the swh stack. | |||||
anlambert: other part**s**
The authentication is plainly delegated to the swh keycloak instance. If keycloak | |||||
authorizes the deposit client, the deposit further checks that the deposit client has | |||||
the proper role "swh.deposit.api". | |||||
anlambert: you should use permission instead of role
If any issues arise during one of the authentication check, the client receives a 401 | |||||
response (unauthorized). | |||||
.. figure:: images/deposit-authentication-keycloak.svg | |||||
:alt: Keycloak Authentication | |||||
Basic | |||||
----- | |||||
The first implementation used basic authentication. The deposit storage backend has the | |||||
responsibility to check the authentication credential sent by the deposit client. If | |||||
anlambert: credential**s**
authorized, the deposit client is authorized to continue its deposit. Otherwise, a 401 | |||||
anlambert: is allowed (to avoid the repetition)
response is returned to the client. | |||||
.. figure:: images/deposit-authentication-basic.svg | |||||
:alt: Basic Authentication | |||||
.. _keycloak: https://www.keycloak.org/ |
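Review bot: in the Keycloak section, the sentence "If any issues arise during one of the authentication check, the client receives a 401" also covers the case where keycloak accepts the client but the "swh.deposit.api" role is missing, which is an authorization failure rather than an authentication failure. State whether returning 401 (and not 403) for that case is intentional, so client authors know a 401 can mean valid credentials without the required role. The same section says authentication is "plainly delegated" to keycloak but does not say what the client sends to the deposit (the same basic credentials as before, or a token); one sentence on that would let the text stand without the figure. Minor: "check" in that sentence should be "checks".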