Changeset View
Changeset View
Standalone View
Standalone View
docs/images/deposit-authentication-keycloak.uml
- This file was added.
| @startuml | |||||
| participant CLIENT as "SWORD client\n(eg. HAL)" | |||||
| participant DEPOSIT as "swh-deposit" | |||||
| participant AUTH_BACKEND as "keycloak" | |||||
| activate CLIENT | |||||
| activate DEPOSIT | |||||
| activate AUTH_BACKEND | |||||
| CLIENT ->> DEPOSIT: GET /1/<service-document>/ | |||||
| DEPOSIT ->> AUTH_BACKEND: forwards authentication to keycloak | |||||
| alt credentials mismatch or inexistent user | |||||
| AUTH_BACKEND ->> DEPOSIT: return 401, Unauthorized | |||||
| DEPOSIT -->> CLIENT: return 401, Unauthorized | |||||
| else credentials ok | |||||
| AUTH_BACKEND ->> DEPOSIT: return oidc_profile | |||||
| DEPOSIT ->> DEPOSIT: decodes oidc_profile, checks deposit user permissions | |||||
| alt no permission matches 'swh.deposit.api' | |||||
| DEPOSIT -->> CLIENT: return 401, Unauthorized | |||||
| else at least one permission matches 'swh.deposit.api' | |||||
| DEPOSIT -->> CLIENT: return 200, <service-document> | |||||
| end | |||||
| end | |||||
| deactivate CLIENT | |||||
| deactivate DEPOSIT | |||||
| deactivate AUTH_BACKEND | |||||
| @enduml | |||||