... | ... | @@ -564,5 +564,29 @@ In general, we can split the authentication methods into two groups. The first c |
The LDAP authentication belongs to the first group.
The authentication process in Stork starts on the login page. There should be displayed a list of supported authentication methods generated by the dedicated callout. Stork should also provide a flag to suppress the default authentication. The user needs to choose the preferred authentication method. The Stork should present a login form or redirect the user to the authentication point page, depending on the selected solution. The hook will be responsible for validating the form data, fetching the profile, and creating the internal user instance. This instance will be passed to the session manager. The hook should provide the possibility to log out the user too.
The authentication process in Stork starts on the login page. There should be displayed a list of supported authentication methods generated by the dedicated callout. Stork should also provide a flag to suppress the default authentication. The user needs to choose the preferred authentication method. Another approach is allowing only a single authentication method. If the authentication hook is loaded, it replaces the default authentication; only one authentication hook may be loaded simultaneously. The Stork should present a login form or redirect the user to the authentication point page, depending on the selected solution. The hook will be responsible for validating the form data, fetching the profile, and creating the internal user instance. This instance will be passed to the session manager. The hook should provide the possibility to log out the user too.
In the case of delegated authentication, the callout must generate the redirection link and handle the returned token validation.
### LDAP authentication scenario
It is a single authentication solution.
1. The server loads the hooks, including the authentication one
2. The user opens the login page
3. The UI fetches the authentication method details from the server. It displays the login form or redirection button to the authentication point.
4. The server calls the callout point to fetch the authentication details. If no authentication hooks were loaded, then it returns the default method. For LDAP, the login and password form is requested.
5. The UI presents the login and password form.
6. The user provides the credentials and clicks the submit button.
7. The `CreateSession` endpoint receives the credentials. They are passed to the hook.
8. The hook validates the credentials in the LDAP server. Returns an error if they are invalid.
9. The hook fetches the user profile from the LDAP server. It converts the data to the Stork user structure. It needs to translate the groups from the LDAP standard to the Stork indices.
10. The hook returns the user instance.
11. The server creates a session in the session manager.
12. The server returns the user object to the UI.
13. The session middleware sets the authentication cookie.
14. The browser receives the response, reads the cookie, and remembers it.
15. The UI receives the user object, saves it, and redirects to the dashboard.
16. The user uses Stork.
17. The user clicks the logout button.
18. The `DeleteSession` endpoint receives the request and destroys the session. It calls the logout callout point.
19. The UI displays the login page. |
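Review bot: the rewritten paragraph now describes two mutually exclusive designs without choosing one: it still says the login page should display "a list of supported authentication methods generated by the dedicated callout" and that the user picks one, and then adds that a loaded authentication hook "replaces the default authentication; only one authentication hook may be loaded simultaneously". Step 4 of the scenario ("If no authentication hooks were loaded, then it returns the default method") and the sentence "It is a single authentication solution" both assume the second design, so either drop the method-list sentences or mark them explicitly as the rejected alternative. Two smaller points in the scenario: step 8 should say that the hook rejects an empty password before attempting the LDAP bind, because many directories treat a bind with a DN and an empty password as an unauthenticated bind that succeeds, which would let an empty-password login through; and step 9 should state what happens to LDAP groups that have no Stork counterpart (for example, the user receives no role rather than a default one), since that translation decides the user's authorization.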