... | @@ -555,3 +555,14 @@ func (sa *StorkAgent) Shutdown() { |
## Authentication hook
We decided the first hook would be an authentication hook to support login through LDAP. In the future, we want to implement more authentication hooks this way.
In general, we can split the authentication methods into two groups. In the first group, the server actively mediates in the authentication process: the user provides the credentials in a form presented by the server, and the server forwards these credentials to the authentication point. The authentication point validates the credentials and returns the user profile on success. The second group uses a delegated flow: the user initiates the authentication by clicking a button on the server page, and the server redirects to the authentication point page. The user provides the credentials in a form presented by the authentication point, which validates them and redirects the user back to the server. The server receives an authentication token that is validated on the server side. The token may contain the basic user profile, or the server may use it to obtain the profile from the authentication point.
The LDAP authentication belongs to the first group.
The authentication process in Stork starts on the login page. The page should display a list of the supported authentication methods, generated by a dedicated callout. Stork should also provide a flag to suppress the default (internal) authentication. The user chooses the preferred authentication method, and Stork presents a login form or redirects the user to the authentication point page, depending on the selected solution. The hook is responsible for validating the form data, fetching the profile, and creating the internal user instance; this instance is passed to the session manager. The hook should also provide the possibility to log the user out.
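The group-1 flow described above (list methods, validate the form data, build the internal user, log out), as an added example that is not Stork's own code: the `AuthHook` interface, `directoryHook` and `Login` are hypothetical names, and the in-memory directory is a constructed stand-in for an LDAP server.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for this example, not Stork's own types: User is the
// internal user instance a hook hands to the session manager.
type User struct{ Login, Method string }

// AuthHook is the callout contract for a group-1 (server-mediated) hook: list its
// method IDs for the login page, validate the form data and build the user, and log out.
type AuthHook interface {
	Methods() []string
	Authenticate(methodID string, form map[string]string) (*User, error)
	Logout(u *User) error
}

// directoryHook stands in for an LDAP hook, backed by a constructed in-memory directory.
type directoryHook struct{ users map[string]string }

func (d directoryHook) Methods() []string    { return []string{"ldap"} }
func (d directoryHook) Logout(u *User) error { return nil }
func (d directoryHook) Authenticate(methodID string, form map[string]string) (*User, error) {
	stored, ok := d.users[form["login"]]
	// One error for unknown user and wrong password, compared in constant time.
	if methodID != "ldap" || !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(form["password"])) != 1 {
		return nil, errors.New("invalid credentials")
	}
	return &User{Login: form["login"], Method: methodID}, nil
}
// Login dispatches the method chosen on the login page to the hook that registered it.
func Login(hooks []AuthHook, methodID string, form map[string]string) (*User, error) {
	for _, h := range hooks {
		for _, m := range h.Methods() {
			if m == methodID {
				return h.Authenticate(methodID, form)
			}
		}
	}
	return nil, errors.New("no hook handles method " + methodID)
}

func main() {
	hooks := []AuthHook{directoryHook{users: map[string]string{"alice": "s3cret"}}} // constructed
	u, err := Login(hooks, "ldap", map[string]string{"login": "alice", "password": "s3cret"})
	fmt.Println(u, err) // &{alice ldap} <nil>
}
```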
In the case of delegated authentication, the callout must generate the redirection link and handle the returned token validation.