
Authorization and authentication

Authorization and authentication have been designed, but not implemented.

The core-engine is responsible for both authorization and authentication.

Service authorization

Services may require a token to authenticate the core-engine. The core-engine will store this authentication token in its database. If the service is secured by HTTPS, the token may be stored directly in the service's URL. If the service does not use HTTPS, however, the token travels in clear text and cannot be considered secret.

User authentication

Authentication will be delegated to an OpenID compliant service, for instance SWITCH edu-ID, Keycloak, etc.

sequenceDiagram
    actor User
    participant Auth service
    participant Core engine

    Note over User, Auth service: The user requests a token
    User->>Auth service: request token(credentials)
    Auth service->>User: Auth token

    Note over User, Core engine: Given an auth token, the user can access the engine
    User->>Core engine: Start service (Auth token + service parameters)
    Core engine->>User: Start service (Auth token + service parameters)

Authorization

Permissions will be stored, for each service, as two matrices: one mapping users to groups and one mapping groups to authorizations.
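As an added illustration, not taken from the design document or the core-engine code base, the two matrices above and the HTTPS rule from the service authorization section, in Python. The user, group, service and action names and the `token` query parameter are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data for the two matrices.
# Matrix 1: users -> groups (a user may belong to several groups).
USER_GROUPS = {
    "alice": {"admin", "researchers"},
    "bob": {"researchers"},
    "carol": set(),
}

# Matrix 2: per service, groups -> authorizations granted to that group.
SERVICE_PERMISSIONS = {
    "image-classifier": {"researchers": {"start"}, "admin": {"start", "register"}},
    "audio-transcriber": {"admin": {"start", "register"}},
}


def is_authorized(user: str, service: str, action: str) -> bool:
    """Grant only if one of the user's groups holds `action` on `service`.

    Unknown users, services and groups deny by default (least privilege).
    """
    groups = USER_GROUPS.get(user, set())
    grants = SERVICE_PERMISSIONS.get(service, {})
    return any(action in grants.get(group, set()) for group in groups)


def token_may_be_embedded(url: str) -> bool:
    """The token may live in the service URL only when the transport is HTTPS."""
    return urlsplit(url).scheme == "https"


def service_url_with_token(url: str, token: str) -> str:
    """Append the service token as a query parameter (assumed name: 'token').

    Over plain http the token would be sent in clear text, so refuse
    rather than silently store a token that is no longer secret.
    """
    if not token_may_be_embedded(url):
        raise ValueError(f"refusing to embed token in non-https URL: {url}")
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query["token"] = token
    return urlunsplit(parts._replace(query=urlencode(query)))
```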

Identified key points

  • When the core-engine is first started, an admin user must be created
  • Service registration must be authorized. For instance, an authorized user asks for a token that will then be used to authorize the service registration.