Differences between version 11 and predecessor to the previous major change of RobertButler/Authentication.
| Newer page: | version 11 | Last edited on Wednesday, 2 April 2008 17:09:21 | by CyberLeo |
| Older page: | version 10 | Last edited on Thursday, 13 March 2008 5:56:48 | by RobertButler |
@@ -14,6 +14,19 @@
  
       * User Accounts 
       * Passwords 
       * Application-specific authentication methods 
     * Account settings 
+
 
+  * Certificate notes:
 
+    * When connecting via SSL, provide a client cert. This client cert then acts as authn and gives you ACLs.
 
+    * To change certificates, close the connection, reconnect with the new cert, and provide the same token.
 
+      * Revokes the authn for the original cert, and removes those ACLs.
 
+      * Adds the authn for the new cert, and adds those ACLs.
 
+    * Alternately, tell the main connection you want to add a new cert without revocation of the old one
 
+      * It gives client a nonce.
 
+      * Client opens a second connection, negotiates SSL with the new client cert.
 
+      * Client sends token and nonce
 
+      * Server then adds the new cert authn to the token, and the ACLs it involves
 
+      * Commands and data can be sent over either connection. Responses are sent over the requesting connection.
 
+      * When client closes either connection, that certificate's authn is revoked and those ACLs are removed.
 
 !!! [HMAC Authorization|RobertButler/Authorization] 
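Review bot: The "Alternately" sub-list (from "It gives client a nonce" through "Server then adds the new cert authn to the token") never states that the nonce is single-use, short-lived, and bound to the token of the connection that requested it; without that, a nonce presented later or with a different token would still bind a cert to a token outside the window the author intends. Suggest adding a bullet such as "* The nonce is single-use, expires after a short interval, and is accepted only with the token it was issued for." Also, "Client sends token and nonce" should say that the server validates the new client cert (chain and revocation status) before "the ACLs it involves" are added, since "provide a client cert ... gives you ACLs" currently reads as if presenting a cert is enough on its own.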
version 11
HMAC Authentication

- Authentication System
  - Token-based
    - Tokens expire
      - If the token expires, session information gathered from the client is re-validated against the database.
        - If authentication succeeds, the life of the token is extended.
        - If authentication encounters a problem, the user is prompted to re-present their authentication credentials.
  - The by-product of authentication gives the user a token, where their (cached) authorization information is stored.
  - Tokens have an optional lifetime that is specified by the client and a maximum lifetime specified by the container that created them.
  - Authentication in one domain may or may not make available authentication methods that, in turn, may or may not authenticate the user inside other domains.
  - Authentication information is not limited to login names and passwords, however.
- Domains are a grouping of authentication credentials, comprising one or more of:
  - User Accounts
  - Passwords
  - Application-specific authentication methods
- Account settings

- Certificate notes:
  - When connecting via SSL, provide a client cert. This client cert then acts as authn and gives you ACLs.
  - To change certificates, close the connection, reconnect with the new cert, and provide the same token.
    - Revokes the authn for the original cert, and removes those ACLs.
    - Adds the authn for the new cert, and adds those ACLs.
  - Alternately, tell the main connection you want to add a new cert without revocation of the old one.
    - It gives the client a nonce.
    - Client opens a second connection, negotiates SSL with the new client cert.
    - Client sends token and nonce.
    - Server then adds the new cert authn to the token, and the ACLs it involves.
    - Commands and data can be sent over either connection. Responses are sent over the requesting connection.
    - When the client closes either connection, that certificate's authn is revoked and those ACLs are removed.
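As an added illustration of the certificate notes above (example code, not from the wiki page or the RobertButler/Authentication project), this Python sketch models the server-side state: a token accumulates the authn of each connected client cert and its ACLs, a nonce issued on the main connection lets a second connection with a new cert join the same token, and closing a connection revokes that cert's share. The cert "database", the NONCE_TTL value, the single-use nonce check, and recomputing ACLs from the remaining certs are assumptions the page does not state.

```python
import secrets

NONCE_TTL = 60   # assumed: a nonce is single-use and accepted only for this many seconds

class AuthServer:
    def __init__(self, cert_acls):
        self.cert_acls = cert_acls   # constructed "database": cert fingerprint -> set of ACLs
        self.tokens = {}             # token -> {"certs": bound certs, "acls": cached ACLs}
        self.nonces = {}             # nonce -> (token it was issued for, expiry time)
        self.connections = {}        # conn_id -> (token, cert presented on that connection)

    def _bind(self, token, cert):
        """Add a cert's authn to the token together with the ACLs that cert carries."""
        if token not in self.tokens or cert not in self.cert_acls:
            raise PermissionError("unknown token or client certificate")
        self.tokens[token]["certs"].add(cert)
        self.tokens[token]["acls"] |= self.cert_acls[cert]

    def connect(self, conn_id, cert, token=None):
        """SSL connection with a client cert; without a token a fresh one is issued."""
        if token is None:
            token = secrets.token_hex(16)
            self.tokens[token] = {"certs": set(), "acls": set()}
        self._bind(token, cert)
        self.connections[conn_id] = (token, cert)
        return token

    def request_nonce(self, conn_id, now):
        """Main connection asks to add a cert without revoking the current one."""
        token, _ = self.connections[conn_id]
        nonce = secrets.token_hex(8)
        self.nonces[nonce] = (token, now + NONCE_TTL)   # bound to this token, time-limited
        return nonce

    def connect_with_nonce(self, conn_id, cert, token, nonce, now):
        """Second connection: new cert + same token + nonce joins the token."""
        issued_for, expires = self.nonces.pop(nonce, (None, 0))   # pop makes it single-use
        if issued_for != token or now > expires:
            raise PermissionError("nonce unknown, expired or issued for another token")
        self._bind(token, cert)
        self.connections[conn_id] = (token, cert)

    def close(self, conn_id):
        """Closing either connection revokes that cert's authn and removes its ACLs."""
        token, cert = self.connections.pop(conn_id)
        t = self.tokens[token]
        t["certs"].discard(cert)
        # Recompute from the remaining certs so an ACL also granted by another cert survives.
        t["acls"] = set().union(*(self.cert_acls[c] for c in t["certs"]))
```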
 
