RobertButler/Authentication
!!! [HMAC Authentication|RobertButler/Authentication]

Authentication System:

* Token-based
* Tokens expire
** If the token expires, session information gathered from the client is re-validated against the database.
** If authentication succeeds, the life of the token is extended.
** If authentication encounters a problem, the user is prompted to re-present their authentication credentials.
* The by-product of authentication gives the user a token, where their (cached) authorization information is stored.
* Tokens have an optional lifetime that is specified by the client and a maximum lifetime specified by the container that created them.
* Authentication in one Domain may or may not facilitate authentication (methods) which may or may not provide authentication inside other domains.
* Authentication information is not limited to login names and passwords, however.
* Domains are a grouping of
** Authentication credentials, comprising one or more of
*** User Accounts
*** Passwords
*** Application-specific authentication methods
** Account settings
* Certificate notes:
** When connecting via SSL, provide a client cert. This client cert then acts as authn and gives you ACLs.
** To change certificates, close the connection, reconnect with the new cert, and provide the same token. This:
*** Revokes the authn for the original cert, and removes those ACLs.
*** Adds the authn for the new cert, and adds those ACLs.
** Alternately, tell the main connection you want to add a new cert without revocation of the old one:
*** It gives the client a nonce.
*** Client opens a second connection, negotiates SSL with the new client cert.
*** Client sends token and nonce.
*** Server then adds the new cert authn to the token, and the ACLs it involves.
*** Commands and data can be sent over either connection. Responses are sent over the requesting connection.
*** When the client closes either connection, that certificate's authn is revoked and those ACLs are removed.

!!! [HMAC Authorization|RobertButler/Authorization]
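The token lifecycle and the nonce-based certificate-binding flow in the Authentication notes above, as an added Python sketch of the server side (example code, not part of the original page). It assumes the token is an id plus an HMAC tag (the heading names HMAC but the notes do not say how it is applied), that client certs are identified by a fingerprint string, and that a `cert_acls` directory mapping each cert to the ACLs it grants is supplied by the caller.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = b"constructed demo key"  # assumption: secret held only by the server

class TokenServer:
    def __init__(self, cert_acls, max_lifetime=3600):
        self.cert_acls = cert_acls        # cert fingerprint -> ACLs that cert grants
        self.max_lifetime = max_lifetime  # cap set by the container, not the client
        self.tokens = {}                  # id -> {"certs": {fp: acls}, "expires": t}
        self.nonces = {}                  # nonce -> token id awaiting a 2nd connection

    def _tag(self, tid):  # HMAC over the id so a forged or tampered token is rejected
        return hmac.new(SERVER_KEY, tid.encode(), hashlib.sha256).hexdigest()

    def issue(self, cert, lifetime=None):  # cert authenticates; its ACLs are cached
        if cert not in self.cert_acls:
            return None
        life = min(lifetime or self.max_lifetime, self.max_lifetime)
        tid = secrets.token_hex(8)
        self.tokens[tid] = {"certs": {cert: set(self.cert_acls[cert])},
                            "expires": time.time() + life}
        return f"{tid}.{self._tag(tid)}"

    def _lookup(self, token):  # check HMAC tag and expiry; returns token id or None
        tid, _, tag = token.partition(".")
        rec = self.tokens.get(tid)
        if rec is None or not hmac.compare_digest(tag, self._tag(tid)):
            return None
        return tid if rec["expires"] >= time.time() else None

    def acls(self, token, cert):  # ACLs usable on a connection authenticated by cert
        tid = self._lookup(token)
        return set(self.tokens[tid]["certs"].get(cert, ())) if tid else set()

    def request_add_cert(self, token):  # main connection asks; server hands a nonce
        if (tid := self._lookup(token)) is not None:
            nonce = secrets.token_hex(16)
            self.nonces[nonce] = tid
            return nonce

    def bind_cert(self, token, nonce, new_cert):  # 2nd connection: token + nonce
        if ((tid := self._lookup(token)) is None
                or self.nonces.pop(nonce, None) != tid   # nonce is single-use
                or new_cert not in self.cert_acls):
            return False
        self.tokens[tid]["certs"][new_cert] = set(self.cert_acls[new_cert])
        return True

    def close_connection(self, token, cert):  # closing revokes that cert's authn/ACLs
        if (tid := self._lookup(token)) is not None:
            self.tokens[tid]["certs"].pop(cert, None)
```

A cert that is not bound to the token has no ACLs on the token even if it is valid, and closing a bound connection removes only that cert's ACLs while the token itself stays alive.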