HMAC Authentication
- Authentication System
Token-based
- Tokens expire
If the token expires, session information gathered from the client is re-validated against the database
- If authentication succeeds, the life of the token is extended.
- If authentication encounters a problem, the user is prompted to re-present their authentication credentials.
- The by-product of authentication gives the user a token, were their (cached) authorization infomation is stored.
- Tokens have an optional lifetime that is specified by the client and have a maximum lifetime specified by the container that created it.
- Authentication in one Domain may or may not facilitate authentication (methods) which may or may not provide authentication inside other domains
- Authentication information is not just limited to Login names and Passwords, however.
Domains are a grouping of
Authentication credentials, comprising of one or more
- User Accounts
- Passwords
- Application-specific authentication methods
- Account settings
Certificate notes:
- When connecting via SSL, provide a client cert. This client cert then acts as authn and gives you ACLs.
To change certificates, close the connection, reconnect with the new cert, and provide the same token.
- Revokes the authn for the original cert, and removes those ACLs.
- Adds the authn for the new cert, and adds those ACLs.
Alternately, tell the main connection you want to add a new cert without revocation of the old one
- It gives client a nonce.
- Client opens a second connection, negotiates SSL with the new client cert.
- Client sends token and nonce
- Server then adds the new cert authn to the token, and the ACLs it involves
- Commands and data can be sent over either connection. Responses are sent over the requesting connection.
- When client closes either connection, that certificate's authn is revoked and those ACLs are removed.