Login-as using WWW-Authenticate #109
I'm inclined to think of login-as as an additional header (similar to how it is managed by Sword) rather than a different authentication method.
Summary of what was discussed in the meeting:
Please update this summary if you see anything that differs from what we discussed. I will verify how much work this would require in REST and Angular.
I've verified the impact on REST and Angular, and REST shouldn't pose any problems. For Angular, the estimated 12 hours might not suffice, but it shouldn't be a huge increase in that work. I've updated the contract based on the discussed alternative.
One of the side-effects of the given solution:
I have just a different suggestion about how to discover if the user can or cannot access the loginAs feature.
The other suggestion about the use of the camel case format of the header can be freely ignored if not liked.
authentication.md
Outdated
## Log in as | ||
|
||
For any request, an `x-on-behalf-of` header can be included. |
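Review bot: The sentence "For any request, an `x-on-behalf-of` header can be included" does not say who may send the header or what its value identifies. Because this header changes the identity a request runs under, the section should state right after this line which callers are permitted to use it, what the value must be, and which status the server returns when the header comes from a caller who is not permitted or names an unknown account.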
Just a style note: I would prefer the use of X-On-Behalf-Of as used in the SWORD protocol spec, but this is just "layout", as headers are by spec case insensitive.
authentication.md
Outdated
Sample request: | ||
``` | ||
curl -v "http://{dspace-server.url}/server/api/core/items/1911e8a4-6939-490c-b58b-a5d70f8d91fb" -H "Authorization: Bearer eyJhbG...COdbo" -H "x-on-behalf-of: 028dcbb8-0da2-4122-a0ea-254be49ca107" |
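Review bot: The sample `curl` line sends `Authorization: Bearer ...` together with `x-on-behalf-of` to an `http://` URL. Documentation samples get copied as written, so I would use `https://{dspace-server.url}` here, so that the token and the impersonation header are not shown travelling in clear text.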
Again, if possible use X-On-Behalf-Of in camel case.
authentication.md
Outdated
@@ -91,6 +91,7 @@ This will return the authentication status, E.G.: | |||
{ | |||
"okay" : true, | |||
"authenticated" : true, | |||
"allowOnBehalfOf" : false, |
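Review bot: The new `"allowOnBehalfOf" : false` field in the status example is not explained in the visible lines. A reader cannot tell whether it reports that the feature is enabled on the server or that the current user is entitled to use it; add a sentence under the JSON saying which, and what a client should do when the value is `false`.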
Sorry for not having immediately seen the comment where you anticipated such a change. I want to suggest using the new authorization endpoint to check for the possibility of using the loginAs feature. You can implement a loginAs feature that supports the Site object to know whether the current user is entitled to access such a feature.
@abollini I've processed your feedback.
Thanks @benbosman, all my feedback has been processed.
The goal of the underlying implementation is:
webui.user.assumelogin
boolean)
As part of the implementation, it would also be best to improve the EPersonRestAuthenticationProvider implementation, this will have an impact on the Angular UI as well:
AuthenticationMethod
based on the getName() method