Description

Ideally, the x509 workflow should look somewhat like this:

- The user makes a request from the browser to the Rucio Auth Server at a new endpoint, `/auth/x509_with_redirect?key=sth_random`. This endpoint should have `SSL_VERIFY_CLIENT true` set in the Apache config.
- The Rucio Auth Server reads the user's certificate from the request environment set by Apache. After verifying the DN and issuing the Rucio auth token, it forwards the request to the NextJS server.
- The NextJS server receives the Rucio auth token, checks the key, and sets the session for the user who made the request initially.

This workflow can be enhanced by using the session id as the key: the client sends the x509 request to the Rucio Auth Server and at the same time starts polling the NextJS server for feedback on the request.
Motivation
This mechanism will require changes that can take some time. Therefore, this issue is delayed in favor of easier-to-implement mechanisms. However, we should try to put this into practice in future releases instead.
Change
No response
Additional Information