Example flow for basic authentication

The following diagram identifies the flow of authentication and authorization information for basic authentication. Colors are used in the following ways:

  • Orange - credentials information
  • Blue - endpoint access information
  • Green - resource access information
  • Red - proxy user and session user information

Some values are used to determine multiple types of access. These values initially appear as black (when they do not apply to a single type of access), and then later appear in one or more specific colors (to reflect the value is being used at that point in the process for a specific type of access).

In the following example, an API call is triggered by Aaron Applegate, who is an internal user, using a browser-based application and basic authentication.


Authentication flow for basic authentication

  1. When Aaron triggers an API call, the caller application sends the API request to BillingCenter. The request header includes a base64-encoded version of the user's user name (aapplegate@acme.com) and password (aPassword).
  2. BillingCenter authenticates the user and determines the endpoint access.
    1. Using the user name in the request header (aapplegate@acme.com), BillingCenter queries the user table.
    2. BillingCenter authenticates the user by verifying that the user name and password match.
    3. BillingCenter responds with the user roles that this user has. One role is returned: BillingRep.
  3. Based on the returned role, the BillingRep.role.yaml API role file is used to define the endpoint access.
  4. Next, BillingCenter determines the resource access strategy. Because the call is using basic authentication, BillingCenter grants resource access as defined in the internal access.yaml files. (* BillingCenter starts with internal_ext-1.0.access.yaml, but this file references additional access.yaml files whose name starts with "internal".)
  5. Proxy user access is not relevant for basic authentication.
  6. BillingCenter processes the request.
    1. The session user is the internal user: aapplegate@acme.com.
    2. The endpoint access is defined by BillingRep.role.yaml.
    3. The resource access is defined by internal access.yaml using the resource access ID of aapplegate@acme.com.
  7. BillingCenter provides the response to the initial call.