Example flow for basic authentication
The following diagram identifies the flow of authentication and authorization information for basic authentication. Colors are used in the following ways:
- Orange - credentials information
- Blue - endpoint access information
- Green - resource access information
- Red - proxy user and session user information
Some values are used to determine multiple types of access. These values initially appear as black (when they do not apply to a single type of access), and then later appear in one or more specific colors (to reflect the value is being used at that point in the process for a specific type of access).
In the following example, an API call is triggered by Aaron Applegate, who is an internal user, using a browser-based application and basic authentication.
- When Aaron triggers an API call, the caller application sends the API request to BillingCenter. The request header includes a base64-encoded version of the user's user name (aapplegate@acme.com) and password (aPassword).
- BillingCenter authenticates the user and determines the endpoint access.
  - Using the user name in the request header (aapplegate@acme.com), BillingCenter queries the user table.
  - BillingCenter authenticates the user by verifying that the user name and password match.
  - BillingCenter responds with the user roles that this user has. One role is returned: BillingRep.
  - Based on the returned role, the BillingRep.role.yaml API role file is used to define the endpoint access.
- Next, BillingCenter determines the resource access strategy. Because the call is using basic authentication, BillingCenter grants resource access as defined in the internal*.access.yaml files. (BillingCenter starts with internal_ext-1.0.access.yaml, but this file references additional access.yaml files whose name starts with "internal".)
- Proxy user access is not relevant for basic authentication.
- BillingCenter processes the request.
  - The session user is the internal user: aapplegate@acme.com.
  - The endpoint access is defined by BillingRep.role.yaml.
  - The resource access is defined by internal*.access.yaml using the resource access ID of aapplegate@acme.com.
- BillingCenter provides the response to the initial call.
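The steps above can be traced end to end with a small model of the server side. The following Python is an added illustration, not BillingCenter code: it builds the base64 credential the caller sends, parses it the way an API server would, checks the password against a stored hash using a constant-time comparison, and then derives the three pieces of information the flow produces (session user, endpoint-access role file, resource-access ID). The user table, the salted hash scheme, the `AccessDecision` structure and the function names are all constructed for this example; only the user name, password, role and file names come from the page.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass

# --- Constructed user table (hypothetical schema, not BillingCenter's) ---
# Passwords are stored as salted PBKDF2 hashes, never in clear text.
_SALT = b"constructed-static-salt"  # a real store uses a random salt per user


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USER_TABLE = {
    "aapplegate@acme.com": {
        "password_hash": _hash_password("aPassword"),
        "roles": ["BillingRep"],
    },
}
# Hash compared against when the user does not exist, so a lookup miss
# costs the same time as a wrong password (no user-enumeration timing leak).
_DUMMY_HASH = _hash_password("")

# Resource-access file the flow starts from for basic authentication (from the page).
RESOURCE_ACCESS_START_FILE = "internal_ext-1.0.access.yaml"


class AuthError(Exception):
    """Raised for any malformed or invalid credential."""


@dataclass
class AccessDecision:
    session_user: str            # the internal user the request runs as
    role_files: list[str]        # API role files defining endpoint access
    resource_access_file: str    # starting access.yaml for resource access
    resource_access_id: str      # ID used to evaluate resource access


def build_basic_header(user: str, password: str) -> str:
    """What the caller application puts in the Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: str) -> tuple[str, str]:
    """Split 'Basic <base64>' into (user, password); RFC 7617 forbids ':' in the user-id,
    so everything after the first ':' is the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise AuthError("not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        raise AuthError("malformed base64 credential") from None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise AuthError("credential lacks a user name or ':' separator")
    return user, password


def authenticate(user: str, password: str) -> list[str]:
    """Verify user name and password against the user table; return the user's roles."""
    record = USER_TABLE.get(user)
    candidate = _hash_password(password)
    expected = record["password_hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    if record is None or not ok:
        raise AuthError("invalid user name or password")
    return list(record["roles"])


def authorize_basic(header: str) -> AccessDecision:
    """Run the whole flow for one request and return the resulting access decision."""
    user, password = parse_basic_header(header)
    roles = authenticate(user, password)
    return AccessDecision(
        session_user=user,
        role_files=[f"{role}.role.yaml" for role in roles],
        resource_access_file=RESOURCE_ACCESS_START_FILE,
        resource_access_id=user,  # with basic auth, the internal user is the resource access ID
    )


def rejects(header: str) -> bool:
    """True if the header is refused (used to check failure paths)."""
    try:
        authorize_basic(header)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    print(authorize_basic(build_basic_header("aapplegate@acme.com", "aPassword")))
```

Two details worth noting for a server implementing this: the credential is only base64-encoded, not encrypted, so the header must travel over TLS; and the comparison uses `hmac.compare_digest` with a dummy hash on unknown users so that response timing does not reveal whether a user name exists.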