Example flow for basic authentication
The following diagram identifies the flow of authentication and authorization information for basic authentication. Colors are used in the following ways:
- Orange - credentials information
- Blue - endpoint access information
- Green - resource access information
- Red - proxy user and session user information
Some values are used to determine multiple types of access. These values initially appear as black (when they do not apply to a single type of access), and then later appear in one or more specific colors (to reflect the value is being used at that point in the process for a specific type of access).
In the following example, an API call is triggered by Andy Applegate, who is an internal user, using a browser-based application and basic authentication.
- When Andy triggers an API call, the caller application sends the API request to ClaimCenter. The request header includes a base64-encoded version of the user's user name (aapplegate@acme.com) and password (aPassword).
- The IExpandTokenPlugin plugin is not relevant for basic authentication.
- ClaimCenter authenticates the user and determines the endpoint access.
  - Using the user name in the request header (aapplegate@acme.com), ClaimCenter queries the user table.
  - ClaimCenter authenticates the user by verifying that the user name and password match.
  - ClaimCenter responds with the user roles that this user has. One role is returned: Adjuster.
  - Based on the returned role, the Adjuster.role.yaml API role file is used to define the endpoint access.
- Next, ClaimCenter determines the resource access strategy. Because the call is using basic authentication, ClaimCenter grants resource access as defined in the internal access.yaml files. (ClaimCenter starts with internal_ext-1.0.access.yaml, but this file references additional access.yaml files whose names start with "internal".)
- Proxy user access is not relevant for basic authentication.
- ClaimCenter processes the request.
  - The session user is the internal user: aapplegate@acme.com.
  - The endpoint access is defined by Adjuster.role.yaml.
  - The resource access is defined by internal access.yaml using the resource access ID of aapplegate@acme.com.
- ClaimCenter provides the response to the initial call.
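The first and third steps above, as an added example that is not ClaimCenter's own code: the caller builds the base64-encoded Authorization header, and the receiving side decodes it, handles malformed headers and passwords that contain a colon, and checks the credentials against a salted-hash user store that stands in for the user table the flow queries. The user name and password are the sample values from the flow; the user store, the PBKDF2 parameters and all function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Sample credentials from the flow above; the password is the documentation's
# placeholder, not a real secret.
USER = "aapplegate@acme.com"
PASSWORD = "aPassword"

def build_basic_header(user: str, password: str) -> str:
    """Caller side: the Authorization value for HTTP Basic auth (RFC 7617)."""
    if ":" in user:  # the user name cannot contain the separator
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Receiver side: decode a Basic header into (user, password), or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Only the first ':' separates the two fields; the password itself may contain ':'.
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so the user table never holds the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed stand-in for the user table that the flow queries (not ClaimCenter's schema).
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {USER: hash_password(PASSWORD)}

def authenticate(header: str, store: Dict[str, Tuple[bytes, bytes]]) -> Optional[str]:
    """Return the session user name when the header's credentials match, else None."""
    creds = parse_basic_header(header)
    if creds is None or creds[0] not in store:
        return None
    user, password = creds
    salt, expected = store[user]
    _, actual = hash_password(password, salt)
    # Constant-time comparison so a mismatch does not leak where the digests differ.
    return user if hmac.compare_digest(actual, expected) else None
```

The returned user name is what the flow then carries forward as the session user and as the resource access ID.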