Example flow for basic authentication

The following diagram identifies the flow of authentication and authorization information for basic authentication. Colors are used in the following ways:

  • Orange - credentials information
  • Blue - endpoint access information
  • Green - resource access information
  • Red - proxy user and session user information

Sometimes, a value is used in different parts of the flow to determine different types of access. These values appear in the flow diagrams multiple times, but the color is changed to reflect how the value is being used at that point in the process.

In the following example, an API call is triggered by Alice Applegate, who is an internal user, using a browser-based application and basic authentication.

Authentication flow for basic authentication (diagram; the numbered steps below follow it)
  1. When Alice triggers an API call, the caller application sends the API request to PolicyCenter. The request header includes a base64-encoded version of the user's user name (aapplegate@acme.com) and password (aPassword).
  2. The IExpandTokenPlugin plugin is not relevant for basic authentication.
  3. PolicyCenter authenticates the user and determines the endpoint access.
    1. Using the user name in the request header (aapplegate@acme.com), PolicyCenter queries the user table.
    2. PolicyCenter authenticates the user by verifying that the user name and password match.
    3. PolicyCenter responds with the user roles that this user has. One role is returned: Underwriter.
  4. Based on the returned role, the Underwriter.role.yaml API role file is used to define the endpoint access.
  5. Next, PolicyCenter determines the resource access strategy. Because the call is using basic authentication, PolicyCenter grants resource access as defined in the internal access.yaml files. (PolicyCenter starts with internal_ext-1.0.access.yaml, but this file references additional access.yaml files whose names start with "internal".)
  6. Proxy user access is not relevant for basic authentication.
  7. PolicyCenter processes the request.
    1. The session user is the internal user: aapplegate@acme.com.
    2. The endpoint access is defined by Underwriter.role.yaml.
    3. The resource access is defined by internal access.yaml using the resource access ID of aapplegate@acme.com.
  8. PolicyCenter provides the response to the initial call.
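The steps above, modelled end to end in Python as an added example (this is not PolicyCenter's own code, and the function names, the in-memory user table, and the choice to store passwords as salted PBKDF2 hashes are assumptions made here for illustration). The client side builds the Basic header from the user name and password from the example; the server side decodes it, authenticates against the constructed user table in constant time, resolves the returned roles to their role.yaml files, selects the internal access.yaml strategy that basic authentication always uses, and assembles the session user and resource access ID used when the request is processed. A malformed header, an unknown user, or a wrong password all end in rejection rather than partial access.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the PolicyCenter user table (assumption: real
# storage differs). Passwords are kept as salted PBKDF2 hashes, never in clear.
_SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USER_TABLE = {
    "aapplegate@acme.com": {
        "password_hash": _hash_password("aPassword"),
        "roles": ["Underwriter"],
    },
}
# Compared against when the user name is unknown, so the time taken does not
# reveal whether an account exists.
_DUMMY_HASH = _hash_password("not-a-real-password")


def build_basic_auth_header(username: str, password: str) -> dict:
    """Step 1: the caller sends 'Authorization: Basic base64(user:password)'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_basic_auth_header(headers: dict):
    """Server side: recover (user, password) from the header, or None if malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; later colons belong to the password.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def authenticate(username: str, password: str):
    """Step 3: query the user table, verify the password, return the user's roles or None."""
    record = USER_TABLE.get(username)
    expected = record["password_hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password), expected)
    if record is None or not ok:
        return None
    return list(record["roles"])


@dataclass
class RequestContext:
    """What PolicyCenter knows when it processes the request (step 7)."""
    session_user: str
    endpoint_access_files: list
    resource_access_files: list
    resource_access_id: str


def process_request(headers: dict):
    """Steps 1-7 for a basic-auth request; None means the request is rejected."""
    creds = parse_basic_auth_header(headers)
    if creds is None:
        return None
    username, password = creds
    roles = authenticate(username, password)
    if roles is None:
        return None
    return RequestContext(
        session_user=username,
        # Step 4: each returned role maps to a <Role>.role.yaml file for endpoint access.
        endpoint_access_files=[f"{role}.role.yaml" for role in roles],
        # Step 5: basic auth always uses the internal access.yaml files, starting with
        # internal_ext-1.0.access.yaml (the files it references are not modelled here).
        resource_access_files=["internal_ext-1.0.access.yaml"],
        # Step 7c: the resource access ID is the session user's own user name.
        resource_access_id=username,
    )


if __name__ == "__main__":
    request_headers = build_basic_auth_header("aapplegate@acme.com", "aPassword")
    print(request_headers)
    print(process_request(request_headers))
```

The two rejection paths worth noting are the dummy-hash comparison in `authenticate`, which keeps the lookup time the same for unknown and known user names, and `validate=True` in the base64 decode, which turns a corrupted header into a clean rejection instead of a partially decoded user name.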