[OTDev] AA: who handles the authentication
Luchesar V. ILIEV luchesar.iliev at gmail.com
Thu Jun 17 18:07:43 CEST 2010
- Previous message: [OTDev] AA: the anonymous user
- Next message: [OTDev] AA: who handles the authentication
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Let's decide who will handle the authentication process:

1. The service.
OR
2. The client/user.

(1) means that an OT service will expect only a valid OpenSSO token with each request. It will be up to the user to acquire such a token: whether by direct communication with the OpenSSO server or via some client application.

(2) means that an OT service will expect username and password provided with each request. It will then try to get a valid token from OpenSSO, and if that fails, will have to report back to the user. Obviously, this relieves the client applications from the burden of authentication, but at the expense of increased service complexity. Furthermore, the services still have to be able to parse requests accompanied by a token (as opposed to username/password), because that's how cascading requests (from one service to another on behalf of a user) work.

Please keep in mind as well that whoever does the authentication must also handle log-out.

Cheers,
Luchesar