Open menzowindhouwer opened 2 years ago
I'll tag this as FAIR Distribution & Deployment as well if you don't mind, since the authentication & authorization is mostly in the realm of that one.
I assume @janpieterk may be able to say something on this / work on this?
@jblom how is this solved in the MediaSuite?
@menzowindhouwer Short answer for now: The Media Suite back-end (web server code) calls the (search, annotation, workspace) APIs on behalf of the requesting user, by passing the user's OIDC token within the HTTP header. The API then checks this token with SATOSA's userinfo endpoint.
Note: The OIDC token for each user is requested by the Media Suite right after the user was authenticated (via the "get token" endpoint in SATOSA).
so the runtime can execute queries on behalf of and with the rights of the user
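The API-side check described in the reply above, as an added sketch that is not part of the thread and is not Media Suite or SATOSA code. The URL is a placeholder and the function names are hypothetical; it assumes the token arrives as a Bearer value in the `Authorization` header and that the userinfo response carries the standard OIDC `sub` claim.

```python
import json
import urllib.error
import urllib.request

# Placeholder, not the real deployment URL (assumption).
USERINFO_URL = "https://satosa.example.org/userinfo"

def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer ...' header, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token

def fetch_userinfo(token, url=USERINFO_URL, timeout=5):
    """Present the token to the userinfo endpoint; None if the provider rejects it."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None  # token unknown, expired or revoked
        raise

def authorize(headers, userinfo=fetch_userinfo):
    """Return (http_status, subject). Any doubt about the token denies the call."""
    token = extract_bearer(headers)
    if token is None:
        return 401, None
    try:
        claims = userinfo(token)
    except Exception:
        return 503, None  # provider unreachable: fail closed, never assume valid
    if not isinstance(claims, dict) or not claims.get("sub"):
        return 401, None
    # Queries then run with this subject's rights, not the back-end's.
    return 200, claims["sub"]

# Constructed stand-in for the provider so the sketch runs offline.
CONSTRUCTED_TOKENS = {"tok-alice": {"sub": "alice"}}

def fake_userinfo(token):
    return CONSTRUCTED_TOKENS.get(token)

if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer tok-alice"}, fake_userinfo))
    print(authorize({"Authorization": "Bearer tok-stale"}, fake_userinfo))
```

Because the API asks the provider on every call, a revoked token stops working immediately, at the cost of one round trip per request and a hard dependency on the provider being reachable.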