CLARIAH / clariah-plus

This is the project planning repository for the CLARIAH-PLUS project. It groups all technical documents and discussions pertaining to CLARIAH-PLUS in a central place and should facilitate findability, transparency and project planning, for the project as a whole.

Delegation support in Satosa #65

Open menzowindhouwer opened 2 years ago

menzowindhouwer commented 2 years ago

so the runtime can execute queries on behalf and with the rights of the user

proycon commented 2 years ago

I'll tag this as FAIR Distribution & Deployment as well if you don't mind, since the authentication & authorization is mostly in the realm of that one.

proycon commented 2 years ago

I assume @janpieterk may be able to say something on this / work on this?

menzowindhouwer commented 2 years ago

Indeed @mmisworking and @janpieterk, it would be great to hear what Satosa supports to enable this. Otherwise we might fall back to the old CLARIN experiments (1, 2). @vicding-mi and I last worked on this experiment in early 2019 ... so it would need to be actualized ...

menzowindhouwer commented 2 years ago

@jblom how is this solved in the MediaSuite?

jblom commented 2 years ago

@menzowindhouwer Short answer for now: The Media Suite back-end (web server code) calls the (search, annotation, workspace) APIs on behalf of the requesting user, by passing the user's OIDC token within the HTTP header. The API then checks this token with SATOSA's userinfo endpoint.

Note: The OIDC token for each user is requested by the Media Suite right after the user was authenticated (via the "get token" endpoint in SATOSA).
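The API-side check jblom describes (the back-end relays the user's OIDC token in the HTTP header, and the API validates it against SATOSA's userinfo endpoint), written out as an added Python sketch. This is not code from the Media Suite or SATOSA; the endpoint URL, the helper names and the offline token table are assumptions made for the example.

```python
import json
import urllib.error
import urllib.request

# Assumed SATOSA OIDC userinfo endpoint; the real deployment's URL goes here.
USERINFO_URL = "https://satosa.example.org/userinfo"


def extract_bearer(auth_header):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not auth_header:
        return None
    parts = auth_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def fetch_userinfo(token, url=USERINFO_URL, timeout=5):
    """Present the relayed token to the userinfo endpoint; None if the IdP rejects it."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):  # expired, revoked or insufficiently scoped token
            return None
        raise


def authorize_request(headers, userinfo=fetch_userinfo):
    """API-side gate: the request is accepted only if the upstream IdP still
    recognises the token. Returns (http_status, claims_or_None)."""
    token = extract_bearer(headers.get("Authorization"))
    if token is None:
        return 401, None
    claims = userinfo(token)
    if not claims or "sub" not in claims:  # no identity, no access
        return 401, None
    return 200, claims


# Constructed stand-in for the userinfo endpoint so the example runs offline.
FAKE_TOKENS = {"tok-alice": {"sub": "alice@example.org", "eduPersonAffiliation": "staff"}}


def fake_userinfo(token):
    return FAKE_TOKENS.get(token)
```

Because the relayed token is a bearer credential, the API should accept it only over TLS and keep it out of request logs.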