To be able to identify users and as a foundation for possible authorization in the future, we need a mechanism that can identify the user based on a request.
mvoemel laid the foundation by preparing a JWT token authorization in the client. But in order not to be bound to a single authentication mechanism, @kryezleo and I would propose the following design:
Design proposal
A principal is an entity / actor that can be authenticated by the server and has zero or more claims, which are attributes of the principal. Examples of such attributes could be `authenticated` or `userid`. To support different principal mechanisms (JWT, basic auth), different `PrincipalProvider`s may be implemented. A principal provider is responsible for extracting/building the principal from an incoming request and for setting the principal on an outgoing request. The last class in the diagram is the `AuthenticationHandler`, which streamlines the verification of an incoming request by providing a single method called `check`. `check` accepts a request and a handler. It first extracts the principal from the request and then applies logic to decide whether the request is authenticated. If so, the `handler` method is called; otherwise a 401 is returned.
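A sketch of the proposed classes in Python, as an added example rather than code from the project: `Request` and `Response` are minimal stand-ins for the framework's own types, the user table is constructed, and only the incoming (`extract`) side of the provider is shown. The provider returns an anonymous principal for any unusable credentials, so `check` has a single place where the 401 decision is made.

```python
import base64, hmac
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Request:  # minimal stand-in for the framework's request type (assumed)
    headers: dict[str, str] = field(default_factory=dict)

@dataclass
class Response:  # minimal stand-in for the framework's response type (assumed)
    status: int
    body: str = ""
    headers: dict[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class Principal:  # an authenticated actor; claims are its attributes
    claims: dict[str, str] = field(default_factory=dict)
    def is_authenticated(self) -> bool:
        return self.claims.get("authenticated") == "true"

ANONYMOUS = Principal()  # returned whenever no usable credentials are present

class BasicAuthProvider:
    """One PrincipalProvider; a JWT provider would offer the same extract() and drop in unchanged."""
    def __init__(self, users: dict[str, str]):
        self._users = users  # constructed user table; a real service would check hashed secrets
    def extract(self, request: Request) -> Principal:
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return ANONYMOUS
        try:
            user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return ANONYMOUS
        # constant-time compare, run even for unknown users so timing does not reveal valid names
        ok = hmac.compare_digest(self._users.get(user, "").encode(), password.encode())
        if user not in self._users or not ok:
            return ANONYMOUS
        return Principal({"authenticated": "true", "userid": user})

class AuthenticationHandler:
    def __init__(self, provider: BasicAuthProvider):
        self._provider = provider
    def check(self, request: Request, handler: Callable[[Request, Principal], Response]) -> Response:
        # extract the principal, call the handler if it is authenticated, otherwise answer 401
        principal = self._provider.extract(request)
        if not principal.is_authenticated():
            return Response(401, "Unauthorized", {"WWW-Authenticate": 'Basic realm="api"'})
        return handler(request, principal)
```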