Platform Authentication

Jump to bottom Edit New page

basverweij edited this page Jul 26, 2015 · 14 revisions

The Off-Sync.com Platform provides integrated authentication for all apps exposed via the proxy.

With respect to authentication we distinguish three types of apps:

Apps without authentication (i.e. public web site);
Apps with simple authentication (i.e. web sites that requires a user to be logged in);
Apps with API authentication.

Apps with simple authentication

TODO:

authentication via session cookie
redirect to Off-Sync.com login page if not present
app must have callback handler for passing in the session id

Apps with API authentication

TODO:

authentication via app public/private key and session cookie
fine-grained authorization on commands and queries
- mapping from method+uri pattern -> command/query
- lookup of command/query permissions for logged in user + app combination

Authorizing API requests

Clients must add the X-Off-Sync-AppId and X-Off-Sync-Auth headers to API requests
The value of this header is: {{version}}.{{sessionId}}.{{timestamp}}.{{signature}}
- Version is the authentication header version (currently v1).
- Session Id is self-explanatory, can be empty for session-less requests (app-to-app).
- Timestamp is a Unix UTC timestamp in seconds.
- Signature is the Base64 encoded PSS-SHA1 signature of {{version}}.{{sessionId}}.{{timestamp}}.