Skip to content

Commit

Permalink
Add basic auth flow diagrams (#5301)
Browse files Browse the repository at this point in the history
Signed-off-by: Peter Nied <[email protected]>
  • Loading branch information
peternied authored Dec 6, 2022
1 parent 67843d9 commit 21b82c2
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions sandbox/libs/authn/docs/auth_flow.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Authentication Flow

## Authentication from incoming requests

As requests are received by an OpenSearch node they need to be authenticated. Different modes can be supported such as Http Basic, Http Bearer, Kerberos, etc... these types of authentication are provided by the request source. OpenSearch will translate these into an AuthenticationToken which can be feed into `Subject.login(token)` which will attempt to authenticate the user with the configured authentication providers.

![Authentication Flow](https://user-images.githubusercontent.com/2754967/202580793-9aab17e0-9645-4216-bcee-efddc932940a.PNG)

The subject is associated for the lifetime of the request on that node. If the request will be sent to other nodes within the cluster, the authentication information will be attached with a generated access token no matter the AuthenticationToken that was used to authenticate the user. By including expiry on these tokens the exposure of the subjects permissions are greatly limited.

![AccessToken for inter-node communication](https://user-images.githubusercontent.com/2754967/202580773-9b0ab15f-834c-45dc-9faf-48e6b832f85e.PNG)

0 comments on commit 21b82c2

Please sign in to comment.