[[section-runtime-view]]
== Runtime View

=== Login and authentication

The login and authentication process is as follows:

.StatementPublicAffairs application is called by the *portal* application; the user is already logged in.
[plantuml]
....
actor User
participant PortalFrontend
participant PortalBackend
participant StatementPublicAffairsFrontend
entity FrontendAuthService
participant StatementPublicAffairsBackend

User->PortalFrontend: Start StatementPublicAffairs(JWT)
PortalFrontend->StatementPublicAffairsFrontend: navigate to frontend-URL with JWT
StatementPublicAffairsFrontend->FrontendAuthService: Extract JWT and store token in session
... some delay ...
StatementPublicAffairsFrontend->StatementPublicAffairsBackend: Call any secured service with JWT
group Call secured service
StatementPublicAffairsBackend->PortalBackend: "/checkAut(JWT)"
PortalBackend-->StatementPublicAffairsBackend: verification result
alt Authorization succeeded
StatementPublicAffairsBackend->StatementPublicAffairsBackend: run service
StatementPublicAffairsBackend->StatementPublicAffairsFrontend: return service result
else Authorization failed
StatementPublicAffairsBackend->StatementPublicAffairsFrontend: return HTTP Code 401
end
end
....

The user authenticates via the openKONSEQUENZ Portal Application (AuthNAuth). In that SSO (single sign-on) process the portal returns a JWT (JSON Web Token) that serves as the authentication token for all other openKONSEQUENZ applications. The front-end application attaches the token to every HTTPS request it sends to the module back-end. The back-end verifies the token against the AuthNAuth module before doing anything else; any request-specific authorization that follows then uses only the roles carried in the verified token. A token that fails verification is answered with HTTP 401.

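The back-end side of this flow, as an added illustration that is not part of the openKONSEQUENZ code: `check_auth` stands in for the portal back-end's token check (assumed HS256 with a constructed demo secret), and `handle_secured_request` shows the module back-end reading roles only from the verified claims; answering a missing role with 403 is an assumption, since the diagram above only shows 401.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret standing in for whatever AuthNAuth actually uses.
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_jwt(roles, secret=DEMO_SECRET, exp_in=300):
    """Issue an HS256 JWT the way the portal would (constructed for this demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "demo-user", "roles": roles,
                                  "exp": int(time.time()) + exp_in}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def check_auth(jwt, secret=DEMO_SECRET):
    """Stand-in for the portal back-end check: verified claims, or None on any failure."""
    try:
        header, payload, sig = jwt.split(".")
        # Pin the algorithm so a token cannot pick its own verification method.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) < time.time():
            return None
        return claims
    except (ValueError, AttributeError):
        return None

def handle_secured_request(authorization_header, required_role, verifier=check_auth):
    """Module back-end: 401 if the token does not verify, 403 (assumed) if the verified
    token lacks the role, otherwise run the service and return its result."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, None
    claims = verifier(authorization_header[len("Bearer "):])
    if claims is None:
        return 401, None
    # Roles are taken from the verified claims only, never from the raw token text.
    if required_role not in claims.get("roles", []):
        return 403, None
    return 200, {"service": "result", "user": claims["sub"]}
```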