Flexible authN between API-X and repository #112

Closed
ajs6f opened this issue Apr 28, 2017 · 2 comments

ajs6f commented Apr 28, 2017

CLAW is now using JWT for authentication, and a valve for Tomcat8 named Syn that accepts JWT. In order to use API-X together with CLAW as proposed here it is necessary to account for authN in API-X's interactions with the repository.

Am I right in supposing that the appropriate points at which to deal with such authN would be here and here?

@birkland

Hi @ajs6f,

I don't think either of those need updating. As mentioned in my recent comment to the CLAW issue, API-X would need to authenticate itself when maintaining its own internal state in registries it persists in Fedora. That's an interaction solely between API-X and Fedora, and API-X needs its own credentials if it wants to write to Fedora.

As far as the other referenced places in code, those are part of the mechanism of where API-X reverse-proxies requests from the client to Fedora. API-X is just a passive party here, and will dutifully pass along any authentication headers that happen to be in the HTTP requests from the client, but otherwise doesn't care and isn't involved. So in theory, the client will provide whatever credentials it has/needs, and those will be proxied along unmodified to Fedora. Fedora then can allow or disallow the request in whatever way it sees fit.

ajs6f commented Apr 28, 2017

Okay, that's fine by me! :) I had assumed that API-X routed all interaction with the repository via the same channels for simplicity/DRYness, but all I care about is indeed the actions initiated by API-X itself.
