Sofia Papagiannaki authored
Pithos views no longer use the information stored in the PITHOS_ASTAKOS_COOKIE_NAME cookie for authenticating the user and authorizing access to the targeted resource. Instead, they acquire from the authentication server (astakos) a short-term token for accessing the specific resource.

The general flow includes the following steps:

1. The user clicks on a resource to view its content.
2. The view requests an authorization code from astakos by providing its identifier, the requested scope, and a redirection URI.
3. Astakos authenticates the user and, since the pithos view is considered a trusted client, grants the view's access request.
4. Astakos redirects the user-agent back to the view using the redirection URI provided earlier. The redirection URI includes an authorization code.
5. The view requests an access token from astakos by including the authorization code. The view also posts a pair of credentials used to authenticate itself with astakos, and the redirection URI used to obtain the authorization code, for verification.
6. Astakos authenticates the view, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client. If valid, astakos responds with a short-term access token.
7. The view exchanges the access token with astakos for the information of the user to whom the authorization was granted.
8. The view responds with the resource contents if the user has access to the specific resource.
9c7b324e
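The eight-step exchange above, written out as an added example with both sides (an authentication server standing in for astakos and a resource view standing in for a pithos view) in one process. This is not Synnefo code: `AuthServer`, `ResourceView`, `Client`, the endpoint names, the code and token lifetimes, and the ACL data are all assumptions made here to illustrate the protocol. The user-agent redirect hop is collapsed into a returned Location string, and the session cookie argument models what the browser presents to the server, not something the view reads. The negative cases (a replayed code, a redirect URI that does not match the one used to obtain the code, a wrong client secret, an expired token, an authenticated user who is not on the resource's ACL) are what the verification steps 6 and 8 are there to catch.

```python
# Added illustration of the authorization-code flow; not Synnefo/astakos code.
# Class names, endpoint shapes, lifetimes and ACL data below are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

CODE_TTL = 60     # assumed lifetime of an authorization code, in seconds
TOKEN_TTL = 300   # assumed lifetime of a short-term access token, in seconds


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str       # registered up front; the server only redirects here
    trusted: bool = True    # trusted clients are granted access without a consent prompt


class AuthServer:
    """Stand-in for the authentication server (astakos in the text)."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so tests can expire things
        self.clients, self.sessions = {}, {}
        self.codes, self.tokens = {}, {}  # code -> grant tuple, token -> (user, scope, expiry)

    def register_client(self, client):
        self.clients[client.client_id] = client

    def login(self, user):
        cookie = secrets.token_urlsafe(16)   # the user's own session with the server
        self.sessions[cookie] = user
        return cookie

    def authorize(self, session_cookie, client_id, scope, redirect_uri):
        """Steps 2-4: authenticate the user, check the client, issue a code."""
        user = self.sessions.get(session_cookie)
        client = self.clients.get(client_id)
        if user is None:
            raise PermissionError("user not authenticated")
        if client is None or client.redirect_uri != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect URI")
        if not client.trusted:
            raise PermissionError("untrusted client: explicit consent required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, scope, redirect_uri, user, self.now() + CODE_TTL)
        return f"{redirect_uri}?code={code}"   # the Location the user-agent is sent to

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: authenticate the client, validate the code, issue a token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)   # single use: consumed even if checks fail
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, scope, code_redirect, user, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or self.now() > expiry:
            raise PermissionError("code bound to another client/URI, or expired")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scope, self.now() + TOKEN_TTL)
        return token

    def user_info(self, token):
        """Step 7: exchange the token for the identity it was granted to."""
        entry = self.tokens.get(token)
        if entry is None or self.now() > entry[2]:
            raise PermissionError("invalid or expired token")
        return {"user": entry[0], "scope": entry[1]}


def code_from_location(location):
    """Pull the authorization code out of the redirect Location (step 4)."""
    return parse_qs(urlparse(location).query)["code"][0]


class ResourceView:
    """Stand-in for a resource view; it never reads the shared cookie itself."""

    def __init__(self, server, client, acl):
        self.server, self.client, self.acl = server, client, acl   # acl: resource -> users

    def serve(self, session_cookie, resource):
        """Steps 1-8 end to end; session_cookie is what the browser shows the server."""
        c = self.client
        location = self.server.authorize(session_cookie, c.client_id,
                                         f"read:{resource}", c.redirect_uri)
        code = code_from_location(location)
        token = self.server.token(c.client_id, c.client_secret, code, c.redirect_uri)
        user = self.server.user_info(token)["user"]
        if user not in self.acl.get(resource, set()):
            raise PermissionError(f"{user} may not read {resource}")
        return f"contents of {resource} for {user}"


def fails(fn, *args):
    """True if the call is rejected; used to exercise the negative cases."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Two ordering details matter for the negative cases: the token endpoint authenticates the client before it looks up the code, so a guessed secret does not burn a valid code, and it pops the code before checking the redirect URI, so a code presented with the wrong URI cannot be retried with the right one afterwards.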