Name

OpenXPKI::Server::Authentication

Description

This module is the top class of OpenXPKI's authentication framework. Every authentication method is implemented in an extra class but you only have to init this class and then you have to call login if you need an authentication. The XMl configuration and session handling is done via the servers global context.

Functions

new

is the constructor and accepts no parameters. If you call new then the complete configuration is loaded. This makes it possible to cash this object and to use login when it is required in a very fast way.

login_step

is the function which performs the authentication. Named parameters are STACK (the authentication stack to use) and MESSAGE (the message received by the service). It returns a triple (user, role, reply). The authentication is not finished until user and role are defined. Multiple calls can then be made until this state is achieved. Reply is the reply message that is to be sent to the user (i.e. a challenge, or the 'SERVICE_READY' message in case the authentication has been successful).

has_tenant_handler

Return true/false if the given role (default session role) has a tenant handler configured that needs to be used.

tenant_handler

Return the handler class that provides the filters and access restrictions for multi-tenant setups. Handlers are bound to a role, if you dont pass the role as parameter the value from the current session is used.

Configuration for tenant handlers is done in auth.roles:

    RA Operator:
        label: RA Operator
        # will load OpenXPKI::Server::AccessControl::Tenant::Base
        tenant:
            type: Base
    Local Registrar:
        label: Local Staff
        # will load OpenXPKI::Custom::TenantRules with "foo => bar"
        # passed to the constructor
        tenant:
            class: OpenXPKI::Custom::TenantRules
            foo: bar