The authentication is based on http://passportjs.com. The current document describes how the system have to be configured to use the different authentication strategies provided by the platform.
{
...
"auth": {
"strategies": ["local", "mongo", "bearer", "mongo-ldap"],
"apiStrategies": ["basic-mongo", "basic-mongo-ldap", "bearer"]
}
}
The strategies
array contains the authentication strategies to be loaded by the application.
The application will go through all the authentication strategies until a valid
one is found for the current HTTP request.
Possible values are:
- local: Local configuration is defined in
./config/users.json
file. - mongo: Uses the User collection in mongodb.
- mongo-ldap: Connect to a LDAP server defined in the global configuration parameter (cf configuration for more details)
- The application will auto provision users on their first login.
- The current strategy allows to authenticate the user on a LDAP instance and to create a user instance on the storage layer (MongoDB).
- The LDAP connection settings are available per domain: A domain manager may be able to add multiple LDAP connection settings in its domain.
- The passport strategy will look at all the available LDAP settings and will try to authenticate the user based on its credentials using the LDAP authentication mechanisms.
The apiStrategies
array contains the authentication strategies to be loaded in order to authenticate direct requests to REST APIs (requests made by the application during a user session reuses that session's authentication).
The application will go through all the authentication strategies until a valid
one is found for the current HTTP request.
Possible values are:
- basic-mongo: HTTP Basic authentication using the User collection in mongodb.
- basic-mongo-ldap: HTTP Basic authentication using the same authentication strategy as the
mongo-ldap
above - bearer: OAuth2 authentication mechanism (cf REST API for more details)
OpenPaaS supports single sign-on, see single-sign-on.md for more details.