iDDS currently supports both x509_proxy and OIDC based authorization.
x509_proxy based authorization is the default authorization method for iDDS. It is implemented mainly on top of mod_ssl and mod_gridsite.
The iDDS OIDC authorization is based on the IAM service. Here are the steps for token initialization:
- Get sign URL: get a sign URL with a device code for users to approve.
- The user goes to the IAM service and approves the token request with the sign URL.
- Get the token with the device code.
- The iDDS OIDC authorization service also includes services such as token refresh, token clean, token information checks and so on.
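The three token initialization steps above, shown as an added example that is not iDDS code. It assumes the IAM device-code flow follows the OAuth 2.0 device authorization grant (RFC 8628); the `/devicecode` and `/token` paths, the `post` transport callable and `FakeIAM` are hypothetical, and the IAM replies are constructed so the example runs offline.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628


def get_sign_url(post, client_id, scope="openid"):
    """Step 1: ask the IAM for a device code and the URL the user must approve."""
    resp = post("/devicecode", {"client_id": client_id, "scope": scope})
    # Hypothetical path. Prefer the URL with the user code embedded, if returned.
    sign_url = resp.get("verification_uri_complete") or resp["verification_uri"]
    return sign_url, resp


def get_token(post, client_id, device, sleep=time.sleep, now=time.monotonic):
    """Step 3: poll the token endpoint until the user approves or the code expires."""
    interval = device.get("interval", 5)
    deadline = now() + device["expires_in"]
    while now() < deadline:
        resp = post("/token", {"grant_type": DEVICE_GRANT,
                               "device_code": device["device_code"],
                               "client_id": client_id})
        error = resp.get("error")
        if error is None:
            return resp                      # holds the access token
        if error == "slow_down":
            interval += 5                    # back off as RFC 8628 requires
        elif error != "authorization_pending":
            raise PermissionError(error)     # access_denied, expired_token, ...
        sleep(interval)
    raise TimeoutError("device code expired before approval")


class FakeIAM:
    """Constructed stand-in for the IAM: the user 'approves' before the third poll."""
    def __init__(self):
        self.polls = 0

    def post(self, path, form):
        if path == "/devicecode":
            return {"device_code": "dev-123", "user_code": "ABCD-EFGH",
                    "verification_uri": "https://iam.example/device",
                    "verification_uri_complete":
                        "https://iam.example/device?user_code=ABCD-EFGH",
                    "expires_in": 600, "interval": 5}
        self.polls += 1
        if form["device_code"] != "dev-123" or form["grant_type"] != DEVICE_GRANT:
            return {"error": "invalid_grant"}
        replies = [{"error": "authorization_pending"}, {"error": "slow_down"}]
        return replies[self.polls - 1] if self.polls <= 2 else {"access_token": "constructed.jwt"}
```

A client that ignores `slow_down` or treats `access_denied` as retryable keeps polling the IAM after the user has refused, so both cases end the wait differently here.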
For normal iDDS requests, here are the steps by which iDDS authorizes a user:
- The user initializes a normal request.
- iDDS automatically finds the token and loads it into the headers of the HTTP request.
- The request is sent to the iDDS REST server.
- The iDDS server parses the token and verifies it against the IAM server. Verified users will be authorized.