Overview
The security mechanisms of the Warp 10 platform are based on the use of cryptographic tokens. Those tokens are unrelated to any notion of user or group.
When deploying Warp 10 in an existing IT environment, there may be a need to use authentication systems already in place. To enable this, version 2.0 of Warp 10 added the notion of Authentication Plugins. An authentication plugin provides a way to convert an authentication string into a read or write token that Warp 10 can understand.
Implementation
Technically an authentication plugin is a Java class implementing the interface io.warp10.continuum.AuthenticationPlugin which has two methods, extractReadToken and extractWriteToken.
extractReadToken
This method analyzes its parameter string and determines if it is a valid read token for the authentication scheme the plugin supports. If so, it generates an internal Warp 10 Read Token and returns it. If the read token is of the supported scheme but invalid, the method should throw a WarpScriptException. Lastly, if the token is not of a type supported by the authentication plugin, the method must return null.
extractWriteToken
This method behaves in a way similar to extractReadToken, except that it generates a Warp 10 Write Token if its parameter string is valid for the authentication scheme of the plugin. If the token is of an unsupported type, the method must return null. If the parameter is of a supported scheme but the token is invalid, a WarpScriptException should be thrown.
Example
The AuthExampleWarp10Plugin skeleton class gives you a base for your own Authentication Plugin.
The Macaroons Authentication Plugin by Clever Cloud is also a good starting point.
Registering an authentication plugin
An Authentication Plugin is a regular Warp 10 Plugin and as such is registered by adding a line of the form
warp10.plugin.myauth = my.package.AuthPluginClass
to the Warp 10 configuration file.
The extract... methods of Authentication Plugins are called in order of the plugin registration (determined by the lexicographical order of the warp10.plugin.xxx configuration keys). The call chain stops when a valid Warp 10 Token is returned.
If no Authentication Plugin returned a valid Warp 10 Token, the standard token extraction mechanisms are used.
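The three outcomes of extractReadToken and the call order described above, modelled as an added example that is not Warp 10's own code. AuthPlugin, AuthException and the String tokens are stand-ins for io.warp10.continuum.AuthenticationPlugin, WarpScriptException and the real token objects; the demo: scheme, the plugin key names, and the assumption that a thrown exception ends the chain are illustrative.

```java
import java.util.*;

// Model of the extractReadToken call chain. All types are stand-ins so the file
// compiles alone: AuthPlugin mirrors io.warp10.continuum.AuthenticationPlugin,
// String replaces the Read Token object, AuthException replaces WarpScriptException.
public class AuthChainDemo {
  static class AuthException extends Exception {
    AuthException(String msg) { super(msg); }
  }

  interface AuthPlugin {
    String extractReadToken(String token) throws AuthException;
  }

  // Hypothetical scheme: strings prefixed with "demo:", with one constructed valid value.
  static final AuthPlugin DEMO = token -> {
    if (!token.startsWith("demo:")) return null;          // not our scheme: pass along
    if (!"demo:alice".equals(token)) throw new AuthException("invalid demo token");
    return "READ_TOKEN(owner=alice)";                     // valid: internal read token
  };

  // Hypothetical second plugin that never recognises its input.
  static final AuthPlugin OTHER = token -> null;

  // Plugins run in lexicographical order of their configuration keys; first non-null wins.
  static String resolve(SortedMap<String, AuthPlugin> plugins, String token) throws AuthException {
    for (Map.Entry<String, AuthPlugin> e : plugins.entrySet()) {
      String rt = e.getValue().extractReadToken(token);   // exception aborts the chain (assumed)
      if (rt != null) return rt + " via " + e.getKey();
    }
    return "STANDARD(" + token + ")";                     // standard token extraction fallback
  }

  public static void main(String[] args) {
    SortedMap<String, AuthPlugin> plugins = new TreeMap<>();
    plugins.put("warp10.plugin.zauth", DEMO);             // added first, but sorted last
    plugins.put("warp10.plugin.aauth", OTHER);
    for (String t : new String[] {"demo:alice", "demo:mallory", "opaque-native-token"}) {
      try {
        System.out.println(t + " -> " + resolve(plugins, t));
      } catch (AuthException ex) {
        System.out.println(t + " -> rejected: " + ex.getMessage());
      }
    }
  }
}
```

In this model, a plugin that returned null for demo:mallory would hand the string to the remaining plugins and the standard extraction instead of rejecting it, which is the practical difference between the null and exception outcomes.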