Overview

The security mechanisms of the Warp 10 platform are based on the use of cryptographic tokens. Those tokens are unrelated to any notion of user or group.

When deploying Warp 10 in an existing IT environment, there may be a need to use authentication systems already in place. To enable this, version 2.0 of Warp 10 added the notion of Authentication Plugins. An authentication plugin provides a way to convert an authentication string into a read or write token that Warp 10 can understand.

Implementation

Technically, an authentication plugin is a Java class implementing the interface io.warp10.continuum.AuthenticationPlugin, which has two methods, extractReadToken and extractWriteToken.

extractReadToken

This method analyzes its parameter string and determines whether it is a valid read token for the authentication scheme the plugin supports. If so, it generates an internal Warp 10 Read Token and returns it. If the read token is of the supported scheme but invalid, the method should throw a WarpScriptException. Lastly, if the token is not of a type supported by the authentication plugin, the method must return null.

extractWriteToken

This method behaves like extractReadToken, except that it generates a Warp 10 Write Token if its parameter string is valid for the authentication scheme of the plugin. If the token is of an unsupported type, the method must return null. If the parameter is of a supported scheme but the token is invalid, a WarpScriptException should be thrown.

Example

The AuthExampleWarp10Plugin skeleton class gives you a base for your own Authentication Plugin.

The Macaroons Authentication Plugin by Clever Cloud is also a good starting point.

Registering an authentication plugin

An Authentication Plugin is a regular Warp 10 Plugin and as such is registered by adding a line of the form

warp10.plugin.myauth = my.package.AuthPluginClass

to the Warp 10 configuration file.

The extract... methods of Authentication Plugins are called in order of the plugin registration (determined by the lexicographical order of the warp10.plugin.xxx configuration keys). The call chain stops when a valid Warp 10 Token is returned.

If no Authentication Plugin returned a valid Warp 10 Token, the standard token extraction mechanisms are used.
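
The three outcomes of an extract... method and the registration-order call chain can be modeled in plain Java (17+). This is an added example, not code from Warp 10: the Extractor interface, the sso and badge schemes, their keys and the string placeholder tokens are all hypothetical stand-ins. It also assumes that an exception thrown by a plugin aborts the lookup, which the text above does not spell out.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AuthChainDemo {
  // Hypothetical stand-in (not a Warp 10 class) for one extract... method:
  // it returns a token, returns null, or throws.
  interface Extractor { String extract(String auth) throws Exception; }

  static String hmacHex(String key, String subject) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(key.getBytes(UTF_8), "HmacSHA256"));
    return HexFormat.of().formatHex(mac.doFinal(subject.getBytes(UTF_8)));
  }

  // Constructed scheme "<prefix>:<subject>:<hex HMAC-SHA256 of subject>".
  static Extractor scheme(String prefix, String key) {
    return auth -> {
      if (!auth.startsWith(prefix + ":")) return null;        // other scheme: chain continues
      String[] p = auth.split(":", 3);
      boolean ok = p.length == 3 && MessageDigest.isEqual(    // constant-time comparison
          hmacHex(key, p[1]).getBytes(UTF_8), p[2].getBytes(UTF_8));
      if (!ok) throw new Exception("invalid " + prefix + " token"); // our scheme, bad proof
      return "READ[" + p[1] + "]";                            // placeholder for a read token
    };
  }

  // Walks plugins in lexicographic key order; the first non-null result wins.
  static String resolve(SortedMap<String, Extractor> plugins, String auth) throws Exception {
    for (Map.Entry<String, Extractor> e : plugins.entrySet()) {
      String token = e.getValue().extract(auth);
      if (token != null) return token + " via " + e.getKey();
    }
    return "standard token extraction";                       // no plugin claimed the string
  }

  public static void main(String[] args) throws Exception {
    SortedMap<String, Extractor> plugins = new TreeMap<>();   // keys sort lexicographically
    plugins.put("warp10.plugin.sso", scheme("sso", "constructed-key-1"));
    plugins.put("warp10.plugin.badge", scheme("badge", "constructed-key-2"));
    System.out.println(resolve(plugins, "sso:alice:" + hmacHex("constructed-key-1", "alice")));
    System.out.println(resolve(plugins, "opaque-native-token"));
    try {
      resolve(plugins, "badge:bob:00ff");                     // right scheme, wrong MAC
    } catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

A plugin that throws instead of returning null for strings outside its scheme would, under the same assumption, keep later plugins and the standard token extraction from ever seeing them.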