This chapter describes the data flow for authorization and authentication in the UX-Framework. For authorization, the mechanisms provided by SDNC (SDNC-485) of the Application Authorization Framework Project are used.

For authentication, the ODL-AAA bundle is used. Please see https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html#



@startuml
' Format
skinparam backgroundColor #fefefe
'skinparam handwritten true
skinparam roundcorner 15
skinparam databaseBorderColor #666666
skinparam databaseBackgroundColor #fefefe
skinparam databaseFontColor #666666
skinparam sequence {
    MessageAlign center
    ArrowColor #666666
    ArrowFontColor #666666
    ActorBorderColor #666666
    LifeLineBorderColor #666666
    LifeLineBackgroundColor #eeeeee
    
    ParticipantBorderColor #666666
    ParticipantBackgroundColor #ffffdd
    'ParticipantFontName Impact
    'ParticipantFontSize 17
    ParticipantFontColor #666666
    
    ActorBackgroundColor #ffffdd
    'ActorFontColor DeepSkyBlue
    'ActorFontSize 17
    'ActorFontName Aapex
}
title
  User Authentication and Authorization
end title
' Diagram
actor User
participant WebClient order 10
box " \nKaraf OpenDaylight SDN-R" #F7AA5A
  participant Jetty order 20
  participant AAFShiroRealm order 30
  participant CADIfilter order 40
end box
database Log order 50
participant AAF order 60
autonumber
group authentication
  User -> WebClient: uri:/odlux/index.html
  activate WebClient
  WebClient -> Jetty: Any request without token  
  activate Jetty
  Jetty  -> WebClient: Login view
  deactivate Jetty
  User -> WebClient: Provide credentials
  WebClient -> Jetty: uri:/oauth2/token\nuser:password
  activate Jetty
  Jetty -> AAFShiroRealm
  
  activate AAFShiroRealm
  AAFShiroRealm -> AAF: authenticate
  activate AAF
  AAF -> AAFShiroRealm: authenticated:true|false
  deactivate AAF
  
  AAFShiroRealm -> Jetty
  deactivate AAFShiroRealm
  Jetty -> Log: Create log entry
  Jetty -> WebClient: 200 Ok:token |\n401 Unauthorized
  deactivate Jetty
end
group http request
  User -> WebClient: Request some data
  WebClient -> Jetty: URI and token
  
  activate Jetty
  Jetty -> CADIfilter: verify token
  deactivate Jetty
  
  activate AAF
  activate CADIfilter
  CADIfilter -> AAF: check access rights \nfor user and uri
  note right : To be checked: \nuser or group!
  deactivate CADIfilter
  
  AAF -> CADIfilter: true|false
  deactivate AAF
  
  activate CADIfilter
  CADIfilter -> Jetty: true|false
  deactivate CADIfilter
  
  activate Jetty
  Jetty -> WebClient: URI-response(200 Ok | \n401 Unauthorized)
  deactivate Jetty
end
deactivate WebClient
  
@enduml


Example

Token request:

curl -d 'grant_type=password&username=admin&password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U&scope=sdn' http://localhost:8181/oauth2/token

Token response:

{"access_token":"34e8340a-0d2f-3bc0-90eb-369a636dd6f2","token_type":"Bearer","expires_in":36000}


Default request:

curl -v -H "Authorization: Bearer 34e8340a-0d2f-3bc0-90eb-369a636dd6f2" http://localhost:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf
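The two exchanges in the diagram and the curl calls above, as an added Python model (not code from ODLUX, ODL-AAA or AAF): token issuance on /oauth2/token with the password grant, and the bearer-token check a filter performs on every later request. The credential table, the in-memory token store and the injectable clock are assumptions; in the real deployment both steps are delegated to AAF.

```python
import secrets
import time
from urllib.parse import parse_qs

TOKEN_LIFETIME = 36000  # seconds, matching expires_in in the token response above


class TokenIssuer:
    """Stands in for Jetty + AAFShiroRealm: checks the password grant, hands out tokens."""

    def __init__(self, credentials, now=time.time):
        self.credentials = credentials  # constructed user -> password table (assumption)
        self.now = now                  # injectable clock so expiry can be tested
        self.tokens = {}                # access_token -> (username, expiry timestamp)

    def token_endpoint(self, body):
        """Handle POST /oauth2/token with a form-encoded body; returns (status, json)."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}
        user = form.get("username", "")
        expected = self.credentials.get(user)
        # compare_digest avoids a timing side channel; unknown users fail the same way
        if expected is None or not secrets.compare_digest(
                expected.encode(), form.get("password", "").encode()):
            return 401, {"error": "invalid_grant"}
        token = secrets.token_hex(16)  # opaque random token, carries no user data
        self.tokens[token] = (user, self.now() + TOKEN_LIFETIME)
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_LIFETIME}


def bearer_filter(issuer, headers):
    """Stands in for CADIfilter: validate the Authorization header, return (status, user)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None
    entry = issuer.tokens.get(token)
    if entry is None or entry[1] <= issuer.now():
        return 401, None  # unknown, forged or expired token
    return 200, entry[0]


if __name__ == "__main__":
    issuer = TokenIssuer({"admin": "example-password"})
    status, body = issuer.token_endpoint(
        "grant_type=password&username=admin&password=example-password&scope=sdn")
    print(status, body)
    print(bearer_filter(issuer, {"Authorization": "Bearer " + body["access_token"]}))
```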


Please find more info:

https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html#

Related Jiras:

SDNC-584, SDNC-648