
Authentication

Authentication Flow Explanation

The authentication system supports multiple methods: direct credential login (username/password), OAuth, SAML, and, potentially, Single Sign-On (SSO) inferred from an existing session.

[Diagram: authentication flow]

Authentication Breakdown

  1. Main Entry Point: The process starts with the login(credentials?) function in src/authentification/core.ts.
  2. Credential Login: If credentials are provided, it calls getJWToken to authenticate against the /security.webtoken endpoint, stores the returned csrfToken in session storage, and treats the user as authenticated.
  3. Automatic Flow (No Credentials):
    • It first tries to get a csrfToken via getCsrfToken (calling /challenge).
    • Failure: If no token is found (no active session), it checks configuration for autoOAuthProvider or autoSAMLProvider.
      • If configured, it calls tryOAuthAuthentication or trySAMLAuthentication, which get redirect URLs from /security.oauth or /security.saml respectively, and redirect the user to the corresponding provider.
      • If not configured, it prepares for UI-driven login.
    • Success: If a token is found, the user is considered authenticated (existing session).
  4. SSO Check: If neither credential login nor an auto-redirect has taken place, the system may call fetchPrincipal to fetch the current user's principal information and confirm an existing SSO session, provided no other method has already confirmed authentication.
  5. Existing Token Check: It checks sessionStorage and localStorage for an existing token via getToken().
  6. Logout: logout clears tokens from storage and calls deleteWebTokenCookie if applicable.
  7. State Notification: An authenticated custom browser event is dispatched (emitAuthenticatedEvent) to signal login status changes.
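The following TypeScript is an added example, not the project's own code from src/authentification/core.ts: it models the decision order of steps 2, 3, 5 and 6 (credentials first, then the /challenge probe, then a configured auto provider, then the UI fallback) against an injectable backend so the branches can be exercised offline. The endpoint paths are those named above; the synchronous Backend and TokenStore interfaces, the `{ provider }` request body and the storage lookup order are assumptions made for this example.

```typescript
// Added example (not the project's own code). Endpoint paths come from the page;
// the synchronous Backend/TokenStore interfaces and { provider } body are assumptions.
type Credentials = { username: string; password: string };
type AuthConfig = { autoOAuthProvider?: string; autoSAMLProvider?: string };
type Outcome =
  | { state: 'authenticated'; via: 'credentials' | 'session' }
  | { state: 'redirect'; to: string }
  | { state: 'ui-login' };
// Backend stands in for the HTTP layer (a real client would be async).
interface Backend {
  post(path: string, body?: unknown): { ok: boolean; json: any };
  get(path: string): { ok: boolean; json: any };
}
// Two storage areas, mirroring sessionStorage and localStorage.
interface TokenStore { session: Map<string, string>; local: Map<string, string> }

function login(api: Backend, store: TokenStore, config: AuthConfig, credentials?: Credentials): Outcome {
  // Step 2: credential login exchanges username/password at /security.webtoken.
  if (credentials) {
    const res = api.post('/security.webtoken', credentials);
    if (!res.ok || typeof res.json?.csrfToken !== 'string') throw new Error('credential login failed');
    store.session.set('csrfToken', res.json.csrfToken);
    return { state: 'authenticated', via: 'credentials' };
  }
  // Step 3: /challenge yields a token only when a session already exists.
  const challenge = api.get('/challenge');
  if (challenge.ok && typeof challenge.json?.csrfToken === 'string') {
    store.session.set('csrfToken', challenge.json.csrfToken);
    return { state: 'authenticated', via: 'session' };
  }
  // No session: redirect to a configured auto provider (OAuth checked before SAML).
  if (config.autoOAuthProvider) {
    return { state: 'redirect', to: api.post('/security.oauth', { provider: config.autoOAuthProvider }).json.redirectUrl };
  }
  if (config.autoSAMLProvider) {
    return { state: 'redirect', to: api.post('/security.saml', { provider: config.autoSAMLProvider }).json.redirectUrl };
  }
  return { state: 'ui-login' }; // nothing configured: fall back to the UI login form
}

// Step 5: look for an existing token (sessionStorage first, then localStorage; order assumed).
function getToken(store: TokenStore): string | null {
  return store.session.get('csrfToken') ?? store.local.get('csrfToken') ?? null;
}

// Step 6: logout clears both storage areas and, if supplied, the web-token cookie hook.
function logout(store: TokenStore, deleteWebTokenCookie?: () => void): void {
  store.session.delete('csrfToken');
  store.local.delete('csrfToken');
  deleteWebTokenCookie?.();
}
```

A failed credential exchange throws rather than leaving a stale token in storage, and an existing session found via /challenge takes precedence over any configured auto-redirect provider.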

[Diagram: authentication process]