Re: [higgins-dev] AuthN for an open context

Jim,

If I understand the scenario below, your middle-tier service is the Context Provider. In that case, each user authenticates with the Context Provider (via open), and the Provider then does whatever it needs to get to the LDAP data (which might mean passing the user's credentials to the LDAP directory). If this is correct, then I agree with Raj -- as far as the IdAS API is concerned, each user opens the Context; the Context Provider implementation is free to use some sort of long-lived connection with re-auth if it can, but it's under the covers as far as the IdAS user is concerned. But perhaps you mean that the middle-tier service is the one making requests to IdAS? In that case, the Context could be implemented so that multiple Contexts could share an existing long-lived back-end connection, and each could present its user's credentials (assuming one Context object is created for each open) as needed.

...Greg



To clarify the requirement, it's like this: A (middle-tier) service is being consumed by a number of users. As each user performs some action, the service must (ultimately) perform an LDAP bind operation as that user, then read that user's attributes (this should be done using a long-lived LDAP connection). That user's identity is the only one with permissions to read the required attributes. We want to do this with Higgins. You're right, this may not be the most common use-case, but it is one we have. Other use-cases requiring the functionality include things like switching between superuser and anon on the same connection.
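To make the "under the covers" arrangement from the reply above concrete, here is an added sketch (not Higgins or IdAS code; the directory, connection class and DNs are constructed stand-ins): each open() yields its own Context, and every Context re-binds as its user on one shared long-lived connection, serialised by a lock and reset to anonymous afterwards so that no request is ever served under another user's bind.

```python
import threading

# Constructed sample directory: DN -> (password, attributes). Not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", {"mail": "alice@example.com"}),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", {"mail": "bob@example.com"}),
}

class LongLivedConnection:
    """Stand-in for a persistent LDAP connection; its bound identity changes on each bind."""
    def __init__(self):
        self.bound_dn = None           # None means anonymous
        self.lock = threading.Lock()   # bind state is per-connection, so users must be serialised

    def bind(self, dn, password):
        if dn is None:                 # rebind as anonymous
            self.bound_dn = None
            return
        if dn not in DIRECTORY or DIRECTORY[dn][0] != password:
            raise PermissionError("invalid credentials for %s" % dn)
        self.bound_dn = dn

    def read_attributes(self, dn):
        # Only the entry's own identity may read its attributes (the ACL model from the thread).
        if self.bound_dn != dn:
            raise PermissionError("bound as %r, cannot read %s" % (self.bound_dn, dn))
        return dict(DIRECTORY[dn][1])

class Context:
    """One Context per open(); re-binds as its user for each operation, then drops to anon."""
    def __init__(self, conn, dn, password):
        self.conn, self.dn, self.password = conn, dn, password

    def get_attributes(self):
        with self.conn.lock:           # hold the connection across the whole bind + read
            self.conn.bind(self.dn, self.password)
            try:
                return self.conn.read_attributes(self.dn)
            finally:
                self.conn.bind(None, None)   # never leave a user's bind on the shared connection

class ContextProvider:
    """The middle tier's provider: authenticates at open() and hands out per-user Contexts."""
    def __init__(self):
        self.conn = LongLivedConnection()

    def open(self, dn, password):
        with self.conn.lock:
            self.conn.bind(dn, password)     # fails here if the credentials are wrong
            self.conn.bind(None, None)
        return Context(self.conn, dn, password)
```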
