Version 2, last updated by tzangerl at June 23, 2010 UTC

Some extra features had to be implemented to support authentication via authorized OAuth access:

  • Confusa’s own OAuth endpoint uses ConfusaAuth_IdP to authenticate the user. Thus, the same reauth and other constraints as elsewhere in Confusa apply.
  • ConfusaAuth_IdP inserts an extra attribute, IdP, into the set of attributes.
  • From that, Confusa’s OAuth authorize endpoint can determine the NREN and its reauth-period.
  • Using Confusa’s own OAuth_DataStore, the authorization endpoint can insert the authorized data (the attributes) with an access token lifetime corresponding to the NREN’s reauth-period.
  • The reauth-period is inserted as its own data entry into the OAuth_DataStore_Confusa record.
  • Upon authenticating access to a RESTful resource, Confusa checks that the special reauth-period attribute is stored along with the other attributes in the data store, so that the validity of the access token is time-limited.

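The steps above, written out as a small runnable model (an added example, not Confusa's PHP code). The data store, the IdP-to-NREN table, the reauth-period values and the attribute name `confusa_reauth_period` are all constructed for illustration; only the flow itself (authenticate, record the IdP attribute, derive the NREN's reauth-period, store it beside the attributes, and refuse resource access once the token outlives that period or the attribute is missing) follows the page.

```python
"""Model of Confusa-style OAuth access tokens whose lifetime follows the
NREN's reauth-period.  Added illustration; names and values are constructed."""
import secrets
from dataclasses import dataclass, field

# Constructed table: which NREN operates which IdP (hypothetical values).
IDP_TO_NREN = {
    "idp.example-a.org": "example-nren-a",
    "idp.example-b.org": "example-nren-b",
}

# Constructed table of per-NREN reauth-periods in seconds (hypothetical values).
NREN_REAUTH_PERIODS = {
    "example-nren-a": 3600,
    "example-nren-b": 8 * 3600,
}

# Hypothetical name of the data entry holding the reauth-period next to the
# user's other attributes in the data store record.
REAUTH_ATTR = "confusa_reauth_period"


@dataclass
class OAuthDataStore:
    """In-memory stand-in for OAuth_DataStore_Confusa: access token ->
    authorized attribute set plus the time the token was issued."""
    tokens: dict = field(default_factory=dict)

    def store_access_token(self, attributes, now):
        token = secrets.token_hex(16)
        self.tokens[token] = {"attributes": dict(attributes), "issued": now}
        return token

    def lookup(self, token):
        return self.tokens.get(token)


def authorize(datastore, attributes, now):
    """Authorize endpoint: requires the IdP attribute inserted by the
    authentication layer, derives the NREN's reauth-period from it, and stores
    the attributes together with the reauth-period as its own data entry."""
    idp = attributes.get("IdP")
    if idp is None:
        raise ValueError("authentication did not supply the IdP attribute")
    nren = IDP_TO_NREN.get(idp)
    if nren is None or nren not in NREN_REAUTH_PERIODS:
        raise ValueError(f"no reauth-period configured for IdP {idp!r}")
    stored = dict(attributes)
    stored[REAUTH_ATTR] = NREN_REAUTH_PERIODS[nren]
    return datastore.store_access_token(stored, now)


def check_resource_access(datastore, token, now):
    """RESTful resource check: return the authorized attributes, or None if the
    token is unknown, carries no reauth-period entry, or has exceeded it."""
    entry = datastore.lookup(token)
    if entry is None:
        return None
    attributes = entry["attributes"]
    period = attributes.get(REAUTH_ATTR)
    # A record without the reauth-period entry would be valid forever; refuse it.
    if not isinstance(period, int) or period <= 0:
        return None
    if now - entry["issued"] >= period:
        return None
    return {k: v for k, v in attributes.items() if k != REAUTH_ATTR}


if __name__ == "__main__":
    ds = OAuthDataStore()
    attrs = {"IdP": "idp.example-a.org", "eduPersonPrincipalName": "alice@example-a.org"}
    tok = authorize(ds, attrs, now=1_000_000)
    print("fresh token:", check_resource_access(ds, tok, now=1_000_000 + 60))
    print("after reauth-period:", check_resource_access(ds, tok, now=1_000_000 + 3600))
```

The check deliberately treats a record that lacks the reauth-period entry as invalid rather than as unlimited; that is the property the last bullet describes.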
The image below illustrates the process:

OAuth flow