Details
Improvement
Status: Open
Major
Resolution: Unresolved
Description
Certain Realm implementations have access to a user's authorization information at login, but cannot access authorization info at a later point in time. For example, when authenticating to an external system, such as LDAP, the user's credentials are required to access the LDAP repository. Since Ki (rightly) does not hold onto the user's credentials after authentication, the only time that their authorization info can be obtained is at login.
This doesn't currently work well with Ki because Ki treats authentication and authorization as two separate steps, and does not allow the authorization info to be obtained at the time of login - nor does it allow the authorization info to be cached throughout the lifetime of a session.
Ki should add support for obtaining authorization info during the authentication process and caching it for the lifetime of a user's session.
For more information, see the following email thread that generated this issue:
http://markmail.org/thread/hw235pals5jmclgu
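
The behaviour requested above, sketched as an added example in plain Java; it is not Ki code and uses no Ki API. `ExternalDirectory`, `LoginTimeAuthzExample` and the in-memory session map are hypothetical stand-ins for an LDAP-style store and a session manager.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Added illustration; none of these types are Ki classes.
public class LoginTimeAuthzExample {
    /** Hypothetical external store (e.g. LDAP) that can only be read with the user's own credentials. */
    interface ExternalDirectory {
        Set<String> bindAndFetchRoles(String username, char[] password); // throws SecurityException on a failed bind
    }
    private final ExternalDirectory directory;
    // sessionId -> roles captured at login; an entry lives only as long as its session.
    private final Map<String, Set<String>> rolesBySession = new ConcurrentHashMap<>();

    LoginTimeAuthzExample(ExternalDirectory directory) { this.directory = directory; }

    /** Authenticates and captures authorization info in the same step. */
    String login(String username, char[] password) {
        try {
            Set<String> roles = directory.bindAndFetchRoles(username, password);
            String sessionId = UUID.randomUUID().toString();
            rolesBySession.put(sessionId, Set.copyOf(roles)); // immutable snapshot
            return sessionId;
        } finally {
            Arrays.fill(password, '\0'); // credentials are not retained after login
        }
    }

    /** Later checks use only the cached info; unknown or ended sessions are denied. */
    boolean hasRole(String sessionId, String role) {
        return sessionId != null && rolesBySession.getOrDefault(sessionId, Set.of()).contains(role);
    }

    /** The cached authorization info is dropped when the session ends. */
    void logout(String sessionId) { rolesBySession.remove(sessionId); }

    public static void main(String[] args) {
        // Constructed sample directory: accepts one user and returns fixed roles.
        ExternalDirectory dir = (user, pw) -> {
            if (!user.equals("alice") || !Arrays.equals(pw, "s3cret".toCharArray())) throw new SecurityException("bind failed");
            return Set.of("admin", "user");
        };
        LoginTimeAuthzExample realm = new LoginTimeAuthzExample(dir);
        char[] pw = "s3cret".toCharArray();
        String session = realm.login("alice", pw);
        System.out.println("admin after login:  " + realm.hasRole(session, "admin"));
        System.out.println("password wiped:     " + (pw[0] == '\0'));
        realm.logout(session);
        System.out.println("admin after logout: " + realm.hasRole(session, "admin"));
    }
}
```

Because the roles are a snapshot taken at login, a change made in the external directory is not seen until the user's next login.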