Ask @puiterwijk, but we currently use cert authentication to authenticate users' requests to rida.
Rida then queries FAS directly to figure out if the user is in the packager group or not.
@puiterwijk has a new scheme of API keys that should allow us to 1) get rid of certs and 2) get rid of the query to FAS with an API key system he is setting up.
For this ticket, we should ping puiterwijk directly and figure out the appropriate code and configuration changes.
@puiterwijk says that this is standard OpenID Connect (OIDC) (which is an opinionated version of OAuth2).
We should look at "token introspection" for starters.
Just confirmed by asking @puiterwijk. We should still look at token introspection for OIDC to implement this.
@jkaluza changed the status to Closed
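As an added example (not code from this ticket or from the project), here is the service side of OAuth 2.0 token introspection (RFC 7662), the mechanism the comments above point to: the service posts the bearer token to the identity provider and fails closed unless the reply is explicitly active, unexpired and carries the needed scope. The endpoint URL, scope name, client credentials and sample responses are constructed; the ticket does not say how packager membership would be conveyed, so a scope is assumed.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical values: the ticket names no endpoint, client or scope.
INTROSPECTION_URL = "https://idp.example.org/introspect"
REQUIRED_SCOPE = "https://example.org/scopes/submit-build"
# Constructed sample introspection responses (not captured from any real provider).
SAMPLE_ACTIVE = ('{"active": true, "username": "packager1", "exp": 1700003600, '
                 '"scope": "openid https://example.org/scopes/submit-build"}')
SAMPLE_REVOKED = '{"active": false}'


def build_introspection_request(token, client_id, client_secret):
    """RFC 7662 section 2.1: form-encoded POST, authenticated as the service itself."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        INTROSPECTION_URL,
        data=body.encode(),
        method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def authorize(raw_response, required_scope=REQUIRED_SCOPE, now=None):
    """Return the username if the token is usable for this service, else None."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(raw_response)
    except (TypeError, ValueError):
        return None  # fail closed on an unparseable reply
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None  # "active" is the only required member; anything but true denies
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return None  # expired, or an "exp" that is not a number
    scopes = claims.get("scope", "")
    if not isinstance(scopes, str) or required_scope not in scopes.split(" "):
        return None  # scope is a space-separated string; require an exact match
    return claims.get("username") or claims.get("sub")
```

The request object would be sent with `urllib.request.urlopen` over TLS and the response body passed to `authorize`.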