Mindbreeze GmbH, A-4020 Linz, 2020.
All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.
These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.
For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.
With trusted peer authentication, it is possible to send the user name used for the authorization check of the search results along with the query. In order to prevent a user from searching in the name of another user, the caller must provide proof that he or she can be trusted.
There are two ways to do this:
Trusted peer authentication can be used, for instance
In order for client services to be able to use trusted peer authentication, communication between client service and query service has to be secured using trusted peer authentication with certificates.
If certificates are used for the trust relationship between requester and service, the following conditions must be met:
Important: The CA certificate may only be used for the trust relationship. Each requester receives a client certificate signed with this CA certificate. This reduces the potential for improper use. For example, it is negligent to use the CA certificate that is used for SSL server certificates in the company, otherwise every SSL server certificate would be trusted.
For communication between client service and query service, a client certificate in PKCS #12 format and without password must be installed.
Only one CA certificate per installation can be used as a trusted peer certificate.
When authenticating with OAuth 2.0 bearer token, the OAuth server must be stored. Trusted peer authentication is only allowed for users who have been assigned a configured role. The individual configuration values are best obtained from your OAuth server administrator.
the OAuth Realm to be used; see your OAuth server for details
the OAuth resource to be used; details can be found on your OAuth server (in some OAuth servers also called client)
SSL Security for Communication with Auth Server
determines how the HTTPS connection to the Auth Server will be checked:
Role Trusted for Identity Delegation
Only users assigned to this role are allowed to perform trusted peer authentication.
The user name can be sent either as an HTTP header or in the request.
The user name is transmitted as HTTP header X-Auth-User.
Example of sending the user name as HTTP header
For api.v2 queries, the user name can be transmitted in the user_context.username property.
Example of sending the user name as part of an api.v2.search query
The option Trusted Peer Identity Extraction – Identity Extraction Order determines how the user name can be sent. The following options are available:
The user name is used if it is set in the X-Auth-User HTTP header. If not, the user name from the query is used.
The user name in the X-Auth-User HTTP header is used. The request will not be considered.
The user name from the query is used. The X-Auth-User HTTP header will not be considered.
If the user name is set in the query, it is used. If not, the user name from the X-Auth-user HTTP header is used.