A registered internal user can authenticate through the basic authorization mechanism. Through the service S1, the user supplies credentials (login and password), and S1 obtains an access token on the user's behalf:
GET /auth?idp=Thing_in&scopes=r1,r2,r3&domains=d1,d2,d3
Header: Authorization: Basic [B64Encoded(login:pwd)]
The same call can also be made with an existing TiTok, either to renew it or to restrict it (requesting a subset of the scopes and domains it already carries). In that case, instead of
Header: Authorization: Basic [B64Encoded(login:pwd)]
send
Header: Authorization: Bearer [TiTok]
S1 obtains a Thing'in access token by sending the Thing_in idp code together with the basic auth header. Thing'in validates the given credentials. Once they are validated, Thing'in answers with a Thing'in JWT (TiTok). The decoded JWT payload contains the following claims (the domains must belong to the user's registered domains):
{
"jti": "9876543210",
"sub": "235964564",
"externalid": "g123456789",
"iat": epochtime,
"kid": "key5879",
"exp": 436,
"scope": ["r1", "r2", "r3"],
"domains": ["d1", "d2", "d3"]
}
Note that "iat" and "exp" are both NumericDate values (seconds since the Unix epoch, RFC 7519); the "exp" value above is a placeholder, not a real expiry. "kid" identifies the key used to sign the token, so a consumer can select the right verification key.
To use the Thing'in API, S1 shall present this TiTok as a Bearer token in the Authorization header of each request.
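The exchange above, as an added example that is not Thing'in's own code: S1 builds the Basic header, a simulated Thing'in checks the credentials and issues a TiTok with the payload shown (signed as an HS256 JWT), and the same /auth handler accepts a Bearer TiTok for renewal, refusing any attempt to widen scopes or domains beyond what the presented token already grants. The signing key, the user registry, the password hashing and the token lifetime are all constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins; a real IdP would use a managed key and a slow password KDF.
SIGNING_KEY = b"constructed-example-key-not-for-production"
KEY_ID = "key5879"
TOKEN_LIFETIME = 3600  # seconds; the page does not state the real lifetime
_SALT = b"constructed-salt"


def _pwd_hash(pwd: str) -> str:
    return hashlib.sha256(_SALT + pwd.encode()).hexdigest()


# Constructed user registry (login -> record), not a real Thing'in user store.
USERS = {
    "alice": {
        "pwd_hash": _pwd_hash("s3cret"),
        "sub": "235964564",
        "externalid": "g123456789",
        "domains": ["d1", "d2", "d3"],
    }
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(login: str, pwd: str) -> str:
    """What S1 sends in the Authorization header on the first /auth call."""
    return "Basic " + base64.b64encode(f"{login}:{pwd}".encode()).decode()


def issue_titok(user: dict, scopes, domains, now=None) -> str:
    """Build the TiTok payload from the page and sign it as a compact JWS (HS256)."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT", "kid": KEY_ID}
    payload = {
        "jti": secrets.token_hex(8),
        "sub": user["sub"],
        "externalid": user["externalid"],
        "iat": now,
        "kid": KEY_ID,          # the page also places kid in the payload
        "exp": now + TOKEN_LIFETIME,
        "scope": list(scopes),
        "domains": list(domains),
    }
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_titok(token: str, now=None) -> dict:
    """Verify signature, header and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("kid") != KEY_ID:
        raise ValueError("unexpected header")   # never trust a client-chosen alg
    payload = json.loads(b64url_decode(p))
    now = int(now if now is not None else time.time())
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def handle_auth(query: dict, authorization: str, now=None) -> str:
    """Simulated GET /auth: Basic auth issues a TiTok, Bearer renews or restricts one."""
    if query.get("idp") != "Thing_in":
        raise ValueError("unsupported idp")
    scopes = [s for s in query.get("scopes", "").split(",") if s]
    domains = [d for d in query.get("domains", "").split(",") if d]
    scheme, _, value = authorization.partition(" ")
    if scheme == "Basic":
        login, _, pwd = base64.b64decode(value).decode().partition(":")
        user = USERS.get(login)
        if user is None or not hmac.compare_digest(user["pwd_hash"], _pwd_hash(pwd)):
            raise PermissionError("invalid credentials")
        allowed_domains, allowed_scopes = set(user["domains"]), None
    elif scheme == "Bearer":
        old = verify_titok(value, now)
        user = next((u for u in USERS.values() if u["sub"] == old["sub"]), None)
        if user is None:
            raise PermissionError("unknown subject")
        # Renewal may only keep or shrink what the presented token already grants.
        allowed_domains, allowed_scopes = set(old["domains"]), set(old["scope"])
    else:
        raise PermissionError("unsupported authorization scheme")
    if not set(domains) <= allowed_domains:
        raise PermissionError("domain outside the user's registered domains")
    if allowed_scopes is not None and not set(scopes) <= allowed_scopes:
        raise PermissionError("scope escalation via renewal refused")
    return issue_titok(user, scopes, domains, now)
```

The renewal branch is the part worth copying: a Bearer-based renew must be bounded by the token it replaces, otherwise a leaked, narrowly scoped TiTok could be traded up for a broader one.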
To summarize: