users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Authentication Approaches

From: Darran Lofthouse <darran.lofthouse_at_redhat.com>
Date: Tue, 31 Mar 2015 17:03:13 +0100

Just looking at the epic dependencies, I think this is going to be
important, as otherwise there is a risk that design of APIs around
identity store could precede authentication mechanisms API design and
the store design phase not have full access to the requirements.

On 31/03/15 16:56, Darran Lofthouse wrote:
> Reviewing the JSR-375 scope documentation, I am just thinking before the
> end of "Terminology" and before the commencement of "API for
> Authentication Mechanism" should we spend some time covering the
> different general approaches to authentication?
>
> I think a lot is discussed in terms of HTTP but that is not the only
> entry to an application server for the purpose of invocation.
>
> Within HTTP we have authentication that can occur and be associated with
> a session, there are then authentication mechanisms that continue to
> send challenge responses with each subsequent request. We also have SSO
> based authentication where there could be a different lifecycle to the
> underlying session.
>
> Then for non-HTTP we have a range from authentication on establishing a
> connection to the server through to authentication associated with a
> specific invocation.
>
> Regards,
> Darran Lofthouse.