You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.
Using the Development Dashboard in combination with the JWT authentication provider works differently than with other authentication providers. Unlike the other providers, the JWT authentication provider is not the authenticating party. With JWT authentication, the Blueriq Gateway Service is the authenticating party, and the JWT authentication provider does nothing more than verify the JWT tokens that are provided.
Starting an authenticated flow
Starting an authenticated flow with the JWT authentication provider enabled works differently. We will discuss both authentication flows: with the JWT authentication provider and without it.
JWT authentication provider
Starting a flow with the JWT authentication provider is different. Instead of directly loading the Development Dashboard on the Runtime, we will load it through the Gateway Service.
All requests flow through the Gateway. The Gateway is responsible for managing and storing the user authentication. In the diagram you can see that the Runtime still validates the authentication, but in this scenario it is not responsible for displaying or otherwise handling the authentication flow itself. For this reason the Runtime now depends on the Gateway to send a form of authentication along with the proxy request.
Other authentication providers
In the usual authentication flow, a user starts a flow on the Development Dashboard and is then redirected to the Runtime's login page. Once logged in, the user is able to start authenticated flows without having to log in to the Runtime again.
Authentication and Session
The Development Dashboard is packaged with the Runtime, which is convenient for starting authenticated flows. The Runtime stores its authentication state in the HTTP Session. This HTTP Session is applicable to all requests coming from the same domain and path.
domain <blueriq.com>, path </runtime>
When the Runtime and Development Dashboard are served under the URL https://blueriq.com/runtime, the Runtime recognizes that once a user is logged in for the domain blueriq.com and path /runtime, all following requests are authenticated as well, until the user logs out of the Runtime.
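The domain and path scoping described above, as an added example that is not part of the Blueriq documentation: it applies the RFC 6265 domain-match and path-match rules to constructed URLs to show which requests would carry the session. The cookie name JSESSIONID, the host-only and Secure settings, and every sample URL other than https://blueriq.com/runtime are assumptions.

```javascript
// RFC 6265 section 5.1.3: the request host must equal the cookie domain, or be
// a subdomain of it when the cookie is not host-only. IP hosts are not handled.
function domainMatches(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !hostOnly && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request path
// that ends on a path-segment boundary, so /runtime does not cover /runtime2.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a browser would attach the session cookie to a request for `url`.
function sessionCookieSent(url, cookie) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie.domain, cookie.hostOnly) &&
         pathMatches(u.pathname, cookie.path);
}

// Constructed session cookie for domain blueriq.com, path /runtime.
// Name, hostOnly and secure are assumed values, not taken from the page.
const SESSION_COOKIE = {
  name: "JSESSIONID", domain: "blueriq.com", path: "/runtime",
  hostOnly: true, secure: true,
};

// Constructed sample requests (hypothetical paths and hosts).
const SAMPLE_URLS = [
  "https://blueriq.com/runtime",             // exact scope
  "https://blueriq.com/runtime/some/flow",   // below the cookie path
  "https://blueriq.com/runtime2/some/flow",  // prefix, but another segment
  "https://blueriq.com/other",               // same domain, other path
  "https://app.blueriq.com/runtime",         // subdomain, host-only cookie
  "http://blueriq.com/runtime",              // plain HTTP, Secure cookie
];

// Returns the subset of URLs whose requests carry the session.
function urlsInSessionScope(urls, cookie) {
  return urls.filter((u) => sessionCookieSent(u, cookie));
}

console.log(urlsInSessionScope(SAMPLE_URLS, SESSION_COOKIE));
```

Only the first two sample URLs fall inside the session scope; a request to any of the others reaches the server without the session and is treated as unauthenticated.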
Authorization responsibility
The authorization responsibility for non-JWT authentication providers lies with the Runtime itself. The Runtime is the single point that knows that users are authenticated (with a small exception for OpenID Connect). As a consequence, every request must first go through the Runtime so that it can build an HTTP Session in which to store its authentication object.