If the Kerberos routine that performs the authorisation returns you the user name (id@REALM) you can permit or deny actions in your application code via some sort of application authorisation/permissions file.
If you prefer to further authenticate the user has an actual IBM i ID you can use the eimGetTargetFromSource API to lookup the target ID from the source ID and verify it exists and is enabled.
If you actually want to perform the function under the authority of the IBM i user you could potentially perform a profile switch to the user, do the work, then switch back. Or in the case of database operations through the IBM API you might want to make the connection to the database as the user, issue the requests then disconnect. I should imagine there would be overhead with both of these approaches and there may be issues with async type operations and blocking. You wouldn't want the node process to start servicing a request for another user whilst still switched to the previous.
It makes you realise how much Apache is doing for you as it can take care of all of this by itself.
Disclaimer. I'm a sysadmin, not a developer, so these are just my thoughts/suggestions on an approach and these may or may not be practical.
Mark
-----Original Message-----
From: OpenSource [mailto:opensource-bounces@xxxxxxxxxxxx] On Behalf Of Justin Taylor
Sent: 23 October 2017 17:37
To: IBMi Open Source Roundtable
Subject: Re: [IBMiOSS] Node in-house auth?
That should handle the authentication, but what about the authorization?
-----Original Message-----
From: Kevin [mailto:kevin@xxxxxxxxxxxxxx]
Sent: Saturday, October 21, 2017 9:49 AM
To: IBMi Open Source Roundtable <opensource@xxxxxxxxxxxx>
Subject: Re: [IBMiOSS] Node in-house auth?
I use the passport library(ies) for node.js authentication and there is a Kerberos offering too
https://www.npmjs.com/package/passport-negotiate
--
This is the IBMi Open Source Roundtable (OpenSource) mailing list To post a message email: OpenSource@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/opensource
or email: OpenSource-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
https://archive.midrange.com/opensource.
Consider the environment and think before you print this email.
________________________________
Proud partner of The Ageas Bowl.
This email has been sent by and on behalf of one or more of Ageas (UK) Limited (registered no: 1093301 ), Ageas Insurance Limited (registered no: 354568), Ageas Retail Limited (registered no: 1324965), or a subsidiary of Ageas (UK) Limited (together “Ageas UK”). Ageas UK companies are registered in England and Wales, and each entity’s registered office is Ageas House, Hampshire Corporate Park, Templars Way, Eastleigh SO53 3YA.
Ageas Retail Limited is authorised and regulated by the Financial Conduct Authority. Financial Services Register Number: 312468.
Ageas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Financial Services Register Number: 202039
This e-mail together with any attachments are intended for the addressee only and may be private and confidential. If you are not the intended recipient, or the person responsible for delivering it to the intended recipient, you must not open any attachments, or copy, disclose, distribute, retain or use this e-mail, including any attachments, in any way whatsoever; please return it to us immediately using the reply facility on e-mail.
Consider the environment and think before you print this email.
As an Amazon Associate we earn from qualifying purchases.