Per discussion with Rob, Simo, and Adam, we're considering making these changes:

1. For backward compatibility with curl or 3rd party apps, we should keep the existing authentication without session in /ipa/json and /ipa/xml.

2. For the UI we can use the sessions using different URIs:
   * /ipa/login for authentication
   * /ipa/session/json for the actual operations

3. If we modify the CLI later to use the sessions it will use the following URIs:
   * /ipa/login for authentication
   * /ipa/session/xml for the actual operations

Is this OK? How difficult is it to make the above changes?

We also want to tie the authorization to the sessions, so whenever the session expires the UI will reauthenticate using /ipa/login and then reload the authorization info in a separate operation using /ipa/session/json and then redraw the UI if necessary. This way we can keep the /ipa/login generic enough to be used by both XML and JSON clients.

I think the UI changes can be done separately; I'll open the tickets.

Endi S. Dewata

Freeipa-devel mailing list
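
The re-authentication flow proposed in the message above, sketched as an added example that is not part of the original mail or of FreeIPA's code: a UI client that calls /ipa/session/json, and on session expiry logs in once at /ipa/login, reloads authorization info in a separate call, redraws, and retries. Assumptions: HTTP 401 signals an expired session, `authz_info` is a hypothetical method name, and the transport is a constructed in-memory stand-in for the server.

```javascript
// Added example. Assumptions (not in the original mail): HTTP 401 marks an
// expired session, and "authz_info" is a hypothetical method name.
const LOGIN = '/ipa/login';
const SESSION_JSON = '/ipa/session/json';
class SessionClient {
  // transport(uri, body) -> Promise<{status, body}>; onAuthz redraws the UI.
  constructor(transport, onAuthz) {
    this.transport = transport;
    this.onAuthz = onAuthz;
    this.pendingLogin = null; // shared by all callers that saw the expiry
  }

  // Re-authenticate once, then reload authorization info in a separate call.
  renew() {
    if (!this.pendingLogin) {
      this.pendingLogin = (async () => {
        const login = await this.transport(LOGIN, null);
        if (login.status !== 200) throw new Error('login failed: ' + login.status);
        const authz = await this.transport(SESSION_JSON, { method: 'authz_info', params: [] });
        if (authz.status !== 200) throw new Error('authorization reload failed');
        this.onAuthz(authz.body);
      })().finally(() => { this.pendingLogin = null; });
    }
    return this.pendingLogin;
  }

  async call(method, params) {
    const request = { method, params };
    let reply = await this.transport(SESSION_JSON, request);
    if (reply.status === 401) {        // session expired (assumed signal)
      await this.renew();
      reply = await this.transport(SESSION_JSON, request); // retry exactly once
    }
    if (reply.status !== 200) throw new Error(method + ' failed: ' + reply.status);
    return reply.body;
  }
}

// Constructed in-memory server so the example runs offline.
function fakeServer() {
  const log = [];
  let valid = false;
  const transport = async (uri, body) => {
    log.push(uri + (body ? ':' + body.method : ''));
    if (uri === LOGIN) { valid = true; return { status: 200, body: null }; }
    return valid ? { status: 200, body: { result: body.method + ' ok' } } : { status: 401, body: null };
  };
  return { transport, log, expire: () => { valid = false; } };
}
```

Sharing one pending login among concurrent callers keeps a burst of expired requests from triggering several logins and several redraws.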
