Stateful authorization with ACP

This article explains the concept of stateful authorization and the motivation behind using it. It also includes short instructions on how to enable this feature per IDP (identity provider) in the ACP admin portal.

Stateless authentication recap

Here’s how ACP supports the authentication flow in a nutshell:

  1. The user launches an application (with an OAuth client).
  2. To get access to APIs, the application requests a token from ACP.
  3. ACP calls the IDP so that the user can log in.
  4. The user gets authenticated.
  5. The IDP responds to ACP with information, including the user's attributes.
  6. ACP maps the data returned by the IDP and issues a token.

Since ACP is stateless by default and caches no user data, it must call the IDP every time the user needs to re-authenticate during a single session, for example, to request another scope.

Stateful authorization with ACP

The stateful authorization feature allows ACP to store the user's authentication data, including the login status, locally. With this feature enabled, ACP caches the user's data and can issue multiple tokens during one user session without re-authenticating the user.

With stateful authorization, token issuance in ACP becomes significantly more efficient: the latency and performance degradation caused by repeated calls to IDPs are minimized.

Dynamic auth flows

Recent trends in standards for token-based access control show an inclination toward fine-grained token issuance and favor short-lived tokens issued for a specific purpose.

Stateful authorization is particularly vital in the context of dynamic authN/authZ flows. Dynamic flows, as opposed to traditional ones, support multiple access tokens per client application session. In a traditional flow, the client requests a token when the user launches the app and continues with this token and its initial list of scopes. In a dynamic flow, the client application can request multiple tokens during one session, each for accessing a different application component. This so-called intent-based authentication often supports online payment services and the use of dynamic scopes.
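To make the difference between the two modes concrete, here is an added Python model (illustrative only, not ACP's code) that replays one user session of token requests against a stateless server and against one whose stateful context is cached for a configurable TTL. The session id, the IDP stub and the request timings are constructed, and a zero TTL disables the cache, as in the procedure note further down.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

@dataclass
class CachedContext:
    attributes: dict   # user attributes mapped from the IDP response
    expires_at: float  # clock value after which the entry is stale

class AuthorizationServer:
    """Illustrative model: one IDP round-trip per token request when stateless,
    one per session (until the TTL expires) with the stateful context enabled."""

    def __init__(self, idp: Callable[[str], dict], cache_ttl_seconds: float = 0.0,
                 clock: Callable[[], float] = time.monotonic):
        self.idp = idp
        self.clock = clock
        # A TTL of zero disables the stateful context, mirroring the ACP note.
        self.cache_ttl = cache_ttl_seconds
        self.stateful = cache_ttl_seconds > 0
        self._cache: Dict[str, CachedContext] = {}
        self.idp_calls = 0  # each call stands for one slow IDP round-trip

    def issue_token(self, session_id: str, scope: str) -> dict:
        now = self.clock()
        ctx = self._cache.get(session_id) if self.stateful else None
        if ctx is None or ctx.expires_at <= now:
            # No usable cached context: the user goes through the IDP again.
            self.idp_calls += 1
            attributes = self.idp(session_id)
            if self.stateful:
                # Until this entry expires, changes at the IDP (e.g. a disabled
                # account) are not observed, so the TTL bounds that window.
                self._cache[session_id] = CachedContext(attributes, now + self.cache_ttl)
        else:
            attributes = ctx.attributes
        return {"sub": attributes["sub"], "scope": scope}

def count_idp_calls(cache_ttl_seconds: float, requests: Iterable[Tuple[float, str]]) -> int:
    """Replay one user session of (time, scope) token requests (constructed input)
    and return how many times the IDP had to be called."""
    now = [0.0]
    stub_idp = lambda session_id: {"sub": "user-" + session_id}  # constructed IDP stub
    server = AuthorizationServer(stub_idp, cache_ttl_seconds, clock=lambda: now[0])
    for t, scope in requests:
        now[0] = t
        server.issue_token("session-1", scope)
    return server.idp_calls
```

With the stateless setting every scope request costs an IDP round-trip, whereas with a 300-second TTL the same three requests cost one, and a request after the TTL costs a second one.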

Enable the stateful authZ in ACP

Note

In ACP, the stateful authorization feature is disabled by default.

In the ACP portal, you can enable stateful authorization per IDP and configure how long the user's data stays cached in ACP. To learn how to make this feature work in ACP, either watch the video or follow the procedure below.

Procedure

  1. Navigate to the ACP portal in your browser and log in as an admin.

  2. In the Workspace Directory, select a workspace that you want to configure.

  3. In the Overview landing page, select Identities from the sidebar.

  4. In the Identities view, select an identity provider (IDP) that you want to configure.

  5. In the Configuration view for the selected IDP, expand Advanced settings to display the available settings.

  6. Select the Enable stateful context toggle.

  7. Set the time for keeping the user’s data cached in ACP.

    Note

    Set a non-zero value for the time. Otherwise, the feature is disabled automatically.

  8. Select Save.
