User Authentication Flow

This authentication flow is for interactive users. If you're using a service account, use Bearer authentication with the token.

  1. Client sends an init request. This can be either:
    1. AuthStep::Init which just includes the username, or
    2. AuthStep::Init2 which can request a "privileged" session
  2. The server responds with a list of authentication methods. (AuthState::Choose(Vec<AuthAllowed>))
  3. Client requests auth with a method (AuthStep::Begin(AuthMech))
  4. Server responds with an acknowledgement (AuthState::Continue(Vec<AuthAllowed>)). This lets the server include a challenge in the response, which Passkeys and other challenge-response methods need before the client can produce a credential.
    • The client then presents a credential (AuthStep::Cred(AuthCredential)) and the server answers with another AuthState::Continue listing what is still required. If required, this challenge/response continues in a loop until the requirements are satisfied. For example, TOTP and then Password.
  5. The result is returned, either:
    • Success, with the User Auth Token as a String.
    • Denied, with a reason as a String.
Sequence diagram (Client and Kanidm), recovered from the rendered figure:

  1. Client → Kanidm: AuthStep::Init(username) ("I'm Ferris and I want to start auth!")
  2. Kanidm → Client: AuthState::Choose(Vec<AuthAllowed>) ("You can use the following methods")
  3. Client → Kanidm: AuthStep::Begin(AuthMech) ("I want to use this mechanism")
  4. Kanidm → Client: AuthState::Continue(Vec<AuthAllowed>) ("Ok, you can do that.")
  loop [Authentication Checks]
    5. Client → Kanidm: AuthStep::Cred(AuthCredential) ("Here is my credential")
    6. Kanidm → Client: AuthState::Continue(Vec<AuthAllowed>) (Kanidm validates the credential and, if more methods are required, returns them; if no more credentials are required, break the loop)
  7. Kanidm → Client: AuthState::Success(String Token) (if successful, return the auth token)
  8. Kanidm → Client: AuthState::Denied(String) (if failed, return that and a message why)
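A toy model of this exchange, written as an added example and not taken from Kanidm's code: the enums mirror the step and state names above with simplified payloads (Choose here carries the AuthMech list), the server session enforces TOTP and then password for a single PasswordMfa mechanism, and the accepted TOTP code and password are constructed test values. It shows the Continue loop, the Success token, and that a rejected credential or an out-of-order step tears the session down.

```rust
// Toy model of the exchange above (added example, not Kanidm's code);
// payloads are simplified and the accepted secrets are constructed test values.
#[derive(Debug, Clone, PartialEq)]
pub enum AuthMech { PasswordMfa }
#[derive(Debug, Clone, PartialEq)]
pub enum AuthAllowed { Totp, Password }
#[derive(Debug, Clone, PartialEq)]
pub enum AuthCredential { Totp(u32), Password(String) }
#[derive(Debug, Clone, PartialEq)]
pub enum AuthStep { Init(String), Begin(AuthMech), Cred(AuthCredential) }
#[derive(Debug, Clone, PartialEq)]
pub enum AuthState { Choose(Vec<AuthMech>), Continue(Vec<AuthAllowed>), Success(String), Denied(String) }
/// Server-side session: who is authenticating and which credentials are still owed.
#[derive(Default)]
pub struct Session { user: Option<String>, pending: Vec<AuthAllowed> }
impl Session {
    /// Handle one client step and return the server's next state; any bad credential or out-of-order step tears the session down.
    pub fn handle(&mut self, step: AuthStep) -> AuthState {
        let state = match (self.user.take(), step) {
            (None, AuthStep::Init(name)) => {
                self.user = Some(name);
                AuthState::Choose(vec![AuthMech::PasswordMfa])
            }
            (Some(name), AuthStep::Begin(AuthMech::PasswordMfa)) if self.pending.is_empty() => {
                self.user = Some(name);
                // Policy for this mech: TOTP first, then password (the challenge loop).
                self.pending = vec![AuthAllowed::Totp, AuthAllowed::Password];
                AuthState::Continue(vec![AuthAllowed::Totp])
            }
            (Some(name), AuthStep::Cred(cred)) if !self.pending.is_empty() => {
                // Constructed check; a real server verifies against stored credentials.
                let ok = match (&self.pending[0], &cred) {
                    (AuthAllowed::Totp, AuthCredential::Totp(code)) => *code == 123_456,
                    (AuthAllowed::Password, AuthCredential::Password(p)) => p.as_str() == "correct horse",
                    _ => false, // wrong credential type for this stage
                };
                self.pending.remove(0);
                match (ok, self.pending.first()) {
                    (false, _) => AuthState::Denied("credential rejected".to_string()),
                    (true, Some(next)) => { self.user = Some(name); AuthState::Continue(vec![next.clone()]) }
                    (true, None) => AuthState::Success(format!("uat-for-{}", name)),
                }
            }
            _ => AuthState::Denied("unexpected step for session state".to_string()),
        };
        // Success and Denied both end the session; only Choose/Continue keep it alive.
        if !matches!(state, AuthState::Choose(_) | AuthState::Continue(_)) { self.pending.clear(); }
        state
    }
}
```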