
Token Authentication for External Services

Adam edited this page Jan 24, 2014 · 2 revisions

In the large image solution pack, viewing would fail when trying to access datastreams locked down via XACML. This was because the third-party services SeaDragon and Djatoka cannot pass the Drupal credentials through to the requests they send to Fedora (Drupal->SeaDragon->Djatoka->Fedora).

The solution we use is token authentication. We proxy Fedora in Drupal, where we can send the right credentials ourselves (Drupal->SeaDragon->Djatoka->Drupal->Fedora). The token identifies an allowed proxy event. It has a timeout and a limited number of uses, and it is limited to a PID and DSID. XACML can be applied globally, so when the large image needs to display its JP2 it always uses token authentication.

This is the relevant code for anyone needing to use the token authentication in another module:

```php
// Get token to allow access to XACML protected datastreams.
// Always use token authentication in case there is a global policy.
module_load_include('inc', 'islandora', 'includes/islandora_authtokens');
$token = islandora_get_object_token($islandora_object->id, 'JP2', 2);
$jp2_url = url("islandora/object/{$islandora_object->id}/datastream/JP2/view",
  array(
    'absolute' => TRUE,
    'query' => array('token' => $token),
  ));

// Display large image.
$viewer = islandora_get_viewer($jp2_url, 'islandora_large_image_viewers');
```
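
The token properties described above (a timeout, a limited number of uses, and binding to one PID and DSID) can be modelled as follows. This is an added example, not Islandora's own code: `ScopedTokenStore`, its methods, the in-memory storage, the hashed lookup key and the sample values are all assumptions made for illustration.

```php
<?php
// Added illustration: ScopedTokenStore and its methods are hypothetical names,
// not Islandora's API. Tokens live in memory here; a real proxy would persist them.
final class ScopedTokenStore {
  private array $tokens = [];
  private int $ttl;

  public function __construct(int $ttl_seconds) {
    $this->ttl = $ttl_seconds;
  }

  // Issue a random token bound to one PID/DSID pair with a fixed use budget.
  public function issue(string $pid, string $dsid, int $uses, int $now): string {
    $token = bin2hex(random_bytes(32));
    // Key on a hash so the stored record never holds the bearer value itself.
    $this->tokens[hash('sha256', $token)] = [
      'pid' => $pid, 'dsid' => $dsid, 'uses' => $uses, 'expires' => $now + $this->ttl,
    ];
    return $token;
  }

  // Consume one use only when the token exists, is unexpired, and matches
  // exactly the PID and DSID being requested through the proxy.
  public function redeem(string $token, string $pid, string $dsid, int $now): bool {
    $key = hash('sha256', $token);
    $row = $this->tokens[$key] ?? NULL;
    if ($row === NULL || $now >= $row['expires']) {
      unset($this->tokens[$key]);
      return FALSE;
    }
    if ($row['pid'] !== $pid || $row['dsid'] !== $dsid) {
      return FALSE;
    }
    if (--$this->tokens[$key]['uses'] < 1) {
      unset($this->tokens[$key]);
    }
    return TRUE;
  }
}

// Constructed sample values: a two-use token for one object's JP2 datastream.
$store = new ScopedTokenStore(300);
$token = $store->issue('islandora:1', 'JP2', 2, 1000);
var_dump($store->redeem($token, 'islandora:1', 'OBJ', 1001));  // different DSID
var_dump($store->redeem($token, 'islandora:1', 'JP2', 1002));  // in scope, first use
var_dump($store->redeem($token, 'islandora:1', 'JP2', 1003));  // in scope, second use
var_dump($store->redeem($token, 'islandora:1', 'JP2', 1004));  // use budget spent
```

A request for a datastream outside the token's scope is refused without spending a use, so a mismatched request cannot exhaust the budget the viewer needs.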
