Crunch customers whose own customers need access to Crunch resources without a standalone Crunch account may wish to create a redirect service that logs the user in and then redirects them to specific Crunch pages. This way the user has a Crunch account, fully managed by the Crunch customer, but does not need to know the credentials and does not have to enter them to log in to Crunch. This system has certain limitations, outlined below, and is therefore useful only if a full OAuth provider is not available for Single Sign-On.
The One Time Redirect Authentication system is implemented by creating a redirect proxy service that:
- accepts user requests for Crunch resources and looks up the user's credentials
- executes a server-to-server authorization request to retrieve a one-time password or token
- redirects the user to a special Crunch endpoint with that token
Then, when the user visits Crunch, Crunch:
- accepts the request on the special endpoint and authenticates the token
- creates a full browser session for the user
- redirects the user's browser to the final location as requested
This can be better described through the following Sequence Diagram:
For example, Example Company has developed Example Application and directs users to Crunch to further analyze the underlying dataset. The user clicks a link in the Example Application that is handled by the redirect service. After a server-to-server exchange, the service redirects the user to Crunch with a one-time password to ensure the user is logged in. Crunch validates the token, then redirects the user to the Dataset Analysis page.
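The redirect-service side of this flow, as an added sketch that is not Crunch's code or part of the original page: it looks up the managed credentials, obtains a one-time token through an injected server-to-server call, and builds the redirect only for allowlisted Crunch-relative destinations. The host, endpoint path, query parameter names, credential store and `request_token` callable are all assumptions, and the caller is assumed to have been authenticated by the Example Application already.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions, not Crunch's documented API: host, endpoint path and query
# parameter names below are placeholders.
CRUNCH_ORIGIN = "https://crunch.example"
TOKEN_LOGIN_PATH = "/hypothetical/token-login/"
ALLOWED_PREFIXES = ("/dataset/",)  # only pages users may be sent to
# Constructed sample store: application user -> managed Crunch credentials.
CREDENTIALS = {"alice": ("alice@example.com", "managed-secret")}


class RedirectDenied(Exception):
    """The request must not be turned into a login redirect."""


def safe_destination(dest):
    """Accept only Crunch-relative paths under an allowed prefix."""
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc or not dest.startswith("/"):
        raise RedirectDenied("destination must be a Crunch-relative path")
    if "\\" in dest or ".." in parts.path.split("/"):
        raise RedirectDenied("destination path is not normalized")
    if not parts.path.startswith(ALLOWED_PREFIXES):
        raise RedirectDenied("destination is not an allowed page")
    return dest


def build_login_redirect(app_user, dest, request_token):
    """Return the Location value for an already-authenticated app user.

    request_token(email, password) stands in for the server-to-server
    call; credentials stay on the server, only the token reaches the browser.
    """
    if app_user not in CREDENTIALS:
        raise RedirectDenied("no managed Crunch account for this user")
    dest = safe_destination(dest)  # validate before spending a token
    email, password = CREDENTIALS[app_user]
    token = request_token(email, password)
    query = urlencode({"token": token, "next": dest})
    return f"{CRUNCH_ORIGIN}{TOKEN_LOGIN_PATH}?{query}"


def fake_request_token(email, password):
    """Offline stub for the token exchange (constructed value)."""
    return "otp-123"
```

Because the token travels in the redirect URL, the service should send the redirect over HTTPS only and keep the full URL out of its own access logs.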