Authentication schemas that have to be tested:
  private API:
    basic authentication
    basic authentication with impersonation (https://docs.alfresco.com/process-services1.8/topics/rest_api_authorization.html)
    JWT bearer token authentication
  public API:
    authentication with cookies
[This comment has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The author of this comment was ctopala]
Verified using https://bamboo.alfresco.com/bamboo/browse/ACT-ABS395-40
[This comment has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The author of this comment was ctopala]
What do we think about the following scenario: when impersonating a user that doesn't exist in APS, the call goes through without any problems.
User1 exists in APS and Keycloak.
User2 exists only in APS.
User1 impersonates User2 to perform a REST call.
This is probably an isolated case, as users will most likely be synced to APS, but in the remote case that a user exists only in APS and is impersonated, do we want to block the impersonation or do we leave it as it is?
[This issue has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The reporter of this issue was rspatariu]