
When a user logs in, his/her credentials are validated and, if validation succeeds, an access token is generated. With the access token in hand, the client/UI requests the current user's permissions: the IPSes or MPSes associated with his/her login credentials are expanded all the way down to atomic permissions and returned to the client/UI. This allows the client/UI to decide whether or not to present access to certain operations. Every request from the client/UI, made on behalf of the current user, is rerouted by Okapi to the "authtoken" module. The "authtoken" module checks the validity of the user's access token, extracts his credentials from the token and looks up the associated permissions, again expanded down to atomic permissions. With the permissions retrieved, "authtoken" makes an immediate decision, based on the required permissions, whether the request should be delivered to the handler module or rejected. If the request is allowed, the desired permissions are encoded into a header and attached to the request. The handler module can then perform additional authorization based on the desired permissions.
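The following is an added example, not Okapi or "authtoken" module code, that models the gate described above: permission sets are expanded recursively to atomic permissions, a request passes only if every required permission is held, and the subset of desired permissions the user actually holds is encoded into a header for the handler. The permission-set names and the header name are constructed assumptions; the page does not state the real ones.

```python
# Added example (not FOLIO/Okapi code): a minimal model of the "authtoken" gate.
# Permission-set names (the IPSes/MPSes of the text) expand to sub-permissions,
# which may themselves be sets, until only atomic permissions remain.
import json

# Constructed permission-set definitions: set name -> members (sets or atomics).
PERMISSION_SETS = {
    "users.all": ["users.collection.get", "users.item.get", "users.item.put", "users.admin"],
    "users.admin": ["users.item.post", "users.item.delete"],
    "circ.checkout": ["circ.loans.item.post", "users.item.get"],
}


def expand(perms, defined=PERMISSION_SETS):
    """Expand permission-set names down to atomic permissions (cycle-safe)."""
    atomic, seen, stack = set(), set(), list(perms)
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in defined:
            stack.extend(defined[p])  # a set: push its members for further expansion
        else:
            atomic.add(p)             # not a set: it is an atomic permission
    return atomic


def authtoken_filter(user_perms, required, desired):
    """Return (allowed, headers).

    Reject unless every required permission is held by the user; otherwise
    forward only the held subset of the desired permissions in a header so the
    handler module can do its own finer-grained authorization."""
    held = expand(user_perms)
    if not set(required) <= held:
        return False, {}
    granted_desired = sorted(held & set(desired))
    # Constructed header name; the page does not name the real header.
    return True, {"X-Example-Desired-Permissions": json.dumps(granted_desired)}


if __name__ == "__main__":
    # Constructed request: a user holding "circ.checkout" calls a checkout route.
    ok, headers = authtoken_filter(["circ.checkout"], ["circ.loans.item.post"],
                                   ["users.item.delete", "users.item.get"])
    print(ok, headers)
```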
