Ditto provides a flexible identity system to control which devices can participate in data synchronization, who they identify as (authentication), and what they can do (authorization). Ditto provides 3 authentication mechanisms: Online Playground, Online with Authentication, and Offline Shared Key.
authenticator which will pass it to an authentication webhook. As the developer, you are responsible for writing code and deploying this webhook to an accessible URL. The authentication webhook will validate and decode the token from the client side and return identity and access control information back to your Ditto instance.
The full flow is detailed in the diagram below:
Example of a collection with user permissions
userID: "123abc" has been authenticated ("authenticated": true) and has the following permissions:
- write to documents in the "books" collection matching the query "_id.locationId == 'abcedef123456'".
- write to any document in the "newspapers" collection. This is done with the single-word query "true".
- read to documents in the "books" collection matching the query "_id.locationId == 'abcedef123456'".
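
The webhook's decision logic for the permissions listed above, as an added example that is not part of the original page or Ditto's own code. The request field "token", the claim names "sub" and "locationId", the verifyToken callback, and the response fields "expirationSeconds", "everything" and "queriesByCollection" are assumptions to check against the Ditto reference.

```javascript
// Added example, not Ditto's code. Response fields other than "authenticated"
// and "userID" (expirationSeconds, permissions layout) are assumptions.

// Constructed sample data standing in for real token verification.
const SAMPLE_SESSIONS = new Map([
  ['tok-clerk', { sub: '123abc', locationId: 'abcedef123456' }],
  // Claim containing a quote: would alter the permission query if interpolated.
  ['tok-odd-location', { sub: '456def', locationId: "abc'def" }],
]);
const sampleVerify = (token) => SAMPLE_SESSIONS.get(token) || null;

// Only values that cannot change the structure of the query string.
const LOCATION_ID = /^[A-Za-z0-9]{1,64}$/;

const denied = () => ({ authenticated: false });

function buildPermissions(locationId) {
  const ownLocation = `_id.locationId == '${locationId}'`;
  return {
    read: { everything: false, queriesByCollection: { books: [ownLocation] } },
    write: {
      everything: false,
      queriesByCollection: { books: [ownLocation], newspapers: ['true'] },
    },
  };
}

// body: parsed JSON the webhook received; verifyToken: returns claims, or null/throws.
function handleAuthRequest(body, verifyToken) {
  if (!body || typeof body.token !== 'string' || body.token.length > 4096) {
    return denied();
  }
  let claims;
  try {
    claims = verifyToken(body.token);
  } catch (err) {
    return denied(); // fail closed on any verifier error
  }
  if (!claims || typeof claims.sub !== 'string' || claims.sub === '') return denied();
  if (typeof claims.locationId !== 'string' || !LOCATION_ID.test(claims.locationId)) {
    return denied();
  }
  return {
    authenticated: true,
    userID: claims.sub,
    expirationSeconds: 3600,
    permissions: buildPermissions(claims.locationId),
  };
}
```

Every failure path returns the same unauthenticated response with no permissions attached, and the location value is checked against a strict pattern before it is placed inside a permission query.
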
_id field of a document.
You should ensure that you model your data so that all of the fields that you want to control access to are part of the _id field.
Complete a Peer Key Challenge
/_ditto/auth/cert - this is a time-limited JWT which the client treats as opaque data.
Log in with Credentials
Generating a shared key