Proxying Authentication

Proxying authentication is distinct from Identity Mediation. It takes a request from a logical context A (such as a frontend user session calling back for all of the current session user's courses) and constructs a request to the same end (retrieving that user's course information) using more privileged access to another logical context B (such as the LMS containing those courses). This addresses two issues:

  1. Access to the LMS credentials should not be given to the frontend
  2. The frontend should not be trusted to ask for the right user's information

A proxied authentication pattern therefore relies on two main corresponding elements:

  1. A fully configured connection to the LMS enabling access for ALL relevant user information
  2. A non-tamperable mechanism of identifying the user holding the frontend session

There are many well-established patterns for achieving element 2, such as JSON Web Tokens. When connected to the Pathify portal, Flow has a convenient shortcut: it can check the portal session directly against the session cookies, since the two systems are deployed under the same domain.

Because of backwards compatibility commitments, this shortcut is published as the Stream Processor Campus Cookie Validator, also aliased as the Pathify Cookie Validator.
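
The following sketch shows the proxied pattern using the JSON Web Token option mentioned above. It is an added illustration, not Flow or Pathify code: the proxy holds the LMS credential, takes the user identity only from a verified HS256 token, and ignores any user id the frontend supplies. All names, keys, and the in-memory LMS are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SESSION_KEY = b"constructed-demo-key"  # known to token issuer and proxy only
LMS_SERVICE_TOKEN = "constructed-lms-secret"  # privileged; never sent to the frontend
# Constructed stand-in for the LMS (context B); a real proxy would call it over the network.
FAKE_LMS = {"u-100": ["BIO-101", "CHEM-210"], "u-200": ["HIST-330"]}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(user_id, ttl=300, key=SESSION_KEY):
    """Mint an HS256 JWT; stands in for whatever issues the frontend session."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verified_subject(token, key=SESSION_KEY):
    """Return the user id from a valid token, or None if any check fails."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # refuse "none" and other algs
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims["exp"] <= time.time():
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def lms_get_courses(service_token, user_id):
    """Constructed LMS call: the service credential can read ANY user's courses."""
    if not hmac.compare_digest(service_token, LMS_SERVICE_TOKEN):
        raise PermissionError("bad service credential")
    return FAKE_LMS.get(user_id, [])

def proxy_courses(token, requested_user_id=None):
    """Frontend-facing handler; requested_user_id is accepted but deliberately ignored."""
    user_id = verified_subject(token)  # identity comes only from the verified token
    if user_id is None:
        return 401, []
    return 200, lms_get_courses(LMS_SERVICE_TOKEN, user_id)
```

Because the LMS connection can read every user's data, the token check in `verified_subject` is the only thing scoping a response to the session holder.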