
Document design #1

@Auwate

Description


This is the design document for the authentication microservice. It follows the OAuth 2.0 framework, thus following many of the grants and terminology outlined there.

API Specification

The overall authentication and authorization flow for the system should look like this:

User Authentication system

/auth/login - Authorization Code Grant

  • For user login
    • 1: User provides credentials
    • 2: Frontend hits /auth/login
    • 3: Auth authenticates, provides an authorization code
    • 4: Frontend then hits /oauth/token, trading authorization code for refresh/access tokens

/auth/register - User Registration

  • For user registration
    • 1: User clicks register
    • 2: User provides credentials
    • 3: Frontend hits /auth/register
    • 4: Auth sends a 200 message
    • 5: Frontend then hits /auth/login
    • 6: Auth authenticates, provides an authorization code
    • 7: Frontend hits /oauth/token, trading code for refresh/access tokens

/auth/logout - User logout

  • For logging out
    • 1: User clicks log out
    • 2: Frontend hits /auth/logout
    • 3: (Later) Auth will remove session cookie from database
    • 4: Frontend removes the refresh token from cookies and deletes the access token variable

/auth/password/reset - User resets password

  • For password reset
    • To be implemented with 2FA

Microservice Authentication

/oauth/token - Client Credentials Grant

  • Microservices pass the grant type as a request parameter along with their client_id and secret_key.
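The two /oauth/token grants above (the Authorization Code Grant that /auth/login feeds, and the Client Credentials Grant for microservices), plus the /auth/register and /auth/logout steps, as one runnable in-memory model. This is an added example, not code from the project or its author: the class and method names (AuthServer, register, login, token, logout, introspect), the in-memory dictionaries, the PBKDF2 password hashing, and the timeouts are all assumptions, and the microservice secret is passed as client_secret (the RFC 6749 parameter name) rather than the page's secret_key.

```python
"""Toy OAuth 2.0 token endpoint for the flows above (added example, not the project's code).

Assumed: in-memory storage, PBKDF2 password hashing, and the names used below.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 60            # authorization codes are short-lived (seconds)
ACCESS_TTL = 900         # access token lifetime (seconds)
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested
        self.users = {}               # username -> (salt, pbkdf2 hash)
        self.clients = {}             # client_id -> sha256(client_secret)
        self.codes = {}               # code -> (username, client_id, expires_at)
        self.access_tokens = {}       # token -> (subject, expires_at)
        self.refresh_tokens = {}      # token -> subject (the server-side "session")

    # --- /auth/register: store a salted hash, never the password -------------
    def register(self, username, password):
        if username in self.users:
            return 409
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))
        return 200

    def register_client(self, client_id, client_secret):
        """Credentials a microservice uses for the client_credentials grant."""
        self.clients[client_id] = hashlib.sha256(client_secret.encode()).digest()

    # --- /auth/login: authenticate, hand back a one-time code ----------------
    def login(self, username, password, client_id):
        record = self.users.get(username)
        if record is None:
            _hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        code = secrets.token_urlsafe(32)
        # The code is bound to the client that will redeem it and expires quickly.
        self.codes[code] = (username, client_id, self.clock() + CODE_TTL)
        return code

    # --- /oauth/token ---------------------------------------------------------
    def token(self, grant_type, **params):
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # single use: pop, never get
            if entry is None:
                return {"error": "invalid_grant"}
            subject, bound_client, expires_at = entry
            if self.clock() > expires_at or bound_client != params.get("client_id"):
                return {"error": "invalid_grant"}          # code is already burned
            return self._issue(subject, with_refresh=True)
        if grant_type == "client_credentials":
            stored = self.clients.get(params.get("client_id"))
            presented = hashlib.sha256(params.get("client_secret", "").encode()).digest()
            if stored is None or not hmac.compare_digest(stored, presented):
                return {"error": "invalid_client"}
            # RFC 6749 section 4.4.3: no refresh token for client_credentials
            return self._issue(params["client_id"], with_refresh=False)
        return {"error": "unsupported_grant_type"}

    def _issue(self, subject, with_refresh):
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (subject, self.clock() + ACCESS_TTL)
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if with_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = subject
            resp["refresh_token"] = refresh
        return resp

    # --- /auth/logout: revoke the server-side session --------------------------
    def logout(self, refresh_token):
        return self.refresh_tokens.pop(refresh_token, None) is not None

    def introspect(self, access_token):
        """Return the subject for a live access token, else None."""
        entry = self.access_tokens.get(access_token)
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]
```

Two choices are worth noticing: a code presented with the wrong client_id is consumed and rejected rather than left valid for a retry, and the client_credentials grant returns an access token only, since a microservice can simply re-authenticate with its secret.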

Labels: documentation, enhancement
