Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • improved-skeleton
  • xsrf-token
3 results
Blame Permalink
authentication.md 3.14 KiB

Authentication service

Features

This service allows users to login to / logout from the Web Portal. Establishing an authenticated session is a prerequisite for managing user rights to restricted-access resources.

Dependencies

The service relies on

  • the API Gateway, in particular its Admin API;
  • external identity providers, which actually store user profiles and can verify user credentials. Despite being designed to potentially support different identity providers, in the present implementation only the Legacy AUTH Identity Provider is supported. A middleware was developed, so as to facilitate the interaction between this service and the Legacy AUTH Identity Provider.

authentication-service

Endpoints

This service provides five endpoints:

  1. A login endpoint per identity provider (just one in the present implementation, namely /login/legacy), allowing users to authenticate using a username/password pair. In case the identity provider confirms that user credentials are correct, a couple of cookies are set:

    1. an HTTP-only cookie including an access token, including in turn a JSON Web Token (JWT), signed by the API Gateway, namely Kong.
    2. a cookie including an XSRF token (generated as a version 4 UUID).

    Both the access token and the XSRF token are needed to issue authenticated requests. We refer the reader to a dedicated page for further information about security.

  2. A logout endpoint, /logout, which signs out the user by deprecating the cookie set by the login endpoint.

  3. An user info endpoint, allowing one to fetch an user profile.

  4. An user info update endpoint, /user/update allowing one to update an user profile.

  5. An health endpoint, /health, returning a 200 HTTP Status Code in case the service is healthy, 503 in the opposite case. For this service to be healthy, two conditions must be fulfilled:

Implementation

The service is implemented using the NestJS framework. We refer the reader to the NestJS-based micro-services page for further details concerning the latter framework and the features it provides.

TO FURTHER DEVELOP

  • What's the interplay between this service and Kong? Let's provide sequence diagrams!
  • How is the access token generated and signed?
  • What is the difference between the cookie expiration time and that of the JWT for the Legacy Middleware?