Authentication
The authentication service is responsible for verifying users. The auth service,
hot storage, and cold storage all share the user concept. A user is identified by a
UUID and is the owner of the data it has stored in the storages.
When a user requests data from the storages, it must pass its user ID and access token. The storages then ask the auth service to verify that the access token belongs to the user, and only then return the requested data.
The authentication service supports two types of authentication:
- First-party authentication: The authentication service provided by Openfort.
- Third-party authentication: An authentication service provided by an external provider such as Google, Apple, or GitHub.
In both cases, the hot and cold storages expect a JWT to be passed either in the Authorization header
or in a cookie whose name is specified on the request itself.
First-party authentication
In this model, the implementer is fully responsible for user authentication. The current model uses email/password authentication.
Third-party authentication
Third-party authentication relies on OAuth 2.0 or OpenID Connect to verify user identities. Once the user authenticates, the third-party provider returns an access token. Rather than giving this token directly to users, implementers should map it to a new token generated by the authentication service (not the third party) and pass this token instead. This ensures users have access to the Keys service but can't impersonate the auth service.
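The two flows above share one mechanism: the storages never trust a raw user ID, they pass the ID and the presented token to the auth service, which checks that the token was issued by the auth service itself and that its subject is that user. The following is an added, self-contained example (not Openfort's code) that shows both the verification the storages delegate and the third-party exchange, where a provider identity is mapped to the auth service's own UUID and a fresh auth-service token is minted instead of forwarding the provider's access token. The HS256 signing secret, the `session` cookie name, the `auth-service` issuer value and the `(provider, subject) -> uuid` directory are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a deployment loads it from a secret store.
AUTH_SERVICE_SECRET = b"example-only-secret-do-not-use"
ISSUER = "auth-service"  # assumed issuer claim for tokens minted by the auth service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose `sub` is the user's UUID. The same routine serves a
    first-party (email/password) login and the token handed out after a third-party login."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(
        {"sub": user_id, "iss": ISSUER, "iat": now, "exp": now + ttl_seconds},
        separators=(",", ":"),
    ).encode()
    signing_input = f"{_b64url(header)}.{_b64url(payload)}"
    sig = hmac.new(AUTH_SERVICE_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, user_id: str, now: Optional[int] = None) -> bool:
    """The check the storages delegate to the auth service: the signature is ours,
    the token is unexpired, and its subject is exactly the user ID sent with it."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm: a token claiming "none" or another alg is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        expected = hmac.new(AUTH_SERVICE_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return False
        payload = json.loads(_b64url_decode(p64))
    except ValueError:  # malformed base64, bad JSON, or wrong number of segments
        return False
    if not isinstance(payload, dict):
        return False
    if payload.get("iss") != ISSUER or int(payload.get("exp", 0)) <= now:
        return False
    # The token must belong to the user named in the request, not merely be valid.
    return hmac.compare_digest(str(payload.get("sub", "")), user_id)


def token_from_request(headers: dict, cookies: dict, cookie_name: str = "session") -> Optional[str]:
    """Storages accept the JWT from the Authorization header or from the named cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return cookies.get(cookie_name)


def exchange_third_party_identity(
    provider: str, provider_subject: str, directory: dict, now: Optional[int] = None
) -> Optional[str]:
    """After the OAuth 2.0 / OIDC provider has verified the user, map the provider
    identity to our own UUID and mint an auth-service token. The provider's access
    token is never returned to the client, so it cannot stand in for the auth service."""
    user_id = directory.get((provider, provider_subject))
    if user_id is None:
        return None  # unknown identity: caller decides whether to provision a user
    return issue_token(user_id, now=now)


if __name__ == "__main__":
    # Constructed sample data: one user known by a Google subject.
    directory = {("google", "sub-123"): "8c3f1e2a-0000-4000-8000-000000000001"}
    tok = exchange_third_party_identity("google", "sub-123", directory)
    request_headers = {"Authorization": f"Bearer {tok}"}
    presented = token_from_request(request_headers, {})
    print("owner check:", verify_token(presented, "8c3f1e2a-0000-4000-8000-000000000001"))
    print("wrong user:", verify_token(presented, "another-uuid"))
```

The storage side only needs `token_from_request` plus a call to the auth service's `verify_token` with the user ID from the request; the ownership comparison on `sub` is what stops a valid token for user A from fetching user B's data.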