
Authentication

The authentication service is responsible for verifying users. The auth service, hot storage and cold storage all share the same user concept: a user is identified by a UUID and owns the data it has stored in the storages.

When a user requests data from the storages, it must pass its user ID and an access token. The storage then asks the auth service to verify that the access token belongs to that user, and only then returns the requested data. The check binds the token to the presented user ID, so a valid token for one user cannot be used to read another user's data.

The authentication service should support two types of authentication:

  • 1st Party Authentication: the authentication service provided by Openfort itself.
  • 3rd Party Authentication: authentication delegated to a third-party provider such as Google, Apple, or GitHub.

In both cases, the hot and cold storages expect a JWT to be passed either in the Authorization header or in a cookie whose name is specified on the request itself.

First Party Authentication

In this model, the implementer is fully responsible for user authentication. The current model is based on email/password authentication, although it may be extended to support additional authentication methods, such as passkeys, in the future.

Third Party Authentication

Third party authentication relies on OAuth 2.0 or OpenID Connect to verify user identities. Once the user has authenticated, the third-party provider returns an access token. Rather than handing that token to the user, implementers should map it to a new token issued by the authentication service (not by the third party) and return that token instead. The user then has access to the Keys service but cannot impersonate the auth service, and the storages only ever need to trust tokens issued by the auth service.
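The following Go program is an added example written for this page, not Openfort's own code, and it ties together the three points above: the storage-side check that a presented token belongs to the user ID on the request, token extraction from the Authorization header or a cookie, and the third-party exchange that maps a provider access token to a JWT minted by the auth service. The HS256 key, the issuer name `auth-service`, the cookie name `auth_token`, the `Claims` layout and the `lookup` callback that stands in for validating the provider token with the IdP are all assumptions; the sample user UUID and provider token are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Assumed HS256 key held only by the auth service (hypothetical; load it from a
// secret store in practice). Whoever holds it can mint tokens, so it is never shared.
var authServiceKey = []byte("example-auth-service-hmac-key-not-for-production")

const issuer = "auth-service" // assumed issuer name

// Claims carried in the JWT. Sub is the user UUID that owns the stored data.
type Claims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	Exp      int64  `json:"exp"`
	Provider string `json:"provider,omitempty"` // "openfort" or the third-party IdP
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT mints an HS256 JWT signed with the auth service's key.
func SignJWT(c Claims, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// VerifyJWT checks algorithm, signature, issuer and expiry before trusting any claim.
func VerifyJWT(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := dec(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or malformed header") // also rejects alg=none
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if pb, err := dec(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Iss != issuer || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("wrong issuer or expired token")
	}
	return c, nil
}

// TokenFromRequest takes the JWT from the Authorization header, else from the
// named cookie (cookie name assumed; the page only says the request specifies it).
func TokenFromRequest(r *http.Request, cookieName string) (string, bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), true
	}
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		return c.Value, true
	}
	return "", false
}

// AuthorizeStorageRequest is the check hot/cold storage runs before returning
// data: the token must verify AND its subject must equal the user ID the caller sent.
func AuthorizeStorageRequest(r *http.Request, claimedUserID string, now time.Time) error {
	tok, ok := TokenFromRequest(r, "auth_token")
	if !ok {
		return errors.New("no token presented")
	}
	c, err := VerifyJWT(tok, authServiceKey, now)
	if err != nil {
		return err
	}
	if c.Sub != claimedUserID {
		return errors.New("token does not belong to this user")
	}
	return nil
}

// ExchangeThirdPartyToken maps a provider access token to an auth-service JWT.
// lookup stands in for validating the provider token with the IdP and resolving
// the local user UUID; the provider token itself is never returned to the client.
func ExchangeThirdPartyToken(provider, providerToken string, lookup func(string, string) (string, error), now time.Time) (string, error) {
	userID, err := lookup(provider, providerToken)
	if err != nil {
		return "", err
	}
	return SignJWT(Claims{Iss: issuer, Sub: userID, Exp: now.Add(time.Hour).Unix(), Provider: provider}, authServiceKey), nil
}
```

The two things worth copying from this example are the order of checks in `VerifyJWT` (algorithm pinned, signature checked, then claims parsed, so an `alg=none` or tampered token is rejected before any claim is read) and the final `c.Sub != claimedUserID` comparison in `AuthorizeStorageRequest`, which is what actually enforces that the token belongs to the user named on the request rather than merely being a valid token.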
