I’m currently trying to implement my own Authorization Server following the OAuth2 protocol PKCE flow, coupled with my own Identity Provider. The idea is to be able to reuse the same identity provider across multiple SPAs.
To get a clearer picture I decided to draw a UML sequence diagram. This diagram details the different steps involved in the authorization process but also the authentication.
OAuth2-PKCE-Flow – UML Sequence diagram
Behind the scenes my idea was also to implement my own Identity Provider (IdP) to authenticate users.
I still want to share some information about Authentication and session management server side. I’m using a JWT Token based authentication system, meaning stateless. However, I need to be able to strongly log out users. To do that I’m going to use a refresh token that my Authorization Server will store in a Redis “session store” DB. The latter is then stateful.
Regarding the Authentication itself, it is handled by the IdP which will verify users’ credentials. The IdP hosts a login form (simply an HTML page that will be rendered). It’s worth saying that, unlike the login form, the consent form is hosted by the Authorization server since the concept of “consent” is only related to authorization.
Here come my questions:
What do you think about the flow shown in the diagram? I would definitely appreciate any feedback.
I’ve tried to understand the concepts of Identity Provider and Authorization Server and how they interact with each other. I’m not exactly sure who is supposed to generate the tokens (access and refresh). I would say it’s the job of the Identity Provider since the token is about authentication? If that’s the case, it would mean that the part of my diagram targeting the request/creation of the token is incorrect: the Authorization Server should request the token from the Identity Provider, whereas now it’s the Authorization Server itself which generates the token.
I inspected some web applications (google, github, stackoverflow) to see how they deal with their own authentication system. Let’s use the example of Stackoverflow. When I choose to log in using my stackoverflow account I expect the application to communicate with the Identity Provider which will provide the login form. The login form that’s used is the one from the web application itself, which means no redirection – we stay put, which makes sense yes. Let’s go further, imagine I want to use Stackoverflow as “social login” for my application. The Identity Server I would reach behind the Authorization Server to authenticate should be the same as the one reached earlier when authenticating from Stackoverflow. I’m wondering what concretely an Identity Provider is. Can it be that the client application itself acts as Identity Provider (since it hosts the login form)? Or is it just an API that provides endpoints for authenticating and generating tokens?
Even though I think I’ve got what the concept of OAuth2 is, as you can see the concept of Identity Provider coupled with the Authorization Server is a bit confusing to me.
Btw, I didn’t mention that I’m implementing all of that in Go.
Thanks for your help!