Skip to content

Commit 34cb03b

Browse files
authored
Merge pull request #62 from DataDog/feat/add-login-ui
feat: add full OAuth2 flows and login UI
1 parent 7d71284 commit 34cb03b

82 files changed

Lines changed: 2841 additions & 1037 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

user-management/README.md

Lines changed: 79 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,46 @@
1-
# User Management Service
1+
# Stickerlandia User Management Service
22

3-
The User Management Service manages users. It provides one primary API:
3+
The **Stickerlandia User Management Service** is a comprehensive, cloud-native user authentication and management system built with .NET 8. It serves as a complete OAuth 2.0 authorization server and user management platform, designed with **platform adaptability** as a core principle to run seamlessly on Azure, AWS, or any cloud-agnostic container orchestrator.
44

5-
- **User Management API** (`/api/users/v1`) - Manages users and provides OAuth 2.0 endpoints for AuthN/Z
5+
## What This Application Does
6+
7+
The User Management Service provides a complete identity and access management solution for the Stickerlandia ecosystem:
8+
9+
### 🔐 **OAuth 2.0 Authorization Server**
10+
- Full OAuth 2.0 authorization server implementation using [OpenIddict](https://documentation.openiddict.com/)
11+
- Authorization Code Flow with PKCE support for frontend applications (SPAs, mobile apps)
12+
- Refresh token support for seamless user experience
13+
- Secure user authentication and authorization
14+
- Standard OAuth 2.0 endpoints: `/connect/authorize`, `/connect/token`, `/connect/logout`, `/connect/userinfo`
15+
16+
### 👥 **User Account Management**
17+
- User registration and profile management
18+
- ASP.NET Core Identity integration with custom user models
19+
- Account tiers and types support
20+
- Sticker tracking and gamification features
21+
- Self-service account updates
22+
23+
### 🚀 **Event-Driven Architecture**
24+
- Publishes user lifecycle events (registration, profile updates)
25+
- Processes external events (sticker claiming)
26+
- Implements outbox pattern for reliable event delivery
27+
- Platform-specific messaging: SNS/SQS (AWS), Service Bus (Azure), Kafka (Agnostic)
28+
29+
### 🌐 **Multi-Platform Support**
30+
- **Azure Native**: Azure Functions, Service Bus, PostgreSQL
31+
- **AWS Native**: Lambda functions, SNS/SQS, PostgreSQL
32+
- **Cloud Agnostic**: Kafka, PostgreSQL, containerized workers
33+
34+
### 📊 **Production-Ready Features**
35+
- Comprehensive health monitoring and observability
36+
- Structured logging and error handling (RFC 7807 Problem Details)
37+
- Static code analysis and quality enforcement
38+
- Full test coverage with platform-specific integration tests
39+
- Infrastructure as Code for AWS (CDK) and Azure (Terraform)
40+
41+
The service provides one primary API:
42+
43+
- **User Management API** (`/api/users/v1`) - RESTful API for user operations and OAuth 2.0 endpoints
644

745
## Architecture
846

@@ -46,20 +84,51 @@ The AWS native implementation of the user management service uses a combination
4684

4785
You can find the full [Open API specification in the docs folder](./docs/api.yaml).
4886

49-
## Features
50-
51-
- Register users
52-
- OIDC authorization code flow (frontend app) and client credentials flow (service->service)
53-
- Get and update user accounts
87+
## Key Features
88+
89+
### Authentication & Authorization
90+
- **OAuth 2.0 Authorization Server** - Complete implementation with OpenIddict
91+
- **Authorization Code Flow with PKCE** - Secure authentication for SPAs and mobile apps
92+
- **Refresh Token Support** - Seamless token refresh for better UX
93+
- **Multiple Scopes** - Support for `email`, `profile`, and `roles` scopes
94+
- **ASP.NET Core Identity Integration** - Robust user management with custom models
95+
96+
### User Management
97+
- **User Registration** - Self-service account creation with validation
98+
- **Profile Management** - Update user details, preferences, and settings
99+
- **Account Tiers & Types** - Support for different user account levels
100+
- **Sticker Gamification** - Track and manage user sticker collections
101+
- **Security** - JWT-based API authentication with proper access controls
102+
103+
### Platform Adaptability
104+
- **Multi-Cloud Support** - Deploy on Azure, AWS, or cloud-agnostic platforms
105+
- **Flexible Architecture** - Ports and adapters pattern for clean separation
106+
- **Event-Driven Design** - Reliable event publishing with outbox pattern
107+
- **Background Processing** - Platform-specific workers (Functions, Lambda, containers)
108+
109+
### Developer Experience
110+
- **.NET Aspire Integration** - Local development with different platform profiles
111+
- **Comprehensive Testing** - Unit and integration tests for all platforms
112+
- **API Documentation** - OpenAPI and AsyncAPI specifications
113+
- **Infrastructure as Code** - AWS CDK and Azure Terraform templates
54114

55115
## Events
56116

57117
You can find the full [Async API specification for events published and received in the docs folder](./docs/async_api.yaml)
58118

59119
## Authentication
60120

61-
All API endpoints (except `/health` and `/register`) require authentication via JWT token in the Authorization header.
62-
Access controls ensure users can only operate on their own accounts unless they have admin privileges.
121+
The service implements a complete OAuth 2.0 authorization server using [OpenIddict](https://documentation.openiddict.com/). For detailed authentication flows and integration guidance, see [Authentication Documentation](./docs/Auth.md).
122+
123+
### Quick Overview
124+
- **Endpoints**: Authorization (`/connect/authorize`), Token (`/connect/token`), Logout (`/connect/logout`), UserInfo (`/connect/userinfo`)
125+
- **Supported Flows**: Authorization Code with PKCE, Refresh Token
126+
- **Scopes**: `email`, `profile`, `roles`
127+
- **API Authentication**: JWT Bearer tokens required for all endpoints except `/health` and `/register`
128+
- **Access Control**: Users can only operate on their own accounts unless they have admin privileges
129+
130+
### For Client Applications
131+
To integrate with this OAuth 2.0 server, client applications should implement the Authorization Code Flow with PKCE. See the [Auth.md documentation](./docs/Auth.md) for sequence diagrams.
63132

64133
## Error Handling
65134

user-management/docs/Auth.md

Lines changed: 182 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,182 @@
1+
# Authentication Guide
2+
3+
This document provides comprehensive guidance on the OAuth 2.0 authentication flows supported by the Stickerlandia User Management Service.
4+
5+
## Overview
6+
7+
The Stickerlandia User Management Service implements a complete OAuth 2.0 authorization server using [OpenIddict](https://documentation.openiddict.com/), integrated with ASP.NET Core Identity for robust user management.
8+
9+
### Key Components
10+
- **Authorization Server**: OpenIddict-based OAuth 2.0 implementation
11+
- **Identity Provider**: ASP.NET Core Identity with PostgreSQL storage
12+
- **User Model**: Custom `PostgresUserAccount` extending `IdentityUser`
13+
- **Security**: PKCE (Proof Key for Code Exchange) for enhanced security
14+
15+
## OAuth 2.0 Endpoints
16+
17+
The service exposes standard OAuth 2.0 endpoints:
18+
19+
| Endpoint | URL | Purpose |
20+
|----------|-----|---------|
21+
| Authorization | `/api/users/v1/connect/authorize` | Initiate OAuth authorization flow |
22+
| Token | `/api/users/v1/connect/token` | Exchange authorization codes for tokens |
23+
| UserInfo | `/api/users/v1/connect/userinfo` | Retrieve user information using access token |
24+
| Logout | `/api/users/v1/connect/logout` | End user session |
25+
26+
## Supported Authentication Flows
27+
28+
### ✅ Authorization Code Flow with PKCE
29+
30+
**Primary flow for client applications** - Recommended for SPAs, mobile apps, and web applications.
31+
32+
**Features:**
33+
- Enhanced security with PKCE (Proof Key for Code Exchange)
34+
- Suitable for public clients (SPAs, mobile apps)
35+
- Supports refresh tokens for seamless user experience
36+
- Implements OpenID Connect for user identity
37+
38+
**Scopes Supported:**
39+
- `email` - Access to user email address
40+
- `profile` - Access to user profile information (name, account details)
41+
- `roles` - Access to user roles and permissions
42+
43+
### ✅ Refresh Token Flow
44+
45+
**Token refresh capability** - Extends user sessions without re-authentication.
46+
47+
**Features:**
48+
- Seamless token refresh without user interaction
49+
- Configurable token lifetimes
50+
- Automatic token rotation for enhanced security
51+
52+
### ❌ Client Credentials Flow
53+
54+
**Not Currently Implemented** - Service-to-service authentication can be implemented at a later date once service to service communication is required.
55+
56+
### ❌ Other Flows
57+
58+
The following OAuth 2.0 flows are **not supported** for security reasons:
59+
- **Implicit Flow** - Deprecated due to security vulnerabilities
60+
- **Resource Owner Password Credentials Flow** - Not recommended for modern applications
61+
62+
## Authentication Flow Diagrams
63+
64+
### Authorization Code Flow with PKCE
65+
66+
```mermaid
67+
sequenceDiagram
68+
participant U as User
69+
participant C as Client App
70+
participant B as Browser
71+
participant AS as Auth Server
72+
participant RS as Resource Server (API)
73+
74+
Note over C,AS: 1. Client prepares PKCE parameters
75+
C->>C: Generate code_verifier (random string)
76+
C->>C: Generate code_challenge = SHA256(code_verifier)
77+
78+
Note over U,AS: 2. Authorization Request
79+
U->>C: Click "Login"
80+
C->>B: Redirect to /api/users/v1/connect/authorize?<br/>response_type=code&<br/>client_id=spa-client&<br/>redirect_uri=https://app.com/callback&<br/>scope=email profile&<br/>code_challenge=xyz&<br/>code_challenge_method=S256&<br/>state=random-state
81+
B->>AS: GET /api/users/v1/connect/authorize
82+
83+
Note over AS,B: 3. User Authentication & Consent
84+
AS->>B: Show login page
85+
U->>B: Enter credentials
86+
B->>AS: POST login credentials
87+
AS->>AS: Validate user credentials
88+
AS->>B: Show consent page (if required)
89+
U->>B: Grant permissions
90+
B->>AS: POST consent approval
91+
92+
Note over AS,C: 4. Authorization Response
93+
AS->>B: Redirect to callback?<br/>code=auth-code-123&<br/>state=random-state
94+
B->>C: Follow redirect with authorization code
95+
96+
Note over C,AS: 5. Token Exchange
97+
C->>AS: POST /api/users/v1/connect/token<br/>grant_type=authorization_code&<br/>code=auth-code-123&<br/>client_id=spa-client&<br/>code_verifier=original-verifier&<br/>redirect_uri=https://app.com/callback
98+
AS->>AS: Validate code_verifier against code_challenge
99+
AS->>C: Return tokens:<br/>{<br/> "access_token": "...",<br/> "refresh_token": "...",<br/> "id_token": "...",<br/> "token_type": "Bearer",<br/> "expires_in": 3600<br/>}
100+
101+
Note over C,RS: 6. Access Protected Resources
102+
C->>RS: GET /api/users/v1/details<br/>Authorization: Bearer access-token
103+
RS->>RS: Validate JWT token
104+
RS->>C: Return user data
105+
```
106+
107+
### User Registration Flow
108+
109+
```mermaid
110+
sequenceDiagram
111+
participant U as User
112+
participant C as Client App
113+
participant AS as Auth Server
114+
participant DB as Database
115+
participant ES as Event System
116+
117+
Note over U,DB: User Registration Process
118+
U->>C: Fill registration form
119+
C->>AS: POST /api/users/v1/register<br/>{<br/> "email": "user@example.com",<br/> "password": "secure-password",<br/> "firstName": "John",<br/> "lastName": "Doe"<br/>}
120+
121+
AS->>AS: Validate input data
122+
AS->>AS: Hash password
123+
AS->>DB: Create user record
124+
DB->>AS: Confirm user created
125+
126+
AS->>ES: Publish userRegistered.v1 event<br/>(via outbox pattern)
127+
AS->>C: Return 201 Created<br/>{<br/> "userId": "user-123",<br/> "email": "user@example.com"<br/>}
128+
129+
Note over ES: Background Processing
130+
ES->>ES: Process outbox events
131+
ES->>ES: Send welcome email
132+
ES->>ES: Initialize user preferences
133+
134+
C->>U: Show registration success
135+
C->>U: Redirect to login
136+
```
137+
138+
### Token Refresh Flow
139+
140+
```mermaid
141+
sequenceDiagram
142+
participant C as Client App
143+
participant AS as Auth Server
144+
participant RS as Resource Server
145+
146+
Note over C,AS: Token Refresh Process
147+
C->>RS: API Request with expired token
148+
RS->>C: 401 Unauthorized (token expired)
149+
150+
C->>C: Check if refresh token available
151+
C->>AS: POST /api/users/v1/connect/token<br/>grant_type=refresh_token&<br/>refresh_token=refresh-token-123&<br/>client_id=spa-client
152+
153+
AS->>AS: Validate refresh token
154+
AS->>AS: Generate new tokens
155+
AS->>C: Return new tokens:<br/>{<br/> "access_token": "new-access-token",<br/> "refresh_token": "new-refresh-token",<br/> "token_type": "Bearer",<br/> "expires_in": 3600<br/>}
156+
157+
C->>C: Store new tokens
158+
C->>RS: Retry API request with new token<br/>Authorization: Bearer new-access-token
159+
RS->>C: 200 OK with data
160+
```
161+
162+
### Logout Flow
163+
164+
```mermaid
165+
sequenceDiagram
166+
participant U as User
167+
participant C as Client App
168+
participant AS as Auth Server
169+
participant DB as Database
170+
171+
Note over U,DB: User Logout Process
172+
U->>C: Click "Logout"
173+
C->>AS: POST /api/users/v1/connect/logout<br/>id_token_hint=user-id-token&<br/>post_logout_redirect_uri=https://app.com/logged-out
174+
175+
AS->>DB: Revoke user session
176+
AS->>DB: Invalidate refresh tokens
177+
DB->>AS: Confirm tokens revoked
178+
179+
AS->>C: Redirect to post_logout_redirect_uri
180+
C->>C: Clear local tokens
181+
C->>U: Show "Logged out successfully"
182+
```

0 commit comments

Comments
 (0)