|
| 1 | +# Authentication Guide |
| 2 | + |
| 3 | +This document provides comprehensive guidance on the OAuth 2.0 authentication flows supported by the Stickerlandia User Management Service. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +The Stickerlandia User Management Service implements a complete OAuth 2.0 authorization server using [OpenIddict](https://documentation.openiddict.com/), integrated with ASP.NET Core Identity for robust user management. |
| 8 | + |
| 9 | +### Key Components |
| 10 | +- **Authorization Server**: OpenIddict-based OAuth 2.0 implementation |
| 11 | +- **Identity Provider**: ASP.NET Core Identity with PostgreSQL storage |
| 12 | +- **User Model**: Custom `PostgresUserAccount` extending `IdentityUser` |
| 13 | +- **Security**: PKCE (Proof Key for Code Exchange) for enhanced security |
| 14 | + |
| 15 | +## OAuth 2.0 Endpoints |
| 16 | + |
| 17 | +The service exposes standard OAuth 2.0 endpoints: |
| 18 | + |
| 19 | +| Endpoint | URL | Purpose | |
| 20 | +|----------|-----|---------| |
| 21 | +| Authorization | `/api/users/v1/connect/authorize` | Initiate OAuth authorization flow | |
| 22 | +| Token | `/api/users/v1/connect/token` | Exchange authorization codes for tokens | |
| 23 | +| UserInfo | `/api/users/v1/connect/userinfo` | Retrieve user information using access token | |
| 24 | +| Logout | `/api/users/v1/connect/logout` | End user session | |
| 25 | + |
| 26 | +## Supported Authentication Flows |
| 27 | + |
| 28 | +### ✅ Authorization Code Flow with PKCE |
| 29 | + |
| 30 | +**Primary flow for client applications** - Recommended for SPAs, mobile apps, and web applications. |
| 31 | + |
| 32 | +**Features:** |
| 33 | +- Enhanced security with PKCE (Proof Key for Code Exchange) |
| 34 | +- Suitable for public clients (SPAs, mobile apps) |
| 35 | +- Supports refresh tokens for seamless user experience |
| 36 | +- Implements OpenID Connect for user identity |
| 37 | + |
| 38 | +**Scopes Supported:** |
| 39 | +- `email` - Access to user email address |
| 40 | +- `profile` - Access to user profile information (name, account details) |
| 41 | +- `roles` - Access to user roles and permissions |
| 42 | + |
| 43 | +### ✅ Refresh Token Flow |
| 44 | + |
| 45 | +**Token refresh capability** - Extends user sessions without re-authentication. |
| 46 | + |
| 47 | +**Features:** |
| 48 | +- Seamless token refresh without user interaction |
| 49 | +- Configurable token lifetimes |
| 50 | +- Automatic token rotation for enhanced security |
| 51 | + |
| 52 | +### ❌ Client Credentials Flow |
| 53 | + |
| 54 | +**Not Currently Implemented** - Service-to-service authentication can be implemented at a later date once service to service communication is required. |
| 55 | + |
| 56 | +### ❌ Other Flows |
| 57 | + |
| 58 | +The following OAuth 2.0 flows are **not supported** for security reasons: |
| 59 | +- **Implicit Flow** - Deprecated due to security vulnerabilities |
| 60 | +- **Resource Owner Password Credentials Flow** - Not recommended for modern applications |
| 61 | + |
| 62 | +## Authentication Flow Diagrams |
| 63 | + |
| 64 | +### Authorization Code Flow with PKCE |
| 65 | + |
| 66 | +```mermaid |
| 67 | +sequenceDiagram |
| 68 | + participant U as User |
| 69 | + participant C as Client App |
| 70 | + participant B as Browser |
| 71 | + participant AS as Auth Server |
| 72 | + participant RS as Resource Server (API) |
| 73 | +
|
| 74 | + Note over C,AS: 1. Client prepares PKCE parameters |
| 75 | + C->>C: Generate code_verifier (random string) |
| 76 | + C->>C: Generate code_challenge = SHA256(code_verifier) |
| 77 | +
|
| 78 | + Note over U,AS: 2. Authorization Request |
| 79 | + U->>C: Click "Login" |
| 80 | + C->>B: Redirect to /api/users/v1/connect/authorize?<br/>response_type=code&<br/>client_id=spa-client&<br/>redirect_uri=https://app.com/callback&<br/>scope=email profile&<br/>code_challenge=xyz&<br/>code_challenge_method=S256&<br/>state=random-state |
| 81 | + B->>AS: GET /api/users/v1/connect/authorize |
| 82 | +
|
| 83 | + Note over AS,B: 3. User Authentication & Consent |
| 84 | + AS->>B: Show login page |
| 85 | + U->>B: Enter credentials |
| 86 | + B->>AS: POST login credentials |
| 87 | + AS->>AS: Validate user credentials |
| 88 | + AS->>B: Show consent page (if required) |
| 89 | + U->>B: Grant permissions |
| 90 | + B->>AS: POST consent approval |
| 91 | +
|
| 92 | + Note over AS,C: 4. Authorization Response |
| 93 | + AS->>B: Redirect to callback?<br/>code=auth-code-123&<br/>state=random-state |
| 94 | + B->>C: Follow redirect with authorization code |
| 95 | +
|
| 96 | + Note over C,AS: 5. Token Exchange |
| 97 | + C->>AS: POST /api/users/v1/connect/token<br/>grant_type=authorization_code&<br/>code=auth-code-123&<br/>client_id=spa-client&<br/>code_verifier=original-verifier&<br/>redirect_uri=https://app.com/callback |
| 98 | + AS->>AS: Validate code_verifier against code_challenge |
| 99 | + AS->>C: Return tokens:<br/>{<br/> "access_token": "...",<br/> "refresh_token": "...",<br/> "id_token": "...",<br/> "token_type": "Bearer",<br/> "expires_in": 3600<br/>} |
| 100 | +
|
| 101 | + Note over C,RS: 6. Access Protected Resources |
| 102 | + C->>RS: GET /api/users/v1/details<br/>Authorization: Bearer access-token |
| 103 | + RS->>RS: Validate JWT token |
| 104 | + RS->>C: Return user data |
| 105 | +``` |
| 106 | + |
| 107 | +### User Registration Flow |
| 108 | + |
| 109 | +```mermaid |
| 110 | +sequenceDiagram |
| 111 | + participant U as User |
| 112 | + participant C as Client App |
| 113 | + participant AS as Auth Server |
| 114 | + participant DB as Database |
| 115 | + participant ES as Event System |
| 116 | +
|
| 117 | + Note over U,DB: User Registration Process |
| 118 | + U->>C: Fill registration form |
| 119 | + C->>AS: POST /api/users/v1/register<br/>{<br/> "email": "user@example.com",<br/> "password": "secure-password",<br/> "firstName": "John",<br/> "lastName": "Doe"<br/>} |
| 120 | + |
| 121 | + AS->>AS: Validate input data |
| 122 | + AS->>AS: Hash password |
| 123 | + AS->>DB: Create user record |
| 124 | + DB->>AS: Confirm user created |
| 125 | + |
| 126 | + AS->>ES: Publish userRegistered.v1 event<br/>(via outbox pattern) |
| 127 | + AS->>C: Return 201 Created<br/>{<br/> "userId": "user-123",<br/> "email": "user@example.com"<br/>} |
| 128 | + |
| 129 | + Note over ES: Background Processing |
| 130 | + ES->>ES: Process outbox events |
| 131 | + ES->>ES: Send welcome email |
| 132 | + ES->>ES: Initialize user preferences |
| 133 | + |
| 134 | + C->>U: Show registration success |
| 135 | + C->>U: Redirect to login |
| 136 | +``` |
| 137 | + |
| 138 | +### Token Refresh Flow |
| 139 | + |
| 140 | +```mermaid |
| 141 | +sequenceDiagram |
| 142 | + participant C as Client App |
| 143 | + participant AS as Auth Server |
| 144 | + participant RS as Resource Server |
| 145 | +
|
| 146 | + Note over C,AS: Token Refresh Process |
| 147 | + C->>RS: API Request with expired token |
| 148 | + RS->>C: 401 Unauthorized (token expired) |
| 149 | + |
| 150 | + C->>C: Check if refresh token available |
| 151 | + C->>AS: POST /api/users/v1/connect/token<br/>grant_type=refresh_token&<br/>refresh_token=refresh-token-123&<br/>client_id=spa-client |
| 152 | + |
| 153 | + AS->>AS: Validate refresh token |
| 154 | + AS->>AS: Generate new tokens |
| 155 | + AS->>C: Return new tokens:<br/>{<br/> "access_token": "new-access-token",<br/> "refresh_token": "new-refresh-token",<br/> "token_type": "Bearer",<br/> "expires_in": 3600<br/>} |
| 156 | + |
| 157 | + C->>C: Store new tokens |
| 158 | + C->>RS: Retry API request with new token<br/>Authorization: Bearer new-access-token |
| 159 | + RS->>C: 200 OK with data |
| 160 | +``` |
| 161 | + |
| 162 | +### Logout Flow |
| 163 | + |
| 164 | +```mermaid |
| 165 | +sequenceDiagram |
| 166 | + participant U as User |
| 167 | + participant C as Client App |
| 168 | + participant AS as Auth Server |
| 169 | + participant DB as Database |
| 170 | +
|
| 171 | + Note over U,DB: User Logout Process |
| 172 | + U->>C: Click "Logout" |
| 173 | + C->>AS: POST /api/users/v1/connect/logout<br/>id_token_hint=user-id-token&<br/>post_logout_redirect_uri=https://app.com/logged-out |
| 174 | + |
| 175 | + AS->>DB: Revoke user session |
| 176 | + AS->>DB: Invalidate refresh tokens |
| 177 | + DB->>AS: Confirm tokens revoked |
| 178 | + |
| 179 | + AS->>C: Redirect to post_logout_redirect_uri |
| 180 | + C->>C: Clear local tokens |
| 181 | + C->>U: Show "Logged out successfully" |
| 182 | +``` |
0 commit comments