The Auth service performs all authentication and authorisation for Ocean, both internally between individual Ocean services and between services and external SSL clients such as user browsers. Authentication involves determining via username and password that the client is a known one. Only authenticated clients, ApiUsers, have access to the API. Authorisation is the process of determining whether authenticated ApiUsers have clearance to perform the specific REST API actions for which they are sending requests.
When services subsequently receive API requests from ApiUser clients, they will make a
GET request to the Auth service with an authorisation request for each and every operation they are about to perform. The Auth service in each separate case responds yes or no, and the requesting service proceeds accordingly.
An central and important part of the Ocean architecture is the aggressive HTTP caching built into the system. All Ocean API requests, external and internal, are cached. Ocean takes full advantage of this property. It is integral to the authorisation mechanism, as it makes authorisation requests extremely efficient and fast.
The authentication and authorisation mechanism was designed to meet multiple needs:
- To create a completely flexible authorisation system of ApiUsers, Groups, Roles, and Rights, with which any organisational structure could be represented,
- To enforce that all API requests are authenticated and authorised on a very fine-grained level,
- To implement authentication and authorisation within Ocean,
- To implement authentication and authorisation for all external clients,
- To allow logins and logouts to an unlimited number of distinct client sites to be implemented.
- Extreme scalability. Millions of users must be able authenticate simultaneously.
Ocean's authentication and authorisation system meets all these requirements. Authentication is completely noSQL and will scale to the limits of the data centre you're using.
Passwords are never stored in plaintext format and can never be retrieved even by the operators of the system. Internally, BCrypt is used for hashing passwords. They are irreversible, salted, and intentionally designed to be slow. The BCrypt algorithm has been around since 2001 and has never yet been cracked.
- The Service Resource
- the services available in the system, along with descriptions of the resources supported by them and their associated combinations of access rights.
- The Resource Resource
- the resources handled by a Service.
- The Right Resource
- describes an access right
- The Role Resource
- a combination of Rights which can be assigned to a Group or an ApiUser
- The Group Resource
- a group of Roles and Rights which can be assigned to an ApiUser
- The ApiUser Resource
- people and services for which to perform authentication and authorisation. ApiUsers can belong to any number of Groups and also have any number of individually assigned Roles.
- The Authentication Resource
- for authentication and authorisation