Auth Service

From Ocean Framework Documentation Wiki

The Auth service performs all authentication and authorisation for Ocean, both internally between individual Ocean services and between services and external SSL clients such as user browsers. Authentication involves determining via username and password that the client is a known one. Only authenticated clients, ApiUsers, have access to the API. Authorisation is the process of determining whether authenticated ApiUsers have clearance to perform the specific REST API actions for which they are sending requests.

The Auth service manages ApiUsers and their assigned Roles and Groups and exposes a full REST API to allow any client to do so too, provided they have the required level of authorisation.

When services subsequently receive API requests from ApiUser clients, they will make a GET request to the Auth service with an authorisation request for each and every operation they are about to perform. The Auth service in each separate case responds yes or no, and the requesting service proceeds accordingly.

A central and important part of the Ocean architecture is the aggressive HTTP caching built into the system. All Ocean API requests, external and internal, are cached, and Ocean takes full advantage of this. Caching is integral to the authorisation mechanism: a repeated authorisation GET for the same ApiUser and operation is answered from cache rather than by the Auth service itself, which makes authorisation requests extremely efficient and fast.
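As an added example, not code from the Ocean project, the following Ruby sketch models the per-operation authorisation GET and the HTTP caching the paragraphs above rely on: a requesting service asks a stand-in Auth service whether an ApiUser may perform an action, keeps the answer for as long as the response's Cache-Control max-age allows, and counts how often the Auth service is actually contacted. The query shape (api_user, service, resource, action), the yes/no body and the max-age value are assumptions.

```ruby
# Added example, not Ocean's own code: per-operation authorisation GETs from a
# consuming service, with HTTP-style caching of the Auth service's answer.

# Stand-in for the Auth service's authorisation endpoint. The query shape
# (api_user, service, resource, action) and the max-age value are assumptions.
class FakeAuthService
  attr_reader :hits          # how many GETs actually reached the Auth service

  def initialize(allowed, max_age: 60)
    @allowed = allowed       # array of [api_user, service, resource, action] tuples
    @max_age = max_age
    @hits = 0
  end

  # Responds like an HTTP GET: status, Cache-Control header and a yes/no body.
  def get(query)
    @hits += 1
    ok = @allowed.include?(query.values_at(:api_user, :service, :resource, :action))
    { status: ok ? 200 : 403,
      headers: { 'Cache-Control' => "max-age=#{@max_age}" },
      body: ok ? 'yes' : 'no' }
  end
end

# The HTTP cache inside a requesting service, keyed on the full query, exactly
# as a cache keyed on the GET URL would be.
class CachingAuthClient
  def initialize(auth, clock: -> { Time.now })
    @auth = auth
    @clock = clock           # injectable so expiry can be demonstrated offline
    @cache = {}              # key => [expires_at, body]
  end

  def authorised?(api_user:, service:, resource:, action:)
    key = [api_user, service, resource, action]
    now = @clock.call
    expires_at, body = @cache[key]
    return body == 'yes' if expires_at && expires_at > now   # cache hit

    resp = @auth.get(api_user: api_user, service: service, resource: resource, action: action)
    ttl = resp[:headers]['Cache-Control'][/max-age=(\d+)/, 1].to_i
    @cache[key] = [now + ttl, resp[:body]] if ttl > 0        # both yes and no are cached
    resp[:body] == 'yes'
  end
end

# Constructed scenario: alice may GET media/pictures but not DELETE them.
def demo
  t = Time.at(1_000_000)
  auth = FakeAuthService.new([['alice', 'media', 'pictures', 'GET']], max_age: 60)
  client = CachingAuthClient.new(auth, clock: -> { t })
  q = { api_user: 'alice', service: 'media', resource: 'pictures' }

  r1 = client.authorised?(**q, action: 'GET')      # goes to the Auth service
  r2 = client.authorised?(**q, action: 'GET')      # served from cache
  r3 = client.authorised?(**q, action: 'DELETE')   # different key: Auth service again
  t += 61                                          # let the cached GET answer expire
  r4 = client.authorised?(**q, action: 'GET')      # re-fetched after expiry
  { results: [r1, r2, r3, r4], backend_hits: auth.hits }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The caveat this makes visible: an answer, yes or no, stays valid in every consuming service's cache until max-age expires, so a revoked Right keeps working until the cached "yes" ages out. The max-age chosen for authorisation responses therefore bounds how long a revoked permission can still be exercised, and should be set with that in mind.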

Design goals

The authentication and authorisation mechanism was designed to meet multiple needs:

  1. To create a completely flexible authorisation system of ApiUsers, Groups, Roles, and Rights, with which any organisational structure can be represented.
  2. To enforce that all API requests are authenticated and authorised at a very fine-grained level.
  3. To implement authentication and authorisation within Ocean.
  4. To implement authentication and authorisation for all external clients.
  5. To allow logins and logouts to an unlimited number of distinct client sites to be implemented.
  6. Extreme scalability: millions of users must be able to authenticate simultaneously.

Ocean's authentication and authorisation system meets all these requirements. Authentication is completely NoSQL-based and will scale to the limits of the data centre you are using.

Passwords are never stored in plaintext and can never be retrieved, even by the operators of the system. Internally, BCrypt is used for hashing passwords. The resulting hashes are irreversible, salted, and intentionally slow to compute. The BCrypt algorithm has been around since 2001 and has never yet been cracked.

Resources

The Service Resource: the services available in the system, along with descriptions of the resources supported by them and their associated combinations of access rights.
The Resource Resource: the resources handled by a Service.
The Right Resource: describes an access right.
The Role Resource: a combination of Rights which can be assigned to a Group or an ApiUser.
The Group Resource: a group of Roles and Rights which can be assigned to an ApiUser.
The ApiUser Resource: people and services for which to perform authentication and authorisation. ApiUsers can belong to any number of Groups and also have any number of individually assigned Roles.
The Authentication Resource: for authentication and authorisation.
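As an added example that is not part of the original page or of the Ocean code base, this Ruby model shows how the resources listed above relate: a Service declares its resources, a Right names one of them together with an action, Roles bundle Rights, Groups hold Roles and Rights, and an ApiUser's effective Rights are the union over its Groups and its individually assigned Roles. The (service, resource, action) shape of a Right, the hypothetical ServiceRegistry, and the exact-match, deny-by-default check are assumptions.

```ruby
# Added example, not Ocean's own code: how Rights flow to an ApiUser through its
# Groups and Roles, and how an authorisation question is answered from the
# resulting set. Rights are modelled as (service, resource, action) triples,
# which is an assumption about the Right resource's shape.

Right = Struct.new(:service, :resource, :action)

# Mirrors the Service resource: which resources each service supports. A Right
# may only name a resource its service actually declares (hypothetical helper).
class ServiceRegistry
  def initialize
    @services = {}           # service name => array of resource names
  end

  def add(service, resources)
    @services[service] = resources
  end

  def right(service, resource, action)
    unless @services.fetch(service, []).include?(resource)
      raise ArgumentError, "#{service} does not declare resource #{resource}"
    end
    Right.new(service, resource, action)
  end
end

# A Role is a named combination of Rights.
Role = Struct.new(:name, :rights)

# A Group carries Roles and directly attached Rights.
class Group
  attr_reader :name

  def initialize(name, roles: [], rights: [])
    @name, @roles, @rights = name, roles, rights
  end

  def effective_rights
    (@rights + @roles.flat_map(&:rights)).uniq
  end
end

# An ApiUser belongs to any number of Groups and holds any number of Roles.
class ApiUser
  attr_reader :username

  def initialize(username, groups: [], roles: [])
    @username, @groups, @roles = username, groups, roles
  end

  # Union of everything granted via Roles and via Groups (Struct equality dedups).
  def effective_rights
    (@roles.flat_map(&:rights) + @groups.flat_map(&:effective_rights)).uniq
  end

  # Deny by default: authorised only if some effective Right matches exactly.
  def authorised?(service, resource, action)
    effective_rights.include?(Right.new(service, resource, action))
  end
end

# Constructed organisation used for the checks below.
def build_demo
  registry = ServiceRegistry.new
  registry.add('media', %w[pictures videos])
  registry.add('auth', %w[api_users])

  read_pictures   = registry.right('media', 'pictures', 'GET')
  delete_pictures = registry.right('media', 'pictures', 'DELETE')
  manage_users    = registry.right('auth', 'api_users', 'POST')

  viewer  = Role.new('viewer', [read_pictures])
  editor  = Role.new('editor', [read_pictures, delete_pictures])
  editors = Group.new('editors', roles: [editor])
  admins  = Group.new('admins', roles: [editor], rights: [manage_users])

  { registry: registry,
    alice: ApiUser.new('alice', groups: [editors]),                   # rights only via a group
    bob:   ApiUser.new('bob', roles: [viewer]),                       # rights only via a role
    carol: ApiUser.new('carol', groups: [admins], roles: [viewer]) }  # both paths, overlapping
end

if $PROGRAM_NAME == __FILE__
  d = build_demo
  puts d[:carol].effective_rights.map(&:to_a).inspect
end
```

Two things worth noticing in the model: a Right attached directly to a Group (manage_users above) reaches every member without any Role, and the same Right arriving via two paths counts once. Removing an ApiUser from one Group therefore does not necessarily remove a Right that another Group or an individually assigned Role still grants; when revoking access, verify the effective set rather than just the single assignment that was removed.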

Authentication and Authorisation Sequence

[Figure: AuthSeq.png, the authentication and authorisation sequence diagram]

Resource and Class Structure

[Figure: AuthClasses.png, the resource and class structure diagram]

Source

https://github.com/OceanDev/auth