Auth
Auth is a centralized service that provides authentication and authorization capabilities for Lerian Studio's applications. Built on top of an Identity Provider (IdP), this service offers:
- OAuth2/OIDC-compliant authentication flows
- Token issuance, validation, and refresh capabilities
- User information retrieval according to OIDC standards
- Permission enforcement for resources
- Performance optimization through caching mechanisms
Auth serves as a middleware between Lerian’s applications and the underlying authorization server, providing a unified interface for all authentication and authorization needs while adding caching capabilities to improve performance.
Authentication and Authorization Flow
Auth implements several key authentication and authorization flows:

Figure 1. Authentication and Authorization Flow
Authentication Flow
- Token Request
  - Client applications request access tokens using either:
    - Password grant (username/password for interactive users)
    - Client credentials grant (for service-to-service authentication)
  - The request is forwarded to the Identity Provider
  - Access token, refresh token, and optional ID token are returned
- Token Refresh
  - Client applications use refresh tokens to obtain new access tokens
  - The refresh token is validated via the Identity Provider
  - A new access token is issued
- Token Validation
  - The access tokens are validated on protected resource access
  - The results are cached for performance optimization
  - Token claims are extracted to identify the subject
Authorization Flow
- Permission Enforcement
  - Client requests access to a resource with an action.
  - The subject ID is extracted from the token.
  - The policy engine determines if the subject has permission.
  - The result is cached for performance.
  - The authorization decision is returned.
- User Policies Retrieval
  - The client requests all policies for the authenticated user.
  - The policy engine is queried for all permitted resources and actions.
  - Policies are returned as a map of resources to the allowed actions.
User Information Flow
- User Profile Retrieval
  - The client requests user profile information.
  - The access token is validated.
  - User details are retrieved from the Identity Provider.
  - OIDC-compliant user information is returned.
Logout Flow
- User Logout
  - Client sends logout request with ID token hint.
  - The tokens are invalidated in the Identity Provider.
  - Cache entries are invalidated.
API Overview
Auth provides secure identity management and access control for Lerian applications. APIs support:
- Authentication and token lifecycle management.
- Authorization and permission enforcement.
- User information retrieval.
Access to the Auth APIs is secured by strict permission controls. For technical details on endpoints and usage, check the Auth APIs documentation.
Policy Structure
The policy tables store permissions using the following pattern:
Policy Rule (ptype='p'):
p, <role>, <resource>, <action>, allow, <note>
Example:
p, lerian/identity-editor-role, users, get, allow, lerian/identity-editor-permission
This grants the identity-editor-role permission to perform the GET action on the users resource.
Group Assignment (ptype='g'):
g, <user_id>, <role>
Example:
g, user123, lerian/identity-editor-role
This assigns the user with ID user123 to the identity-editor-role role.
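As an added illustration, not the project's own code, the following Python evaluator loads constructed rows in the p/g pattern above and performs the Permission Enforcement check and the User Policies Retrieval map described in the flows earlier; the sample rows, the deny-by-default handling and the function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample rows following the p/g pattern described above
# (illustrative data, not the project's real policy tables).
POLICY_ROWS = """
p, lerian/identity-editor-role, users, get, allow, lerian/identity-editor-permission
p, lerian/identity-editor-role, users, post, allow, lerian/identity-editor-permission
p, lerian/identity-viewer-role, users, get, allow, lerian/identity-viewer-permission
g, user123, lerian/identity-editor-role
g, user456, lerian/identity-viewer-role
"""


def load_policies(text):
    """Parse rows into role -> {resource -> set(actions)} and user -> set(roles)."""
    grants = defaultdict(lambda: defaultdict(set))
    roles_of = defaultdict(set)
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) >= 5:
            _, role, resource, action, effect, *_note = fields
            # Only an explicit "allow" creates a grant; anything else adds nothing,
            # so the evaluator stays deny-by-default (assumption of this example).
            if effect == "allow":
                grants[role][resource].add(action)
        elif fields[0] == "g" and len(fields) == 3:
            _, user_id, role = fields
            roles_of[user_id].add(role)
        else:
            raise ValueError(f"malformed policy row: {line!r}")
    return grants, roles_of


def user_policies(grants, roles_of, user_id):
    """User Policies Retrieval: map of resource -> sorted allowed actions."""
    allowed = defaultdict(set)
    for role in roles_of.get(user_id, ()):
        for resource, actions in grants.get(role, {}).items():
            allowed[resource] |= actions
    return {res: sorted(acts) for res, acts in allowed.items()}


def enforce(grants, roles_of, user_id, resource, action):
    """Permission Enforcement: allow only when a rule grants the action on the resource."""
    return action in user_policies(grants, roles_of, user_id).get(resource, [])


if __name__ == "__main__":
    g, r = load_policies(POLICY_ROWS)
    print(enforce(g, r, "user123", "users", "post"), user_policies(g, r, "user456"))
```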
Data Storage and Caching
Auth optimizes performance and security by leveraging a structured storage system and caching mechanisms:
- Policy Management: Stores access control policies for users and services.
- Token Introspection Cache: Caches token validation results to reduce redundant checks.
- Permission Cache: Stores authorization decisions to improve response time.
- User Policies Cache: Maintains a map of resources and actions for efficient access control.
Testing & Reliability
Auth undergoes continuous testing to maintain reliability and security. Tests cover:
- Authentication and token validation flows
- Access control enforcement
- Performance and caching efficiency
Security assessments and monitoring ensure compliance with best practices and evolving security standards.