Auth
The Auth Plugin is a centralized service that provides authentication and authorization capabilities for Lerian Studio's applications. Built on top of an Identity Provider (IdP), this plugin offers:
- OAuth2/OIDC-compliant authentication flows
- Token issuance, validation, and refresh capabilities
- User information retrieval according to OIDC standards
- Permission enforcement for resources
- Performance optimization through caching mechanisms
This plugin serves as a middleware between Lerian’s applications and the underlying authorization server, providing a unified interface for all authentication and authorization needs while adding caching capabilities to improve performance.
Authentication and Authorization Flow
The plugin implements several key authentication and authorization flows:
Figure 1. Authentication and Authorization Flow (diagram not reproduced in this extract)
Authentication Flow
- Token Request
  - Client applications request access tokens using either:
    - Password grant (username/password for interactive users)
    - Client credentials grant (for service-to-service authentication)
  - The plugin forwards the request to the Identity Provider
  - Access token, refresh token, and optional ID token are returned
- Token Refresh
  - Client applications use refresh tokens to obtain new access tokens
  - The plugin validates the refresh token via the Identity Provider
  - A new access token is issued
- Token Validation
  - Access tokens are validated on each protected resource access
  - Validation results are cached for performance
  - Token claims are extracted to identify the subject
Authorization Flow
- Permission Enforcement
  - The client requests access to a resource with an action.
  - The plugin extracts the subject ID from the token.
  - The policy engine determines whether the subject has permission.
  - The result is cached for performance.
  - The authorization decision is returned.
- User Policies Retrieval
  - The client requests all policies for the authenticated user.
  - The plugin queries the policy engine for all permitted resources and actions.
  - Policies are returned as a map of resources to allowed actions.
User Information Flow
- User Profile Retrieval
  - The client requests user profile information.
  - The plugin validates the access token.
  - User details are retrieved from the Identity Provider.
  - OIDC-compliant user information is returned.
Logout Flow
- User Logout
  - The client sends a logout request with an ID token hint.
  - The plugin invalidates the tokens in the Identity Provider.
  - Cache entries are invalidated.
API Overview
The Auth Plugin provides secure identity management and access control for Lerian applications. APIs support:
- Authentication and token lifecycle management.
- Authorization and permission enforcement.
- User information retrieval.
Access to the Auth API is secured by strict permission controls. For technical details on endpoints and usage, check the Auth API documentation.
Policy Structure
The policy tables store permissions using the following pattern:
Policy Rule (ptype='p'):
p, <role>, <resource>, <action>, allow, <note>
Example:
p, lerian/identity-editor-role, users, get, allow, lerian/identity-editor-permission
This grants the identity-editor-role permission to perform the GET action on the users resource.
Group Assignment (ptype='g'):
g, <user_id>, <role>
Example:
g, user123, lerian/identity-editor-role
This assigns the user with ID user123 to the identity-editor-role role.
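The p/g pattern above and the User Policies Retrieval flow, worked through as an added example in Go (not the plugin's own code): it parses constructed policy lines of this shape, builds the resource-to-actions map for a subject, and answers a permission check with deny by default. The type names, the assumption that fields contain no spaces, and the sample user IDs are assumptions for this example.

```go
package main
import "strings"

// Constructed sample policy lines in the p/g pattern shown above (not the project's own data).
const SamplePolicies = `
p, lerian/identity-editor-role, users, get, allow, lerian/identity-editor-permission
p, lerian/identity-editor-role, users, update, allow, lerian/identity-editor-permission
p, lerian/identity-viewer-role, users, get, allow, lerian/identity-viewer-permission
g, user123, lerian/identity-editor-role
g, user456, lerian/identity-viewer-role
`
// Rule is one parsed "p" line; Policy keeps the allow rules and the {user, role} pairs from "g" lines.
type Rule struct{ Role, Resource, Action string }
type Policy struct {
	Rules []Rule
	Roles map[[2]string]bool
}
// ParsePolicy reads "p, role, resource, action, allow, note" and "g, user, role" lines (fields are
// assumed to contain no spaces). Malformed lines and any effect other than "allow" grant nothing.
func ParsePolicy(text string) *Policy {
	p := &Policy{Roles: map[[2]string]bool{}}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.ReplaceAll(line, ",", " "))
		switch {
		case len(f) >= 5 && f[0] == "p" && f[4] == "allow":
			p.Rules = append(p.Rules, Rule{f[1], f[2], f[3]})
		case len(f) == 3 && f[0] == "g":
			p.Roles[[2]string{f[1], f[2]}] = true
		}
	}
	return p
}

// UserPolicies builds the resource -> allowed-actions map that the user policies flow returns.
func (p *Policy) UserPolicies(user string) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, r := range p.Rules {
		if !p.Roles[[2]string{user, r.Role}] {
			continue // the subject does not hold this rule's role
		}
		if out[r.Resource] == nil {
			out[r.Resource] = map[string]bool{}
		}
		out[r.Resource][r.Action] = true
	}
	return out
}
// Enforce is the permission check: an unknown subject, resource or action is denied by default.
func (p *Policy) Enforce(user, resource, action string) bool {
	return p.UserPolicies(user)[resource][action]
}
```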
Data Storage and Caching
The plugin optimizes performance and security by leveraging a structured storage system and caching mechanisms:
- Policy Management: Stores access control policies for users and services.
- Token Introspection Cache: Caches token validation results to reduce redundant checks.
- Permission Cache: Stores authorization decisions to improve response time.
- User Policies Cache: Maintains a map of resources and actions for efficient access control.
Testing & Reliability
The plugin undergoes continuous testing to maintain reliability and security. Tests cover:
- Authentication and token validation flows
- Access control enforcement
- Performance and caching efficiency
Security assessments and monitoring ensure compliance with best practices and evolving security standards.