Authentication & Authorization
Light-Portal is a single-page application (SPA) that utilizes both the OAuth 2.0 Authorization Code and Client Credentials flows.
The following pattern illustrates the end-to-end process recommended by the Light Platform for an SPA interacting with downstream APIs.
Sequence Diagram
sequenceDiagram
participant PortalView as Portal View
participant LoginView as Login View
participant Gateway as Light Gateway
participant OAuthKafka as OAuth-Kafka
participant AuthService as Auth Service
participant ProxySidecar as Proxy Sidecar
participant BackendAPI as Backend API
PortalView ->> LoginView: 1. Signin redirect
LoginView ->> OAuthKafka: 2. Authenticate user
OAuthKafka ->> AuthService: 3. Authenticate User<br/>(Active Directory<br/>for Employees)<br/>(CIF System<br/>for Customers)
AuthService ->> OAuthKafka: 4. Authenticated
OAuthKafka ->> OAuthKafka: 5. Generate auth code
OAuthKafka ->> PortalView: 6. Redirect with code
PortalView ->> Gateway: 7. Authorization URL<br/>with code param
Gateway ->> OAuthKafka: 8. Create JWT access<br/>token with code
OAuthKafka ->> OAuthKafka: 9. Generate JWT<br/>access token<br/>with user claims
OAuthKafka ->> Gateway: 10. Token returns<br/>to Gateway
Gateway ->> PortalView: 11. Token returns<br/>to Portal View<br/>in Secure Cookie
PortalView ->> Gateway: 12. Call Backend API
Gateway ->> Gateway: 13. Verify the token
Gateway ->> OAuthKafka: 14. Create Client<br/>Credentials token
OAuthKafka ->> OAuthKafka: 15. Generate Token<br/>with Scopes
OAuthKafka ->> Gateway: 16. Return the<br/>scope token
Gateway ->> Gateway: 17. Add scope<br/>token to<br/>X-Scope-Token<br/>Header
Gateway ->> ProxySidecar: 18. Invoke API
ProxySidecar ->> ProxySidecar: 19. Verify<br/>Authorization<br/>token
ProxySidecar ->> ProxySidecar: 20. Verify<br/>X-Scope-Token
ProxySidecar ->> ProxySidecar: 21. Fine-Grained<br/>Authorization
ProxySidecar ->> BackendAPI: 22. Invoke<br/>business API
BackendAPI ->> ProxySidecar: 23. Business API<br/>response
ProxySidecar ->> ProxySidecar: 24. Fine-Grained<br/>response filter
ProxySidecar ->> Gateway: 25. Return response
Gateway ->> PortalView: 26. Return response
-
When a user visits the website to access the single-page application (SPA), the Light Gateway serves the SPA to the user's browser. Each single page application will have a dedicated Light Gateway instance acts as a BFF. By default, the user is not logged in and can only access limited site features. To unlock additional features, the user can click the
Userbutton in the header and select theSign Inmenu. This action redirects the browser from the Portal View to the Login View, both served by the same Light Gateway instance. -
On the Login View page, the user can either input a username and password or choose Google/Facebook for authentication. When the login form is submitted, the request is sent to the Light Gateway with the user's credentials. The Gateway forwards this request to the OAuth Kafka service.
-
OAuth Kafka supports multiple authenticator implementations to verify user credentials. Examples include authenticating via the Light Portal user database, Active Directory for employees, or CIF service for customers.
-
Once authentication is successfully completed, the OAuth Kafka responds with the authentication result.
-
Upon successful authentication, OAuth Kafka generates an authorization code (a UUID associated with the user's profile).
-
OAuth Kafka redirects the authorization code back to the browser at the Portal View via the Gateway.
-
Since the Portal View SPA lacks a dedicated redirect route for the authorization code, the browser sends the code as a query parameter in a request to the Gateway.
-
The
StatelessAuthHandlerin the Gateway processes this request, initiating a token request to OAuth Kafka to obtain a JWT access token. -
OAuth Kafka generates an access token containing user claims in its custom JWT claims. The authorization code is then invalidated, as it is single-use.
-
The access token is returned to the Gateway.
-
The
StatelessAuthHandlerin the Gateway stores the access token in a secure cookie and sends it back to the Portal View. -
When the Portal View SPA makes requests to backend APIs, it includes the secure cookie in the API request sent to the Gateway.
-
The
StatelessAuthHandlerin the Gateway validates the token in the secure cookie and places it in theAuthorizationheader of the outgoing request. -
If the token is successfully validated, the
TokenHandlerin the Gateway makes a request to OAuth Kafka for a client credentials token, using the path prefix of the API endpoint. -
OAuth Kafka generates a client credentials token with the appropriate scope for accessing the downstream service.
-
The client credentials token is returned to the Gateway.
-
The
TokenHandlerin the Gateway inserts this token into theX-Scope-Tokenheader of the original request. -
The Gateway routes the original request, now containing both tokens, to the downstream
proxy sidecarof the backend API. -
The proxy sidecar validates the
Authorizationtoken, verifying its signature, expiration, and other attributes. -
The proxy sidecar also validates the
X-Scope-Token, ensuring its signature, expiration, and scope are correct. -
Once both tokens are successfully validated, the proxy sidecar enforces fine-grained authorization rules based on the user's custom security profile contained in the
Authorizationtoken. -
If the fine-grained authorization checks are passed, the proxy sidecar forwards the request to the backend API.
-
The backend API processes the request and sends the full response back to the
proxy sidecar. -
The proxy sidecar applies fine-grained filters to the response, reducing the number of rows and/or columns based on the user's security profile or other policies.
-
The proxy sidecar returns the filtered response to the Gateway.
-
The Gateway forwards the response to the Portal View, allowing the SPA to render the page.