:rotating_light: This seriously breaks Auth UI and Admin UI functionality without backward compatibility. :rotating_light:
:exclamation: This MR will likely be split into smaller MRs. :exclamation:
Sync merge with
Summary
- Public container must not contain any auth-protected endpoints. They must be placed in the private container.
- All endpoints contained in the public container are also included in the private container (with the same authorization).
- All endpoints have been sorted into broad API categories and had a respective prefix added to their URL path (e.g. Seacat account management endpoints have been prefixed with /account).
- Dots and underscores in path names have been replaced with a dash - (e.g. /public/login-prologue instead of /public/login.prologue).
Complete table of endpoint path changes
seacat-auth-endpoints-rev-2024-02.ods
APIs
Public web container (default port 3081)
- /.well-known/ - standard well-known locations (OIDC)
- /openidconnect/ - OAuth 2.0 and OIDC API
- /public/ - core authentication API (login, logout, registration, lost password, cookie entry...)
Private web container (default port 8900)
- /account/ - Seacat Account API (change password, change email, configure login options...)
- /admin/ - Seacat Admin API (manage tenants, roles, credentials...)
  - seacat:access authorization required
- /nginx/ - internal nginx utilities (introspection)
- /asab/ - ASAB API
- /doc, /oauth2-redirect.html and /asab/v1/openapi - Swagger docs and OpenAPI
- /.well-known/, /openidconnect/ and /public/ as in the public container
TODO
- GET /tenant endpoint anymore
- /account/{tenant}/invite ?
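
The container rules from the summary can be checked mechanically against a route table, for example in CI. This is an added example, not code from the merge request or from Seacat Auth; the tuple format, the function name, the HTTP methods and the authorization value on the invite route are assumptions.

```python
import re

# Prefixes the MR description assigns to the public container.
PUBLIC_PREFIXES = ("/.well-known/", "/openidconnect/", "/public/")
# Paths the description itself lists with a dot; exempt from the naming rule.
NAMING_EXEMPT = ("/.well-known/", "/oauth2-redirect.html")


def check_routes(routes):
    """routes: (container, method, path, auth) tuples; container is "public"
    or "private", auth is None or the name of the required authorization.
    Returns a list of violations of the rules in the summary."""
    public = {(m, p): a for c, m, p, a in routes if c == "public"}
    private = {(m, p): a for c, m, p, a in routes if c == "private"}
    problems = []
    for (method, path), auth in public.items():
        ep = f"{method} {path}"
        if auth is not None:
            problems.append(f"{ep}: auth-protected endpoint in public container")
        if not path.startswith(PUBLIC_PREFIXES):
            problems.append(f"{ep}: prefix not allowed in public container")
        if (method, path) not in private:
            problems.append(f"{ep}: missing from private container")
        elif private[(method, path)] != auth:
            problems.append(f"{ep}: authorization differs between containers")
    for path in sorted({p for _, _, p, _ in routes}):
        static = re.sub(r"\{[^}]*\}", "", path)  # ignore {tenant}-style parameters
        if not path.startswith(NAMING_EXEMPT) and re.search(r"[._]", static):
            problems.append(f"{path}: dot or underscore in path name")
    return problems


# Constructed route table: paths come from the description, methods and
# the auth value on the invite route are assumptions for the demo.
SAMPLE_ROUTES = [
    ("public", "PUT", "/public/login-prologue", None),
    ("private", "PUT", "/public/login-prologue", None),
    ("public", "PUT", "/public/login.prologue", None),
    ("public", "POST", "/account/{tenant}/invite", "seacat:access"),
    ("private", "POST", "/account/{tenant}/invite", "seacat:access"),
]

if __name__ == "__main__":
    for line in check_routes(SAMPLE_ROUTES):
        print(line)
```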