go-bazzinga / hot-or-not-auth


Auth web flow design discussion #82

Open rosarp-gobazzinga opened 3 months ago

rosarp-gobazzinga commented 3 months ago

```mermaid
---
title: Auth flow with IndexedDB
---
sequenceDiagram
    actor client as Client Device
    participant ssr as SSR Backend

    client->>ssr: Requests page first time
    destroy ssr
    ssr-->>client: Home page loaded
    create participant auth as Auth Service
    client->>auth: Makes a REST <br/> call /generate_session
    Note over auth: Creates Private KeyPair <br/> & Delegated Session KeyPair <br/> for a user <br/> using random seed
    Note over auth: Delegated Session is <br/> valid for 30 minutes

    create participant kv as Key Value Store
    auth->>kv: Store User's private KeyPair
    auth-->>client: Sends delegated session

    Note over client: Client stores delegated <br/> session in IndexedDB

    %% ----- OAuth2 Login Flow -----
    Note over client: When client clicks on login
    client->>auth: Redirects to <br/> /<pubkey>
    Note over auth: Validates pubkey <br/> existence, if not <br/> returns with error
    auth-->>client: Shows login <br/> options page

    Note over client: Client clicks on <br/> google login page
    create participant google as Google OAuth2
    client->>google: Redirects to google URL
    Note over google: User logs in
    google-->>auth: Redirects back <br/> with auth_code <br/> to /verify_oauth2
    Note over auth: Verifies auth_code <br/> & retrieves google_id
    auth--)kv: Associates pubkey to google_id
    auth-->>client: Redirects <br/> with /refresh_token_handler<br/>/encrypted(ULID) in url

    client->>auth: FETCH call /new_session<br/>/encrypted(ULID)
    Note over auth: Verifies ULID expiry
    Note over auth: Creates new delegated session
    auth-->>client: Returns delegated session
    Note over client: Updates delegated session in IndexedDB
```

rosarp-gobazzinga commented 3 months ago

Auth flow with IndexedDB:

Pros of using above workflow:

Cons of using above workflow:

@saikatdas0790 @rupansh-gob

rosarp-gobazzinga commented 3 months ago

```mermaid
---
title: Auth flow with cookies
---
sequenceDiagram
    autonumber
    actor client as Client Device
    participant ssr as SSR Backend

    client->>ssr: Requests page first time
    ssr-->>client: Home page loaded
    client->>ssr: Requests delegated <br/> session
    create participant auth as Auth Service
    ssr->>auth: Makes a REST <br/> call /anonymous_identity
    Note over auth: Creates Private KeyPair <br/> & Delegated Session KeyPair <br/> for a user <br/> using random seed
    Note over auth: Delegated Session is <br/> valid for 30 minutes

    create participant kv as Key Value Store
    auth--)kv: Store User's <br/> private & <br/> session KeyPair
    auth-->>ssr: Sends delegated session <br/> & (signature + pubkey) as pubkey <br/> & (signature + expiration) as expiration
    Note over ssr: Cookie is set <br/> for SSR domain
    ssr-->>client: Sends delegated session <br/> & sets pubkey <br/> & expiration <br/> in cookie

    %% ----- OAuth2 Login Flow -----
    Note over client: When client clicks on login
    client->>ssr: Requests for <br/> refresh token
    ssr->>auth: Sends pubkey & <br/> expiration (with signature) <br/> in REST payload <br/> to /refresh_token
    Note over auth: Validates signatures of payload, <br/> Generates ULID, <br/> & associates pubkey
    auth--)kv: Stores <ULID, pubkey> in kv
    auth-->>ssr: Returns <br/> signature + ULID
    ssr->>auth: Redirects to <br/> /<signature + ULID>
    Note over auth: Validates signature
    auth--)kv: Retrieves pubkey using ULID
    Note over auth: Cookie is set <br/> for Auth domain
    Note over auth: Sets temp cookie <br/> on auth with <br/> signature + pubkey
    auth-->>client: Shows login options page

    Note over client: Client clicks <br/> on google <br/> login page
    client--)auth: Sends request <br/> to /google/login/url <br/> Validates signature + pubkey <br/> Returns google URL
    create participant google as Google OAuth2
    client->>google: Redirects to google URL
    Note over google: User logs in
    google-->>auth: Redirects back <br/> with auth_code <br/> to /verify_oauth2
    Note over auth: Verifies auth_code <br/> & retrieves google_id
    destroy kv
    auth--)kv: Associates pubkey to google_id
    auth-->>ssr: Redirects to /oauth2_response_handler <br/>/<encrypted(google_id)>
    ssr--)auth: REST call to <br/> /generate_session <br/>/<encrypted(google_id)> <br/> Returns delegated session
    Note over auth: Verifies & retrieves pubkey <br/> generates delegated session
    ssr-->>client: Receives delegated session
```

rosarp-gobazzinga commented 3 months ago

Auth flow with IndexedDB:

Pros of using above workflow:

Cons of using above workflow:

@saikatdas0790 @rupansh-gob

rosarp-gobazzinga commented 3 months ago

```mermaid
---
title: Auth flow with cookies & Sync Popup/tab
---
sequenceDiagram
    autonumber
    actor client as Client Device
    participant ssr as SSR Backend
    participant auth as Auth Service
    participant kv as Key Value Store

    client->>ssr: Requests page first time
    ssr-->>client: Home page loaded
    client->>ssr: Requests delegated <br/> session
    alt If cookie found
        ssr->>auth: Makes a REST <br/> call /renew_identity <br/> with cookie contents <br/> in POST payload
        alt if valid payload
            auth--)kv: Fetch KeyPair from pubkey
            Note over auth: Re-Generate Delegated <br/> session for this pubkey
        else if invalid payload
            Note over auth: GoTo /anonymous_identity
        end
    else if cookie not found [anonymous_identity]
        ssr->>auth: Makes a REST <br/> call /anonymous_identity
        Note over auth: Creates Private KeyPair <br/> & Delegated Session KeyPair <br/> for a user <br/> using random seed
        Note over auth: Delegated Session is <br/> valid for 30 minutes
    end

    auth--)kv: Store User's <br/> private & <br/> session KeyPair
    auth-->>ssr: Sends delegated session <br/> & (signature + pubkey) as pubkey <br/> & (signature + expiration) as expiration
    Note over ssr: Cookie is set <br/> for SSR domain
    ssr-->>client: Sends delegated session <br/> & sets pubkey <br/> & expiration <br/> in cookie

    %% ----- OAuth2 Login Flow -----
    Note over client: When client clicks on login
    client--)ssr: GET auth URL [auth]/<cookie_serialized>
    client->>auth: Opens popup with /<cookie_serialized>
    Note over auth: Validates signature <br/> & sets Auth domain cookie
    auth-->>client: Shows login options page

    Note over client: Client clicks <br/> on google <br/> login page
    client--)auth: Sends request <br/> to /login/url/google <br/> Validates signature + pubkey <br/> Returns google URL
    create participant google as Google OAuth2
    client->>google: Redirects to google URL
    Note over google: User logs in
    destroy google
    google-->>auth: Redirects back <br/> with auth_code <br/> to /verify_oauth2
    Note over auth: Verifies auth_code <br/> & retrieves google_id
    destroy kv
    auth--)kv: Associates pubkey to google_id
    Note over auth: Generates delegated session
    auth-->>client: Sends PostMessage <br/> to opener window (ssr) <br/> with delegated session
    auth-->>auth: Closes the popup
```
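An added example (not the project's code) of the cookie-side checks in the two cookie flows above: the auth service signs the pubkey and expiration it hands to the SSR backend, and /renew_identity verifies the signature and the 30-minute expiry before re-generating a delegated session, falling back to /anonymous_identity otherwise. Unlike the diagrams, which sign pubkey and expiration separately, this version puts one MAC over both fields so an expiration from one cookie cannot be paired with another cookie's pubkey. The HMAC key, the cookie field names and the session-id placeholder are assumptions.

```python
import hashlib
import hmac
import secrets

DELEGATION_TTL = 30 * 60  # delegated session valid for 30 minutes, as in the diagrams


def issue_cookie(key: bytes, pubkey: str, now: int) -> dict:
    """Auth-service side (/anonymous_identity): build the fields the SSR backend
    sets in its cookie. One MAC covers pubkey AND expiration so the two cannot be
    mixed across cookies. Field names are an assumption."""
    expiration = str(now + DELEGATION_TTL)
    msg = f"{pubkey}|{expiration}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"pubkey": pubkey, "expiration": expiration, "signature": sig}


def verify_cookie(key: bytes, cookie: dict, now: int):
    """Return the pubkey if the MAC and the expiry check out, else None."""
    pubkey = cookie.get("pubkey", "")
    exp_raw = cookie.get("expiration", "")
    sig = cookie.get("signature", "")
    if not (pubkey and exp_raw.isdigit() and sig):
        return None  # malformed or missing fields: treat as invalid payload
    expected = hmac.new(key, f"{pubkey}|{exp_raw}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if now >= int(exp_raw):
        return None  # delegated session expired
    return pubkey


def renew_identity(key: bytes, cookie: dict, now: int) -> dict:
    """Models the alt branches of /renew_identity in the popup/tab diagram."""
    pubkey = verify_cookie(key, cookie, now)
    if pubkey is None:
        # Diagram: "GoTo /anonymous_identity" when the payload is invalid
        return {"action": "anonymous_identity"}
    # Diagram: re-generate the delegated session for this pubkey. The random
    # session id is a constructed stand-in for the delegated session keypair.
    return {
        "action": "renew",
        "pubkey": pubkey,
        "session": {"id": secrets.token_hex(16), "expires_at": now + DELEGATION_TTL},
    }
```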