ModelOp follows the security architecture shown below:
...
Technical implementation details:
There are two main points of entry:
OAuth2Login
ResourceServer
The image above shows the Gateway architecture specifically for JWT.
The Resource Server uses JWT and validates the token locally through JOSE.
...
For the ResourceServer implementation, the architecture supports JWT and opaque tokens independently.
JWT:
The token is validated locally against the Authorization Server's JWKs.
Opaque:
The token is validated by introspection, through a token introspection resolver when more than one token introspection endpoint is defined.
...
To define a MicroService as a Resource Server (RS):
Identify the type of tokens to be supported
Define profiles accordingly
Add the required YAML configuration
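The three steps above, wired in Spring Security as an added example (this is not ModelOp's own code): one configuration class per supported token type, each activated by a Spring profile, with the YAML values injected through @Value. Assumptions: Spring Security 6 with the lambda DSL; the profile names jwt and opaque and the key oauth2.resource-server.jwt.jwk-set-uri are illustrative, while the oauth2.resource-server.opaque.* keys follow the YAML configuration shown on this page.

```java
// Added example, not ModelOp's code: Resource Server wiring per token type, one Spring profile each.
// Assumptions: Spring Security 6 lambda DSL; profile names and the jwt.jwk-set-uri key are illustrative.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

/** Active with "--spring.profiles.active=jwt": tokens are verified locally against the AS JWK Set. */
@Configuration
@Profile("jwt")
class JwtResourceServerConfig {

    @Bean
    JwtDecoder jwtDecoder(@Value("${oauth2.resource-server.jwt.jwk-set-uri}") String jwkSetUri) { // assumed key
        // NimbusJwtDecoder fetches and caches the JWKS, then checks the signature and exp/nbf offline;
        // no call to the Authorization Server is made per request.
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
    }

    @Bean
    SecurityFilterChain jwtFilterChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)));
        return http.build();
    }
}

/** Active with "--spring.profiles.active=opaque": every request triggers an RFC 7662 introspection call. */
@Configuration
@Profile("opaque")
class OpaqueResourceServerConfig {

    @Bean
    OpaqueTokenIntrospector introspector(
            @Value("${oauth2.resource-server.opaque.introspection-uri}") String introspectionUri,
            @Value("${oauth2.resource-server.opaque.client-id}") String clientId,
            @Value("${oauth2.resource-server.opaque.client-secret}") String clientSecret) {
        // The RS authenticates to the introspection endpoint with its own client credentials;
        // the Authorization Server answers with active=true/false plus the token's attributes.
        return new NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
    }

    @Bean
    SecurityFilterChain opaqueFilterChain(HttpSecurity http, OpaqueTokenIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.opaqueToken(opaque -> opaque.introspector(introspector)));
        return http.build();
    }
}
```

Because the two classes are mutually exclusive by profile, a service never ends up with both a JwtDecoder and an OpaqueTokenIntrospector competing for the same SecurityFilterChain; the operational difference is that the jwt profile only needs network access to the JWKS URI at key-refresh time, while the opaque profile depends on the introspection endpoint being reachable for every request.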
...
An Opaque Query Param RS uses an introspection endpoint to validate the token.
    oauth2: # Values for Resource Servers.
      resource-server:
        ## Base RS conf
        base-conf:
          user-info-uri: https://authorization.server/idp/userinfo.openid
        # Traditional approaches will require only introspection-uri, this approach uses NimbusOpaqueTokenIntrospector
        opaque:
          client-id: model-manage-client
          client-secret: client-secret
          introspection-uri: https://internal.pf.modelop.center/as/introspect.oauth2
        # Specifically opaque-queryparam is for a specific client needs that supports 2 OAuth2 providers at the same time...
        opaque-queryparam:
          queryparam: otoken
          introspection-uri: https://authorization.server/rs/validate/AppIdClaim
...
JWT detailed architecture overview
Opaque detailed architecture overview
...
Multiple Authorization Servers architecture
...
...
JWT & Opaque token interactions with Security Context Holder
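Once either filter chain has accepted a token, application code reads the caller from the SecurityContextHolder. The following is an added example (not ModelOp's code) of doing that uniformly for both token types: local JWT validation leaves a JwtAuthenticationToken (claims as attributes) and introspection leaves a BearerTokenAuthentication (the introspection response as attributes), and both extend Spring Security's AbstractOAuth2TokenAuthenticationToken. The class name CurrentCaller is an assumption.

```java
// Added example, not ModelOp's code: reading the authenticated caller from the SecurityContextHolder
// in a way that works for both JWT (JwtAuthenticationToken) and opaque (BearerTokenAuthentication) tokens.
// The class name CurrentCaller is an assumption.
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;

final class CurrentCaller {

    private CurrentCaller() {
    }

    /** Token attributes of the current request, or an empty map when no bearer authentication is present. */
    static Map<String, Object> tokenAttributes() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Both JwtAuthenticationToken and BearerTokenAuthentication extend this base class, so one
        // accessor covers JWT claims and the fields of the introspection response alike.
        if (auth instanceof AbstractOAuth2TokenAuthenticationToken) {
            return ((AbstractOAuth2TokenAuthenticationToken<?>) auth).getTokenAttributes();
        }
        return Collections.emptyMap();
    }

    /** The "sub" claim (JWT) or the "sub" introspection field (opaque), if the token carried one. */
    static Optional<String> subject() {
        Object sub = tokenAttributes().get("sub");
        return sub == null ? Optional.empty() : Optional.of(sub.toString());
    }

    /** True only when the request was authenticated by a bearer token; false for anonymous requests. */
    static boolean isBearerAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth instanceof AbstractOAuth2TokenAuthenticationToken && auth.isAuthenticated();
    }
}
```

Reading through the shared base class keeps controllers independent of the active profile: switching a service from the jwt profile to the opaque profile changes where the attributes come from (local JOSE validation versus the introspection endpoint) but not how application code consumes them.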