AuthServer is a service that handles creating, verifying and refreshing authorization tokens. You create an AuthServer in your application channel and inject it into the types that deal with authorization. These types include:
Authorizer: middleware controller that protects endpoint controllers from unauthorized access
AuthController: endpoint controller that grants access tokens
AuthCodeController: endpoint controller that grants authorization codes to be exchanged for access tokens
AuthServer must persist the data it uses and creates - like client identifiers and access tokens. Storage is often performed by a database, but it can be in memory, a cache or some other medium. Because of the many different storage mediums, an AuthServer doesn't perform any storage itself - it relies on an instance of AuthServerDelegate specific to your application. This allows storage to be independent of verification logic.
AuthServerDelegate is an interface that an AuthServer uses to handle storage of client identifiers, tokens and other authorization artifacts. An AuthServer must be created with a concrete implementation of AuthServerDelegate. Conduit contains a concrete implementation of AuthServerDelegate that uses the ORM. It is highly recommended to use this implementation instead of implementing your own storage because it has been thoroughly tested and handles cleaning up expired data correctly.
ManagedAuthDelegate<T>. It exists in a sub-package of Conduit and must be explicitly imported. Here's an example of creating an
(ManagedAuthDelegate has a type argument - this will be covered in the next section.)
AuthServer has methods for handling authorization tasks, but it is rarely used directly. Instead, instances of AuthController are hooked up to routes to grant authorization tokens through your application's HTTP API. Instances of Authorizer secure routes in channels. All of these types invoke the appropriate methods on the AuthServer. Here's an example ApplicationChannel subclass that sets up and uses authorization:
ManagedAuthDelegate<T> is a concrete implementation of AuthServerDelegate, providing storage of authorization tokens and clients for an AuthServer. Storage is accomplished by Conduit's ORM. ManagedAuthDelegate<T>, by default, is not part of the standard conduit library. To use this class, an application must import
The type argument of ManagedAuthDelegate<T> represents the application's concept of a 'user' or 'account' - OAuth 2.0 terminology would refer to this type as a resource owner. A resource owner must be a ManagedObject<T> subclass that is specific to your application. Its table definition must extend ResourceOwnerTableDefinition and the instance type must implement
T is the table definition. A basic definition may look like this:
By extending ResourceOwnerTableDefinition in the table definition, the database table has the following four columns:
ResourceOwnerTableDefinition also has a
tokens for each token that has been granted on its behalf.
ManagedAuthResourceOwner<T> is a requirement that ensures the type argument is both a
ResourceOwnerTableDefinition, and serves no other purpose than to restrict ManagedAuthDelegate<T>'s type parameter.
The managed_auth library also declares two
ManagedAuthToken represents instances of authorization tokens and codes, and ManagedAuthClient represents instances of OAuth 2.0 clients. This means that a Conduit application that uses ManagedAuthDelegate<T> has a minimum of three database tables: users, tokens and clients.
ManagedAuthDelegate<T> will delete authorization tokens and codes when they are no longer in use. This is determined by how many tokens a resource owner has and the tokens' expiration dates. Once a resource owner acquires more than 40 tokens/codes, the oldest tokens/codes (determined by expiration date) are deleted. Effectively, the resource owner is limited to 40 tokens. This number can be changed when instantiating
ManagedAuthDelegate<T> requires database tables for its users, tokens and clients. Use the database command-line tool on your project to generate migration scripts and execute them against a database. This tool will see the declarations for your user type,
ManagedAuthClient and create the appropriate tables.
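The following is an added example, not code from the Conduit documentation, that ties the pieces above together: a resource owner type, a ManagedAuthDelegate<T> backed by the ORM, and a channel that exposes the token and code endpoints while guarding a resource route with an Authorizer. It assumes Conduit 2.x import paths, the placeholder database connection values shown, and the tokenLimit constructor parameter of ManagedAuthDelegate.

```dart
// Added example, not code from the Conduit docs. Assumes Conduit 2.x import
// paths, placeholder Postgres connection values, and the tokenLimit parameter
// of ManagedAuthDelegate's constructor.
import 'package:conduit/conduit.dart';
import 'package:conduit/managed_auth.dart';

// Resource owner: the instance type implements ManagedAuthResourceOwner<_User>
// and the table definition extends ResourceOwnerTableDefinition.
class User extends ManagedObject<_User>
    implements _User, ManagedAuthResourceOwner<_User> {}

class _User extends ResourceOwnerTableDefinition {}

class AppChannel extends ApplicationChannel {
  late final ManagedContext context;
  late final AuthServer authServer;

  @override
  Future prepare() async {
    final dataModel = ManagedDataModel.fromCurrentMirrorSystem();
    // Placeholder connection values; read them from configuration in practice.
    final store = PostgreSQLPersistentStore.fromConnectionInfo(
        "app_user", "app_password", "localhost", 5432, "app_db");
    context = ManagedContext(dataModel, store);
    // Storage is delegated to the ORM-backed delegate; tokenLimit lowers the
    // default cap of 40 live tokens/codes per resource owner to 10.
    final delegate = ManagedAuthDelegate<User>(context, tokenLimit: 10);
    authServer = AuthServer(delegate);
  }

  @override
  Controller get entryPoint {
    final router = Router();
    // Endpoint controllers that grant access tokens and authorization codes.
    router.route("/auth/token").link(() => AuthController(authServer));
    router.route("/auth/code").link(() => AuthCodeController(authServer));
    // Authorizer rejects requests lacking a valid bearer token (with the
    // "account" scope) before the endpoint controller ever runs.
    router
        .route("/accounts/me")
        .link(() => Authorizer.bearer(authServer, scopes: ["account"]))
        .linkFunction((request) async =>
            Response.ok({"id": request.authorization!.ownerID}));
    return router;
  }
}
```

Every request that reaches the linkFunction has already passed the Authorizer, so request.authorization is populated with the verified token's owner and scopes.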