- the identity system manages all user authentication and authorization in GloFlow (GF).
Standard identity
- implemented from scratch; gives GloFlow a classic username/password user system without depending on any external system (blockchain, Auth0, or other).
- username/password based
- supports one-time-password (OTP) authentication using authenticator apps
- the OTP is a time-based code (TOTP) derived from a secret shared with the app; each code is only valid for a short, fixed time window (60s, etc.)
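The TOTP scheme behind the authenticator-app login, as an added Go example (this is not GloFlow's own code). It assumes the RFC 6238 defaults: HMAC-SHA1, 6 digits and 30-second steps (the 60s mentioned above is a tunable parameter, `totpPeriod`), plus a one-step skew window and a constant-time comparison on the server side. The secret is the RFC 6238 test-vector key, constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// TOTP parameters (RFC 6238). The text mentions 60s windows; authenticator
// apps and the RFC test vectors use 30s, which is what this example assumes.
const (
	totpDigits = 6
	totpPeriod = 30 // seconds per time step
)

// hotp computes an RFC 4226 HOTP value: HMAC-SHA1 over the big-endian
// counter, dynamic truncation, then reduction to totpDigits decimal digits.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return code % mod
}

// totpAt returns the zero-padded code valid at the given Unix time.
func totpAt(secret []byte, unixTime int64) string {
	return fmt.Sprintf("%0*d", totpDigits, hotp(secret, uint64(unixTime/totpPeriod)))
}

// verifyTOTP checks a user-submitted code against the current time step and
// skewSteps steps on either side (clock drift between phone and server).
// Every candidate is compared in constant time and the loop never exits
// early, so timing does not reveal which step (if any) matched.
func verifyTOTP(secret []byte, code string, unixTime int64, skewSteps int) bool {
	matched := 0
	for d := -skewSteps; d <= skewSteps; d++ {
		candidate := totpAt(secret, unixTime+int64(d)*totpPeriod)
		matched |= subtle.ConstantTimeCompare([]byte(candidate), []byte(code))
	}
	return matched == 1
}

// decodeBase32Secret parses the secret in the form authenticator apps show it
// (base32, no padding, case-insensitive, spaces allowed).
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed demo secret: the RFC 6238 test-vector key "12345678901234567890".
	secret, err := decodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("current code:", code, "accepted:", verifyTOTP(secret, code, now, 1))
	// A code from two steps ago falls outside a +-1 step window and is rejected.
	old := totpAt(secret, now-2*totpPeriod)
	fmt.Println("stale code:", old, "accepted:", verifyTOTP(secret, old, now, 1))
}
```

A server should additionally remember the last step it accepted for a user and refuse a second login with the same code inside that window, otherwise a code seen over the shoulder can be reused until it expires.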
Web3 identity
- users prove ownership of a public key/address by signing a data string; the server verifies the signature and checks that the signing key corresponds to the claimed address.
- the signed string should include a server-issued, single-use nonce, so that a captured signature cannot be replayed to log in again.
- implemented for the Ethereum chain
- add Tezos support?
Auth0 identity
- integration with an external identity provider, Auth0
- provides powerful features, and is for users who don't want to manage their user database via GF, or who have more advanced identity-management requirements.
OAuth 2.0 bearer token:
- the predominant type of access token used with OAuth 2.0
- acquired by GF from Auth0 after the login callback handler exchanges the received authorization code for this bearer token
- an opaque string, not intended to have any meaning to clients using it
ID tokens:
- are JSON web tokens (JWTs).
- used to cache user profile information and provide it to a client application.
- application receives an ID token after a user successfully authenticates, then consumes the ID token and extracts user information from it, which it can then use to personalize the user’s experience.
- is valid for 36000 seconds (10 hours)
- signatures are generated with a private/public key pair (asymmetric signing).
- the private key is managed by Auth0 and is unique per tenant (rotated once a year).
- GF verifies the JWT signature using the tenant's public keys (published at the tenant's JWKS endpoint); besides the signature it must check the alg header, iss, aud and exp before trusting any claim in the token.
- decoded JWT token payload data has the following shape:
- auth0 docs:
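The ID-token verification GF has to perform, as an added Go example; this is neither GloFlow's code nor Auth0's SDK. It assumes RS256 signing, a `kid`-keyed map of RSA public keys standing in for the tenant's JWKS, a string-valued `aud`, and an `idClaims` payload shape made up for the example (the page's actual payload shape is not shown). The issuer and client-id strings are placeholders. The `signIDToken` side is only there to produce a token to verify; in GF the tenant private key never leaves Auth0.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"` // identifies which tenant key signed the token
}

// idClaims is an assumed subset of the ID-token payload (not GF's real shape).
// "aud" is modelled as a plain string; Auth0 may emit an array when a token
// carries several audiences, which a production verifier must also handle.
type idClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signIDToken plays the Auth0 side: RS256 over header.payload with the tenant private key.
func signIDToken(priv *rsa.PrivateKey, kid string, claims idClaims) (string, error) {
	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT", Kid: kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken is the GF-side check. keys maps kid -> tenant public key (in
// production fetched from the tenant's JWKS endpoint and cached). The alg is
// pinned to RS256 before any key is looked up, so alg=none and HS256
// key-confusion tokens are rejected outright; the payload is only parsed
// after the signature has been verified.
func verifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (*idClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr jwtHeader
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims idClaims
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, errors.New("bad payload")
	}
	if claims.Iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if claims.Aud != audience {
		return nil, errors.New("wrong audience")
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

func main() {
	// Constructed stand-in for the tenant key; GF only ever sees the public half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := map[string]*rsa.PublicKey{"tenant-key-1": &priv.PublicKey}
	iss, aud := "https://example-tenant.auth0.com/", "gf-client-id" // placeholders
	issued := time.Now()
	tok, _ := signIDToken(priv, "tenant-key-1", idClaims{Iss: iss, Sub: "auth0|user1", Aud: aud,
		Iat: issued.Unix(), Exp: issued.Unix() + 36000}) // 10-hour lifetime, as in the notes above
	_, err = verifyIDToken(tok, keys, iss, aud, issued.Add(time.Minute))
	fmt.Println("fresh token error:", err)
	_, err = verifyIDToken(tok, keys, iss, aud, issued.Add(11*time.Hour))
	fmt.Println("after 11h error:", err)
}
```

If the login request carried a nonce, compare it against the token's nonce claim as well; that binds the ID token to the browser session that started the flow.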