# Authentication Service

```mermaid
flowchart TB
    U[User / Client] -->|login| GW[API Gateway]
    GW -->|auth request| IAM[IAM Auth Service]
    IAM -->|issue tokens| GW
    GW -->|return tokens| U
    U -->|API request with access token| GW
    GW -->|forward request| T[Todo Service]

    subgraph IAM_Core[IAM Core]
        IAM --> KMS[Key Store]
        IAM --> JWKS[JWKS Endpoint]
        IAM --> RT[Refresh Token Store]
        IAM --> IDP[User Org Role Store]
    end

    T -->|fetch public keys| JWKS
    T -->|verify JWT locally| T
    T -->|resource authorization| DB[Todo Database]
    T -->|optional version or revoke check| R[Redis Cache]
    IAM -->|update version or revoke| R
    T -->|emit events| MQ[Kafka]
    MQ --> N[Notification Service]
    MQ --> S[Search Service]
```

```mermaid
sequenceDiagram
    autonumber
    participant C as Client
    participant GW as API Gateway
    participant IAM as IAM/Auth
    participant JWKS as JWKS Endpoint
    participant T as Task Service
    participant DB as Postgres
    participant R as Redis(ver/jti)

    %% Login
    C->>GW: POST /auth/login (username/password)
    GW->>IAM: forward /auth/login
    IAM->>IAM: validate credentials
    IAM->>IAM: issue access_token(JWT) + refresh_token
    IAM->>GW: 200 tokens
    GW->>C: 200 tokens (store refresh safely)

    %% Normal API call (local verify)
    C->>GW: GET /tasks (Authorization: Bearer access)
    GW->>T: forward request (+ traceId)
    alt JWKS cache miss
        T->>JWKS: GET /.well-known/jwks.json
        JWKS-->>T: public keys
    end
    T->>T: verify JWT signature + iss/aud/exp
    opt fast invalidation check (recommended)
        T->>R: GET auth_ver:{sub} or revoked_jti:{jti}
        R-->>T: ok / mismatch
    end
    T->>DB: query tasks WHERE tenant_id=tid AND (owner=sub OR permission)
    DB-->>T: tasks
    T-->>GW: 200 tasks
    GW-->>C: 200 tasks

    %% Access expired -> refresh
    C->>GW: GET /tasks (access expired)
    GW-->>C: 401 token_expired
    C->>GW: POST /auth/refresh (refresh_token)
    GW->>IAM: forward refresh
    IAM->>IAM: validate refresh token (rotation/reuse detection)
    IAM->>IAM: issue new access + new refresh
    IAM-->>GW: 200 new tokens
    GW-->>C: 200 new tokens
    C->>GW: retry GET /tasks (new access)
    GW->>T: forward
    T->>T: verify JWT ...
    T->>DB: query ...
    DB-->>T: tasks
    T-->>GW: 200
    GW-->>C: 200

    %% Role change / revoke (how to take effect)
    Note over IAM,R: Admin changes role OR user logs out<br/>IAM increments auth_ver or revokes jti
    IAM->>R: SET auth_ver:{sub}=newVersion OR SET revoked_jti:{jti}=1

    %% After role change
    C->>GW: POST /tasks (Authorization: Bearer old access)
    GW->>T: forward
    T->>T: verify JWT ok (signature still valid)
    T->>R: GET auth_ver:{sub} / revoked_jti:{jti}
    R-->>T: mismatch / revoked
    T-->>GW: 401/403 (reauth required)
    GW-->>C: 401/403
```
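The diagrams show the task service's "verify JWT locally" step and the "fast invalidation check" only as arrows. The Go below is an added example, not code from the page's project, that implements both sides of that step with the standard library: `IssueRS256` stands in for IAM signing, a map keyed by `kid` stands in for the JWKS endpoint, and `RevocationStore` stands in for the Redis keys `auth_ver:{sub}` and `revoked_jti:{jti}`. The `auth_ver` claim name, the function names and the sample values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the task service checks; "auth_ver" is an assumed claim name.
type Claims struct {
	Iss     string `json:"iss"`
	Aud     string `json:"aud"`
	Sub     string `json:"sub"`
	Jti     string `json:"jti"`
	Exp     int64  `json:"exp"`
	AuthVer int    `json:"auth_ver"`
}

// RevocationStore is an in-memory stand-in for the Redis keys auth_ver:{sub} and
// revoked_jti:{jti} that IAM writes on role change or logout.
type RevocationStore struct {
	AuthVer map[string]int
	Revoked map[string]bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, out interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// IssueRS256 is the IAM side: header.claims.signature, each base64url, signed with the
// private key whose public half is published under kid on the JWKS endpoint.
func IssueRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyLocal is the task-service side: signature against the cached JWKS keys,
// then iss/aud/exp, then the fast invalidation check against the store.
func VerifyLocal(tok string, keys map[string]*rsa.PublicKey, iss, aud string, store *RevocationStore) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	// Pin the algorithm so the token cannot downgrade to "none" or an HMAC alg.
	if decodePart(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	pub, ok := keys[hdr.Kid] // a real service refetches the JWKS once on an unknown kid
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims
	if decodePart(parts[1], &c) != nil {
		return nil, errors.New("bad claims")
	}
	switch {
	case c.Iss != iss:
		return nil, errors.New("wrong issuer")
	case c.Aud != aud:
		return nil, errors.New("wrong audience")
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token_expired")
	}
	// The signature stays valid after a role change or logout; these two lookups catch that.
	if store.Revoked[c.Jti] {
		return nil, errors.New("revoked")
	}
	if cur, ok := store.AuthVer[c.Sub]; ok && cur != c.AuthVer {
		return nil, errors.New("stale auth_ver")
	}
	return &c, nil
}
```

The order matters: signature first, so that unsigned input never reaches the claim or store lookups; the store lookups last, because they are the only network hop on the hot path and the diagram marks them optional. A `stale auth_ver` or `revoked` result maps to the 401/403 "reauth required" response in the last leg of the sequence diagram; `token_expired` maps to the 401 that triggers the refresh leg.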
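The refresh leg, "validate refresh token (rotation/reuse detection)", is likewise only an arrow. This added Go example, not the page's code, shows one common way to implement it in the IAM Refresh Token Store: tokens are stored hashed, grouped into a family per login, rotated on every use, and a replay of an already-used token revokes the whole family, since either the attacker or the legitimate client is holding a stolen copy. The type and function names and the in-memory store are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// refreshRecord is what IAM keeps per refresh token (by hash). One family per login
// session; each rotation adds a child record and marks the parent as used.
type refreshRecord struct {
	Sub    string
	Family string
	Used   bool
}

// RefreshStore is an in-memory stand-in for the IAM Refresh Token Store.
type RefreshStore struct {
	byHash   map[string]*refreshRecord
	revokedF map[string]bool
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{byHash: map[string]*refreshRecord{}, revokedF: map[string]bool{}}
}

func randomToken() string {
	b := make([]byte, 32)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// hashToken stores only a digest so a leaked store does not yield usable tokens.
func hashToken(t string) string {
	h := sha256.Sum256([]byte(t))
	return hex.EncodeToString(h[:])
}

// Login starts a new family and returns its first refresh token.
func (s *RefreshStore) Login(sub string) string {
	t, fam := randomToken(), randomToken()
	s.byHash[hashToken(t)] = &refreshRecord{Sub: sub, Family: fam}
	return t
}

var ErrReuse = errors.New("refresh token reuse detected; family revoked")

// Refresh rotates: the presented token is marked used and a new one is issued in the
// same family. A token presented twice is treated as stolen and its family is revoked.
func (s *RefreshStore) Refresh(presented string) (newToken string, sub string, err error) {
	rec, ok := s.byHash[hashToken(presented)]
	if !ok {
		return "", "", errors.New("unknown refresh token")
	}
	if s.revokedF[rec.Family] {
		return "", "", errors.New("session revoked")
	}
	if rec.Used {
		s.revokedF[rec.Family] = true
		return "", "", ErrReuse
	}
	rec.Used = true
	t := randomToken()
	s.byHash[hashToken(t)] = &refreshRecord{Sub: rec.Sub, Family: rec.Family}
	return t, rec.Sub, nil
}

// Logout revokes the family so no descendant refresh token works afterwards.
func (s *RefreshStore) Logout(presented string) {
	if rec, ok := s.byHash[hashToken(presented)]; ok {
		s.revokedF[rec.Family] = true
	}
}
```

In the deployed design the family revocation should also bump `auth_ver:{sub}` (or write `revoked_jti`) in Redis, as the "Role change / revoke" leg of the sequence diagram does, so that access tokens already issued to the stolen session stop working at the task service instead of lingering until `exp`.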