# Authentication Service

```mermaid
flowchart TB
    U[User / Client] -->|login| GW[API Gateway]
    GW -->|auth request| IAM[IAM Auth Service]
    IAM -->|issue tokens| GW
    GW -->|return tokens| U

    U -->|API request with access token| GW
    GW -->|forward request| T[Todo Service]

    subgraph IAM_Core[IAM Core]
        IAM --> KMS[Key Store]
        IAM --> JWKS[JWKS Endpoint]
        IAM --> RT[Refresh Token Store]
        IAM --> IDP[User Org Role Store]
    end

    T -->|fetch public keys| JWKS
    T -->|verify JWT locally| T
    T -->|resource authorization| DB[Todo Database]

    T -->|optional version or revoke check| R[Redis Cache]
    IAM -->|update version or revoke| R

    T -->|emit events| MQ[Kafka]
    MQ --> N[Notification Service]
    MQ --> S[Search Service]
```
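The Todo Service's side of the flowchart (fetch public keys from the JWKS endpoint, verify the JWT locally, then the optional version or revoke check against Redis) as a runnable Go program. This is an added example, not code from the page or the project it describes. It assumes EdDSA (Ed25519) signatures with a JWK of type OKP (the page names no algorithm), an access-token claim `ver` that carries the `auth_ver` value at issue time, key id `k1`, issuer `https://iam.example` and audience `todo`, and a plain map in place of Redis with the keys `auth_ver:{sub}` and `revoked_jti:{jti}` used later on this page. The JWKS document is built in memory instead of being fetched from /.well-known/jwks.json, and the minting function stands in for IAM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// claims is the access-token payload the diagram's IAM issues.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
	Ver int    `json:"ver"` // assumed claim: the auth_ver:{sub} value at issue time
}

// keyFromJWKS returns the Ed25519 key with the given kid from a JWKS document, or nil (EdDSA/OKP is an assumption).
func keyFromJWKS(doc []byte, kid string) ed25519.PublicKey {
	var set struct{ Keys []map[string]string } // {"keys":[{"kty":"OKP","crv":"Ed25519","kid":..,"x":..}]}
	_ = json.Unmarshal(doc, &set)               // an unreadable document simply yields no keys
	for _, k := range set.Keys {
		x, err := base64.RawURLEncoding.DecodeString(k["x"])
		if k["kid"] == kid && k["kty"] == "OKP" && k["crv"] == "Ed25519" && err == nil && len(x) == ed25519.PublicKeySize {
			return ed25519.PublicKey(x)
		}
	}
	return nil
}

// verifyAccessToken is the Task Service's per-request path: pinned alg, JWKS key by kid, signature over
// header.payload, iss/aud/exp, then the fast invalidation check (cache stands in for Redis(ver/jti)).
func verifyAccessToken(tok, jwksDoc, iss, aud string, now time.Time, cache map[string]string) (*claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(p[0])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("malformed token or alg not EdDSA") // alg is pinned here, never trusted from the token
	}
	pub := keyFromJWKS([]byte(jwksDoc), hdr.Kid)
	if pub == nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c claims
	if json.Unmarshal(body, &c) != nil || c.Iss != iss || c.Aud != aud {
		return nil, fmt.Errorf("iss/aud mismatch")
	}
	ver := cache["auth_ver:"+c.Sub]
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token_expired")
	case ver != "" && ver != fmt.Sprint(c.Ver): // IAM bumped auth_ver:{sub} on a role change
		return nil, fmt.Errorf("auth_ver mismatch")
	case cache["revoked_jti:"+c.Jti] != "": // IAM set revoked_jti:{jti} on logout
		return nil, fmt.Errorf("jti revoked")
	}
	return &c, nil
}

// mintEdDSA plays IAM for the demo (constructed, not the page's IAM): header.payload signed with IAM's private key.
func mintEdDSA(priv ed25519.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// demo publishes IAM's key as the JWKS document T would fetch, then returns the verifier's verdict per case.
func demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader) // a key IAM never published
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": "OKP", "crv": "Ed25519", "kid": "k1", "x": base64.RawURLEncoding.EncodeToString(pub)}}})
	now := time.Now()
	c := claims{Iss: "https://iam.example", Aud: "todo", Sub: "u42", Jti: "j1", Exp: now.Add(time.Minute).Unix(), Ver: 3}
	verdict := func(tok string, cache map[string]string) error {
		_, err := verifyAccessToken(tok, string(doc), c.Iss, c.Aud, now, cache)
		return err
	}
	tok := mintEdDSA(priv, "k1", c)
	return map[string]error{
		"fresh":       verdict(tok, map[string]string{"auth_ver:u42": "3"}),
		"role_change": verdict(tok, map[string]string{"auth_ver:u42": "4"}),
		"logged_out":  verdict(tok, map[string]string{"revoked_jti:j1": "1"}),
		"expired":     verdict(mintEdDSA(priv, "k1", claims{Iss: c.Iss, Aud: c.Aud, Sub: c.Sub, Jti: "j2", Exp: now.Add(-time.Minute).Unix(), Ver: 3}), nil),
		"wrong_key":   verdict(mintEdDSA(other, "k1", c), nil),
	}
}

func main() { fmt.Println(demo()) }
```

`go run` prints a nil error for the fresh token and a distinct error for each rejected case. Two design points carry over to a real service: the signature is checked before the payload is parsed and the algorithm is fixed by the verifier rather than read from the token, and the Redis lookup turns the signature-only model (valid until `exp`) into one where a role change or logout takes effect on the next request, at the cost of one cache round trip per call.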

```mermaid
sequenceDiagram
    autonumber
    participant C as Client
    participant GW as API Gateway
    participant IAM as IAM/Auth
    participant JWKS as JWKS Endpoint
    participant T as Task Service
    participant DB as Postgres
    participant R as Redis(ver/jti)

    %% Login
    C->>GW: POST /auth/login (username/password)
    GW->>IAM: forward /auth/login
    IAM->>IAM: validate credentials
    IAM->>IAM: issue access_token(JWT) + refresh_token
    IAM->>GW: 200 tokens
    GW->>C: 200 tokens (store refresh safely)

    %% Normal API call (local verify)
    C->>GW: GET /tasks (Authorization: Bearer access)
    GW->>T: forward request (+ traceId)

    alt JWKS cache miss
        T->>JWKS: GET /.well-known/jwks.json
        JWKS-->>T: public keys
    end

    T->>T: verify JWT signature + iss/aud/exp
    opt fast invalidation check (recommended)
        T->>R: GET auth_ver:{sub} or revoked_jti:{jti}
        R-->>T: ok / mismatch
    end
    T->>DB: query tasks WHERE tenant_id=tid AND (owner=sub OR permission)
    DB-->>T: tasks
    T-->>GW: 200 tasks
    GW-->>C: 200 tasks

    %% Access expired -> refresh
    C->>GW: GET /tasks (access expired)
    GW-->>C: 401 token_expired
    C->>GW: POST /auth/refresh (refresh_token)
    GW->>IAM: forward refresh
    IAM->>IAM: validate refresh token (rotation/reuse detection)
    IAM->>IAM: issue new access + new refresh
    IAM-->>GW: 200 new tokens
    GW-->>C: 200 new tokens
    C->>GW: retry GET /tasks (new access)
    GW->>T: forward
    T->>T: verify JWT ...
    T->>DB: query ...
    DB-->>T: tasks
    T-->>GW: 200
    GW-->>C: 200

    %% Role change / revoke (how to take effect)
    Note over IAM,R: Admin changes role OR user logs out\nIAM increments auth_ver or revokes jti
    IAM->>R: SET auth_ver:{sub}=newVersion OR SET revoked_jti:{jti}=1

    %% After role change
    C->>GW: POST /tasks (Authorization: Bearer old access)
    GW->>T: forward
    T->>T: verify JWT ok (signature still valid)
    T->>R: GET auth_ver:{sub} / revoked_jti:{jti}
    R-->>T: mismatch / revoked
    T-->>GW: 401/403 (reauth required)
    GW-->>C: 401/403
```
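The refresh step above ("validate refresh token (rotation/reuse detection)") is only one line in the diagram, so here is what IAM's Refresh Token Store has to do for it, as an added Go example that is not code from the page or its project. Everything about the store is assumed: an in-memory map keyed by the SHA-256 of the token, a token family started at login, a single-use flag per token, and the rule that a second presentation of an already-rotated token revokes the whole family. Token values and the 24-hour lifetime are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// refreshRecord is one entry of the Refresh Token Store. Entries are keyed by the
// SHA-256 of the token, so a leaked copy of the store does not yield usable tokens.
type refreshRecord struct {
	sub, family string
	expires     time.Time
	used        bool // set once the token has been exchanged; a second presentation is reuse
}

// RefreshStore is an in-memory stand-in for the diagram's Refresh Token Store (constructed here).
type RefreshStore struct {
	mu      sync.Mutex
	byHash  map[string]*refreshRecord
	revoked map[string]bool // family id -> revoked after reuse was detected
	ttl     time.Duration
}

func NewRefreshStore(ttl time.Duration) *RefreshStore {
	return &RefreshStore{byHash: map[string]*refreshRecord{}, revoked: map[string]bool{}, ttl: ttl}
}

func hashToken(tok string) string {
	h := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(h[:])
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// issueLocked stores a fresh token for sub in family; the caller holds mu.
func (s *RefreshStore) issueLocked(sub, family string, now time.Time) string {
	tok := randomHex(32)
	s.byHash[hashToken(tok)] = &refreshRecord{sub: sub, family: family, expires: now.Add(s.ttl)}
	return tok
}

// Login starts a new token family for sub, as IAM does after POST /auth/login succeeds.
func (s *RefreshStore) Login(sub string, now time.Time) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked(sub, randomHex(16), now)
}

// Rotate is IAM's side of POST /auth/refresh. The presented token is accepted once,
// marked used and replaced by a successor in the same family. A used token coming back
// means two parties hold it (the legitimate client and whoever copied it), so the whole
// family is revoked and the user has to log in again; neither party keeps a working token.
func (s *RefreshStore) Rotate(tok string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(tok)]
	switch {
	case !ok:
		return "", errors.New("unknown refresh token")
	case s.revoked[rec.family]:
		return "", errors.New("family revoked")
	case rec.used:
		s.revoked[rec.family] = true
		return "", errors.New("reuse detected: family revoked")
	case !now.Before(rec.expires):
		return "", errors.New("refresh token expired")
	}
	rec.used = true
	return s.issueLocked(rec.sub, rec.family, now), nil
}

// demo replays the flow: one legitimate rotation, then the old token presented again,
// which revokes the family so the newest token stops working too; finally an expired token.
func demo() []string {
	store := NewRefreshStore(24 * time.Hour)
	now := time.Now()
	r1 := store.Login("u42", now)
	r2, err1 := store.Rotate(r1, now.Add(time.Minute))                      // normal refresh: r1 -> r2
	_, err2 := store.Rotate(r1, now.Add(2*time.Minute))                     // r1 presented again: reuse
	_, err3 := store.Rotate(r2, now.Add(3*time.Minute))                     // r2 is in the revoked family
	_, err4 := store.Rotate(store.Login("u42", now), now.Add(48*time.Hour)) // beyond ttl
	return []string{verdict(err1), verdict(err2), verdict(err3), verdict(err4)}
}

func verdict(err error) string {
	if err == nil {
		return "ok"
	}
	return err.Error()
}

func main() { fmt.Println(demo()) }
```

The store never compares raw tokens, only their hashes, and the lock around `Rotate` is what makes "accepted once" hold when two refresh requests with the same token arrive at the same moment. A production store would also write the family revocation to the same Redis the diagram uses for `revoked_jti`, so the access token issued alongside the stolen refresh token dies with it.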