The authorization service is an external service and it provides authorization for all components of the blockchain network. Service is built on the basis of `OAuth 2.0 <https://en.wikipedia.org/wiki/OAuth> `_ authorization protocol. OAuth 2.0 is the open framework for realization of the authorization mechanism, allowing to give to the third part the limited access to the protected resources without credentials transfer to the third part. The data flow scheme between participants of information interaction on the OAuth 2.0 basis is presented below.
JSON Web Token is the authorization unit. Tokens are used to authorize each request from the client to the server and have a limited lifetime. The client receives two types of token - access and refresh. Access token is used to authorize requests for access to protected resources and to store additional information about the user. The refresh token is used to get a new access token and to refresh the refresh token.
In general, the authorization scheme includes the following operations:
The client (it could be any blockchain network component like the web client, data service or an external application) once provides its authentication data to the authorization service.
If the initial authentication procedure is successful, the authorization service stores the client’s authentication data in the database, generates and sends signed access and refresh tokens to the client. Tokens include the lifetime info and basic customer data, such as an ID and a role. Client authentication data are stored in the authorization service configuration file. The client checks the lifetime of the access token each time before sending a request to a third-party service. In case of expiration of the token, the client refers to the authorization service to obtain a new access token. The refresh token is used for requests to the authorization service.
The client sends a request of receiving data from a third-party service using the current access token.
The external application checks the lifetime of the access token, its integrity, and compares the previously obtained public key of the authorization service with the key contained in the signature of the access token. In case of successful verification, this service provides the requested data to the client.