How the platform works
Authorization and data services
The Waves Enterprise blockchain platform includes two external services:
Authorization service, which authorizes all network components;
Data service, which gathers blockchain data into a database and provides an API for access to the gathered data.
The authorization service authorizes all blockchain network components on the basis of the OAuth 2.0 protocol. OAuth 2.0 is an open authorization framework that lets a user grant a third party restricted access to their protected resources without disclosing their login and password.
The general flow of OAuth 2.0 authorization:
The object of OAuth authorization is the JSON Web Token (JWT). Tokens are used to authorize every query from a client to a server and have a limited lifetime. A client receives two tokens: an access token and a refresh token. The access token is used to authorize queries for access to protected resources and to carry additional information about the user. The refresh token is used to obtain a new access token and to renew the refresh token itself.
The authorization scheme of the Waves Enterprise blockchain platform:
The general authorization procedure is carried out as follows:
A client (a blockchain network component: a corporate client, a data exchange service or a third-party application) provides its authentication data once to the authorization service;
In case of a successful primary authentication, the authorization service saves the client's authentication data in its data storage, generates signed access and refresh tokens and sends them to the client. The tokens contain their lifetime and the client's basic data: its identifier and role. Clients' authentication data are stored in the authorization service configuration file. Each time before sending a query to a third-party service, the client checks the access token lifetime. If the token has expired, the client asks the authorization service for a new access token; for these queries the client uses the refresh token;
With a valid access token, the client sends a query to obtain third-party service data;
The third-party service checks the access token lifetime and integrity, and verifies that the token signature matches the authorization service public key it received in advance. If the check succeeds, the third-party service provides the requested data to the client.
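The procedure above, as an added example written for this page (it is not code from Waves Enterprise and does not show the real service's internals): a single Go program models all three parties. The authorization service checks a client's credentials against a constructed client list and issues an access/refresh pair; the client renews an expired access token with its refresh token; the third-party service accepts a token only after verifying its signature with the authorization service public key, its type and its lifetime. The Ed25519 signature scheme, the JWT layout, the token lifetimes, the sample client `corp-client` and all function names are assumptions of this example; the page does not state which algorithm or lifetimes the real service uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims carried by both token types: client identifier, role, type and lifetime.
type Claims struct {
	Sub  string `json:"sub"`  // client identifier
	Role string `json:"role"` // client role
	Typ  string `json:"typ"`  // "access" or "refresh"
	Exp  int64  `json:"exp"`  // expiry, unix seconds
}

type TokenPair struct{ Access, Refresh string }
type Credential struct{ Secret, Role string } // one client entry (constructed; the real service reads these from its config file)

// AuthService signs tokens with an Ed25519 key; services that accept tokens hold only the public half.
type AuthService struct {
	priv                  ed25519.PrivateKey
	pub                   ed25519.PublicKey
	clients               map[string]Credential
	accessTTL, refreshTTL time.Duration
}

func NewAuthService(clients map[string]Credential, accessTTL, refreshTTL time.Duration) (*AuthService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthService{priv: priv, pub: pub, clients: clients, accessTTL: accessTTL, refreshTTL: refreshTTL}, nil
}

// PublicKey is what a third-party service obtains in advance to check signatures.
func (s *AuthService) PublicKey() ed25519.PublicKey { return s.pub }

// sign builds a compact JWT: base64url(header).base64url(claims).base64url(signature).
func (s *AuthService) sign(c Claims) string {
	body, _ := json.Marshal(c) // Claims holds only strings and an int64, so Marshal cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(s.priv, []byte(input)))
}

func (s *AuthService) issue(sub, role string, now time.Time) TokenPair {
	access := s.sign(Claims{Sub: sub, Role: role, Typ: "access", Exp: now.Add(s.accessTTL).Unix()})
	refresh := s.sign(Claims{Sub: sub, Role: role, Typ: "refresh", Exp: now.Add(s.refreshTTL).Unix()})
	return TokenPair{Access: access, Refresh: refresh}
}

// Authenticate is the one-time primary authentication; on success both tokens are issued.
func (s *AuthService) Authenticate(clientID, secret string, now time.Time) (TokenPair, error) {
	cred, ok := s.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(cred.Secret), []byte(secret)) != 1 {
		return TokenPair{}, errors.New("invalid client credentials")
	}
	return s.issue(clientID, cred.Role, now), nil
}

// Refresh is what the client calls with its refresh token once the access token has expired.
func (s *AuthService) Refresh(refreshToken string, now time.Time) (TokenPair, error) {
	c, err := VerifyToken(s.pub, refreshToken, "refresh", now)
	if err != nil {
		return TokenPair{}, fmt.Errorf("refresh rejected: %w", err)
	}
	return s.issue(c.Sub, c.Role, now), nil
}

// VerifyToken is the third-party service's check: signature under the authorization service public key
// (the header's "alg" is ignored on purpose; only Ed25519 is accepted), then token type and lifetime.
func VerifyToken(pub ed25519.PublicKey, token, wantTyp string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Typ != wantTyp {
		return Claims{}, fmt.Errorf("expected %s token, got %s", wantTyp, c.Typ)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	svc, _ := NewAuthService(map[string]Credential{"corp-client": {"s3cret", "client"}}, time.Minute, time.Hour)
	pair, _ := svc.Authenticate("corp-client", "s3cret", time.Now())
	later := time.Now().Add(5 * time.Minute) // the access token (1 min) has expired, the refresh token (1 h) has not
	if _, err := VerifyToken(svc.PublicKey(), pair.Access, "access", later); err != nil {
		pair, _ = svc.Refresh(pair.Refresh, later) // client-side step: renew before querying the service
	}
	c, err := VerifyToken(svc.PublicKey(), pair.Access, "access", later)
	fmt.Println(c.Sub, c.Role, err) // corp-client client <nil>
}
```

Two design points matter for the accepting service: the verifier never trusts the token's own `alg` header (a token claiming a different algorithm is still checked as Ed25519 and fails), and a refresh token is rejected wherever an access token is required, so a leaked long-lived refresh token cannot be presented directly to a third-party service. Credentials are compared in constant time so that the primary authentication step does not leak secret length or prefix through timing.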
A description of the authorization methods is provided in the article Authorization service: authorization variants.
The data service gathers blockchain data into a database. It has its own API for access to the gathered data.
In the Waves Enterprise Mainnet, the data service operates autonomously and access to its API is restricted. For deployment in a private network, the data service is configured by Waves Enterprise specialists according to the specifics of the project. You can also change data service parameters yourself using the environment variables described in the article Data service: manual configuration.