neeto Architecture

neetoAuth Internals

Essentially, neetoAuth is an OAuth provider for all the neeto applications. It provides a one-stop authentication solution for all the neeto applications by using the OAuth 2.0 protocol.

From the authentication perspective, neetoAuth is the main authentication application. Internally, neetoAuth uses the devise, omniauth-oauth2 and doorkeeper gems to implement OAuth 2.0 authentication and Single Sign-On for the neeto applications. Devise allows us to define a custom OAuth authentication strategy for OmniAuth-based authentication, and neetoAuth uses the doorkeeper gem to provide that custom OAuth 2.0 authentication strategy to devise (specifics of the custom authentication strategy are described below).

From the neeto application's perspective, neetoAuth's database is the source of truth for the Organization and User tables, and all applications derive Organization data, User data, API keys and other necessary data from it. The Organization and its Users are created in each neeto application when a new organization is created, and they are updated whenever any field in a row is updated. The neeto application interfaces with neetoAuth in the following ways:

  1. Login Flow
  2. Sign up Flow
  3. Creating organizations and updating information for a particular organization when its data has been updated
  4. Creating users and updating users whenever a user's profile has been updated
  5. Fetching information about what roles are available in each neeto application
  6. Credentials verification API for mobile
  7. Fetching information about other neeto applications
  8. Restricting access for a user who has not been given access to an app or to the organization itself
  9. Disabling the organization, so that the public cannot access the application
  10. Single Sign-Out (or Logout), which logs the user out of all the neeto applications

neeto_sso gem

The neeto_sso gem is an adapter which is present in all the neeto applications so that the neeto application and neetoAuth can communicate with each other for SSO (Single Sign On), data fetching, and data synchronization.

How does OAuth 2.0 Authentication with Doorkeeper work?

Single Sign On Flow for Web

Note: If the sequence diagram is not visible in the GitHub README.md, the README.md with the sequence diagram can be viewed in VS Code with the Markdown Preview Enhanced extension, or the file can be viewed in StackEdit.

The following sequence diagram shows how the login strategy is handled using the OAuth 2.0 protocol and the Doorkeeper gem.

Sequence diagram: Login Flow for Web. Participants: Browser, neeto Application, neetoAuth, neeto Application 2. The messages, in order:

  1. Browser -> neeto Application: Access neeto App
  2. neeto Application -> Browser: redirect to /users/auth/doorkeeper to authenticate user using doorkeeper
  3. neeto Application -> neetoAuth: neeto application redirects to neetoAuth /oauth/authorize to check if user is logged in
  4. neetoAuth -> Browser: Redirect to /login for login
  5. Browser -> neetoAuth: Redirect to /oauth/authorize with authenticated params which is used to create
  6. neetoAuth -> Browser: After logging in to neetoAuth, the user is redirected back to the neeto application
  7. neeto Application -> neetoAuth: exchange access token with code, POST /oauth/token
  8. neetoAuth: generate access token and refresh token for user session
  9. neetoAuth -> neeto Application: response access token
  10. neeto Application -> Browser: write access token to browser cookie
  11. Browser -> neeto Application 2: Access another neeto application after authenticating with neetoAuth
  12. neeto Application 2 -> Browser: redirect to /users/auth/doorkeeper
  13. neeto Application 2 -> neetoAuth: Doorkeeper redirects to neetoAuth GET /oauth/authorize
  14. neetoAuth -> Browser: Redirects user back to neeto Application 2, since user is already logged in
  15. neeto Application 2 -> neetoAuth: exchange access token with code, POST /oauth/token
  16. neetoAuth -> neeto Application 2: response access token
  17. neeto Application 2 -> Browser: write access token to browser cookie
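The authorization-code exchange in steps 5 to 10 and 13 to 17 is where most of the security of this flow lives: the code must be short-lived, single-use, and bound to the client and redirect URI it was issued for, and the token endpoint must authenticate the client before handing out tokens. The following Ruby is an added example that models those checks in memory; it is not neetoAuth's or Doorkeeper's code, and the class and method names (AuthServer, authorize, token, user_for) and the two sample clients are assumptions made for the illustration.

```ruby
require "securerandom"
require "time"

# Added example: an in-memory model of the Doorkeeper-style authorization code
# exchange from the web login flow. Names are illustrative, not neetoAuth's API.
class AuthorizationError < StandardError; end

class AuthServer
  CODE_TTL = 60            # seconds an authorization code stays valid
  ACCESS_TOKEN_TTL = 7200  # seconds an access token stays valid

  Client = Struct.new(:id, :secret, :redirect_uri)

  def initialize
    @clients = {}
    @codes = {}   # code => { client_id:, redirect_uri:, user_id:, expires_at: }
    @tokens = {}  # access_token => { user_id:, client_id:, expires_at:, refresh_token: }
  end

  def register_client(id:, secret:, redirect_uri:)
    @clients[id] = Client.new(id, secret, redirect_uri)
  end

  # GET /oauth/authorize: the user is already logged in to neetoAuth, so issue a
  # short-lived, single-use code bound to this client and redirect_uri.
  def authorize(client_id:, redirect_uri:, user_id:, now: Time.now)
    client = @clients[client_id] or raise AuthorizationError, "unknown client"
    raise AuthorizationError, "redirect_uri mismatch" unless client.redirect_uri == redirect_uri
    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, user_id: user_id, expires_at: now + CODE_TTL }
    "#{redirect_uri}?code=#{code}"
  end

  # POST /oauth/token: authenticate the client, then exchange the code for tokens.
  def token(client_id:, client_secret:, code:, redirect_uri:, now: Time.now)
    client = @clients[client_id] or raise AuthorizationError, "unknown client"
    raise AuthorizationError, "bad client secret" unless secure_equal?(client.secret, client_secret)
    grant = @codes.delete(code) or raise AuthorizationError, "invalid or already used code" # single use
    raise AuthorizationError, "code expired" if now > grant[:expires_at]
    raise AuthorizationError, "code issued to another client" unless grant[:client_id] == client_id
    raise AuthorizationError, "redirect_uri mismatch" unless grant[:redirect_uri] == redirect_uri
    access = SecureRandom.urlsafe_base64(32)
    refresh = SecureRandom.urlsafe_base64(32)
    @tokens[access] = { user_id: grant[:user_id], client_id: client_id, expires_at: now + ACCESS_TOKEN_TTL, refresh_token: refresh }
    { access_token: access, refresh_token: refresh, expires_in: ACCESS_TOKEN_TTL, token_type: "Bearer" }
  end

  # Resource-side check: which user does a presented access token belong to?
  def user_for(access_token, now: Time.now)
    t = @tokens[access_token]
    return nil if t.nil? || now > t[:expires_at]
    t[:user_id]
  end

  private

  # Constant-time comparison so a wrong secret does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walks both legs of the diagram: the first app logs in, the second reuses the neetoAuth session.
def demo_login_flow
  server = AuthServer.new
  cb1 = "https://app1.example/users/auth/doorkeeper/callback" # constructed redirect URIs
  cb2 = "https://app2.example/users/auth/doorkeeper/callback"
  server.register_client(id: "neeto-app-1", secret: "secret-1", redirect_uri: cb1)
  server.register_client(id: "neeto-app-2", secret: "secret-2", redirect_uri: cb2)

  # constructed: user 42 has just authenticated at neetoAuth
  code1 = server.authorize(client_id: "neeto-app-1", redirect_uri: cb1, user_id: 42).split("code=").last
  tok1 = server.token(client_id: "neeto-app-1", client_secret: "secret-1", code: code1, redirect_uri: cb1)

  # second application: neetoAuth still holds the session, so no login prompt, just a fresh code
  code2 = server.authorize(client_id: "neeto-app-2", redirect_uri: cb2, user_id: 42).split("code=").last
  tok2 = server.token(client_id: "neeto-app-2", client_secret: "secret-2", code: code2, redirect_uri: cb2)

  # replaying the first code must be refused
  replay_rejected = begin
    server.token(client_id: "neeto-app-1", client_secret: "secret-1", code: code1, redirect_uri: cb1)
    false
  rescue AuthorizationError
    true
  end

  { user1: server.user_for(tok1[:access_token]), user2: server.user_for(tok2[:access_token]),
    replay_rejected: replay_rejected, distinct_tokens: tok1[:access_token] != tok2[:access_token] }
end
```

Running `demo_login_flow` resolves both access tokens to user 42, issues different tokens to the two applications, and rejects the replayed code; passing a later `now:` to `token` shows the expiry check in the same way.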

Login Flow for Mobile Apps

Sequence diagram: Login Flow for Mobile. Participants: Mobile App, neeto Application Server, neetoAuth. The messages, in order:

  1. Mobile App -> neeto Application Server: Send login credentials
  2. neeto Application Server -> neetoAuth: forwards credentials to neetoAuth server
  3. neetoAuth -> neeto Application Server: Responds with :unauthorized if credentials were invalid
  4. neetoAuth -> neeto Application Server: Responds with a :success response with email, token, and user_id if credentials are valid
  5. neeto Application Server -> Mobile App: Responds with a :success response with email, token, and user_id if credentials are valid
  6. Mobile App: Sets email and token in headers of outgoing requests to neeto Application Server
  7. Mobile App -> neeto Application Server: Request with x-auth-token and x-auth-email
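Step 7 puts the burden on the neeto application server: every subsequent request carries the email and token in headers, so the server needs a lookup keyed by email, a comparison of the presented token that does not leak timing, and a way to revoke a session so that a stale token stops working. The Ruby below is an added example of that server-side check; it is not neeto_sso's or neetoAuth's code, and MobileSessionStore, its methods and the sample user are assumptions made for the illustration (the header names are the ones from the diagram).

```ruby
require "securerandom"

# Added example: how a neeto application server could validate the x-auth-email and
# x-auth-token headers the mobile app sends. MobileSessionStore is illustrative only.
class MobileSessionStore
  Session = Struct.new(:email, :token, :user_id)

  def initialize
    @by_email = {}
  end

  # Called once neetoAuth has answered :success for the forwarded credentials;
  # returns the payload the server hands back to the mobile app.
  def issue(email:, user_id:)
    token = SecureRandom.hex(32)
    @by_email[email.downcase] = Session.new(email.downcase, token, user_id)
    { email: email, token: token, user_id: user_id }
  end

  # Logout or access revocation: the token must stop working immediately.
  def revoke(email)
    !@by_email.delete(email.downcase).nil?
  end

  # headers: a Hash of lower-cased header names, as a Rack middleware would see them.
  # Returns the user_id for an authenticated request, or nil otherwise.
  def authenticate(headers)
    email = headers["x-auth-email"]
    token = headers["x-auth-token"]
    return nil if email.nil? || token.nil? || email.empty? || token.empty?
    session = @by_email[email.downcase]
    return nil if session.nil?
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return nil unless secure_equal?(session.token, token)
    session.user_id
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Exercises the store with a valid request, a wrong token, missing headers and a revoked session.
def demo_mobile_auth
  store = MobileSessionStore.new
  # constructed: neetoAuth has validated oliver@example.com and returned user_id 7
  session = store.issue(email: "oliver@example.com", user_id: 7)
  good = store.authenticate("x-auth-email" => "Oliver@Example.com", "x-auth-token" => session[:token])
  wrong_token = store.authenticate("x-auth-email" => "oliver@example.com", "x-auth-token" => "f" * 64)
  missing = store.authenticate({})
  store.revoke("oliver@example.com")
  after_revoke = store.authenticate("x-auth-email" => "oliver@example.com", "x-auth-token" => session[:token])
  { good: good, wrong_token: wrong_token, missing: missing, after_revoke: after_revoke }
end
```

Only the first request resolves to a user; a wrong token, absent headers, or a revoked session all return nil, which is the case the server should map to :unauthorized.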

Single Logout Flow

WIP.

How does neeto_sso integrate with each neeto application and neetoAuth?

Diagram: integration of neeto_sso between a neeto application and neetoAuth. Components shown: neetoApp (with its Database, server and sidekiq worker), neeto_sso, and neetoAuth (with its Database). The labelled edges are "Updates", "Queues updates", "Sends Updates", "Requests information", "Provides information", "Sends Updates" and "Performs Update".
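The diagram's "Queues updates" and "Performs Update" edges, together with the Organization and User synchronization described earlier, mean that a neeto application applies changes it did not originate and that may arrive late, twice, or out of order from a background worker. The Ruby below is an added example of applying such queued updates safely: a stale or duplicate delivery never overwrites a newer row, and a malformed payload is rejected rather than partially applied. It is not neeto_sso's code; SyncStore, SyncWorker, the payload shape (table, id, updated_at, attributes) and the sample payloads are assumptions made for the illustration.

```ruby
require "time"

# Added example: idempotent, order-tolerant application of Organization/User
# updates queued from neetoAuth. Class names and payload shape are illustrative.
class SyncStore
  def initialize
    @tables = Hash.new { |h, k| h[k] = {} } # table => { id => attributes }
  end

  # payload: { "table" => "organizations", "id" => 1, "updated_at" => ISO 8601,
  #            "attributes" => { column => value, ... } }  (full row, not a delta)
  # Returns :created, :updated or :stale; raises KeyError on a malformed payload.
  def apply(payload)
    table = payload.fetch("table")
    id = payload.fetch("id")
    incoming_at = Time.iso8601(payload.fetch("updated_at"))
    attrs = payload.fetch("attributes").merge("updated_at" => incoming_at)
    current = @tables[table][id]
    if current.nil?
      @tables[table][id] = attrs
      :created
    elsif incoming_at <= current["updated_at"]
      :stale # older or duplicate delivery: keep the row we already have
    else
      @tables[table][id] = current.merge(attrs)
      :updated
    end
  end

  def find(table, id)
    @tables[table][id]
  end
end

# Stands in for the sidekiq worker draining its queue. A malformed job is reported
# as :rejected here; under sidekiq the raised error would make the job retry.
class SyncWorker
  def initialize(store)
    @store = store
    @queue = []
  end

  def enqueue(payload)
    @queue << payload
  end

  def drain
    results = []
    until @queue.empty?
      payload = @queue.shift
      results << begin
        @store.apply(payload)
      rescue KeyError, ArgumentError
        :rejected
      end
    end
    results
  end
end

# Constructed payloads, deliberately enqueued out of order and with a duplicate.
def demo_sync
  store = SyncStore.new
  worker = SyncWorker.new(store)
  newer = { "table" => "organizations", "id" => 1, "updated_at" => "2023-01-01T10:05:00Z",
            "attributes" => { "name" => "Acme (renamed)", "plan" => "free" } }
  older = { "table" => "organizations", "id" => 1, "updated_at" => "2023-01-01T10:00:00Z",
            "attributes" => { "name" => "Acme", "plan" => "free" } }
  worker.enqueue(newer)
  worker.enqueue(older)          # arrives after the newer row: must be ignored
  worker.enqueue(newer)          # duplicate delivery: must be a no-op
  worker.enqueue("table" => "users", "id" => 9, "attributes" => {}) # missing updated_at
  { results: worker.drain, org: store.find("organizations", 1) }
end
```

The ordering rule relies on updated_at from the source of truth (neetoAuth), not on the time the worker happens to run, which is what keeps a retried job from clobbering a change that already landed.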