architecture.rst

Architecture

The single sign-on system consists of three components:

  1. The OAuth2 and OpenID Connect (OIDC) provider, Hydra
  2. The identity provider, Kratos
  3. The Login application, which acts as Hydra's login panel and consent application and also provides a settings screen built on the Kratos settings flow (mostly used for password reset).

Overview

The single sign-on system as a whole stores your users and lets them authenticate to applications. The users live in Kratos's database. Kratos also exposes self-service flow APIs from which the Login application renders the user interfaces for many user-related tasks, such as:

  1. Setting your name and username
  2. The whole password reset flow
  3. The login form
  4. 2FA (not implemented in the login application yet)

The Login application is mostly a front-end: it uses the Kratos API to render the views for logging in, resetting the password and editing some user data.

Flows

Logging in

The Kratos login flow is documented in the Kratos documentation. Our implementation is only slightly different from what you see there:

User creation

We have not implemented Kratos's registration flow, because users cannot self-register on a Stackspin cluster. An administrator always creates new users through the Dashboard application, and an email address must be provided for every user.

Once a user has been created, they set or reset their password through Kratos's account recovery and password reset flow. We use the recovery link method.
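The two integrations described above, as an added example in Python: an administrator provisions a Kratos identity and issues a recovery link through which the user sets a password (there is no registration flow), and the Login application answers Hydra's login challenge from the Kratos session and its consent challenge from the identity's traits. This is not code from the Stackspin Login application or Dashboard. It assumes Hydra 2.x admin API paths under /admin/oauth2, the Kratos admin endpoints /admin/identities and /admin/recovery/link, an identity schema with the traits email, name and username, and an injected HTTP callable so that the module runs offline against the in-memory stub at the end of the block.

```python
# Added example, not code from the Stackspin project. Assumed, not taken from
# the page: Hydra 2.x admin paths under /admin/oauth2, Kratos admin paths
# /admin/identities and /admin/recovery/link, and an identity schema with the
# traits email, name and username. HTTP is an injected callable
# (method, url, json_body) -> parsed json, so everything runs offline.
import uuid

KRATOS_ADMIN = "http://kratos-admin"   # assumed cluster-internal URLs
HYDRA_ADMIN = "http://hydra-admin"
ALLOWED_SCOPES = {"openid", "profile", "email"}


def create_user(http, email, name, username):
    """Admin side: create the identity (email is mandatory) and mint a
    short-lived recovery link; the first password is set through that link."""
    if not email or "@" not in email:
        raise ValueError("an email address is always required")
    identity = http("POST", f"{KRATOS_ADMIN}/admin/identities", {
        "schema_id": "default",
        "traits": {"email": email, "name": name, "username": username}})
    link = http("POST", f"{KRATOS_ADMIN}/admin/recovery/link",
                {"identity_id": identity["id"], "expires_in": "1h"})
    return identity["id"], link["recovery_link"]


def accept_login(http, login_challenge, kratos_session):
    """Login app: the OIDC subject is the Kratos identity id from the
    server-side session (the /sessions/whoami result), never browser input."""
    req = http("GET", f"{HYDRA_ADMIN}/admin/oauth2/auth/requests/login"
                      f"?login_challenge={login_challenge}", None)
    if req.get("skip"):                       # Hydra already remembers the user
        subject = req["subject"]
    elif kratos_session and kratos_session.get("active"):
        subject = kratos_session["identity"]["id"]
    else:
        raise PermissionError("no active Kratos session: render the login form")
    done = http("PUT", f"{HYDRA_ADMIN}/admin/oauth2/auth/requests/login/accept"
                       f"?login_challenge={login_challenge}",
                {"subject": subject, "remember": True, "remember_for": 3600})
    return done["redirect_to"]


def accept_consent(http, consent_challenge):
    """Consent app: grant only scopes this deployment knows, and fill the ID
    token claims from Kratos traits rather than from the consent form."""
    req = http("GET", f"{HYDRA_ADMIN}/admin/oauth2/auth/requests/consent"
                      f"?consent_challenge={consent_challenge}", None)
    traits = http("GET", f"{KRATOS_ADMIN}/admin/identities/{req['subject']}",
                  None)["traits"]
    granted = [s for s in req["requested_scope"] if s in ALLOWED_SCOPES]
    claims = {"email": traits["email"], "name": traits["name"],
              "preferred_username": traits["username"]}
    done = http("PUT", f"{HYDRA_ADMIN}/admin/oauth2/auth/requests/consent/accept"
                       f"?consent_challenge={consent_challenge}",
                {"grant_scope": granted, "session": {"id_token": claims}})
    return done["redirect_to"], granted


class StubAdminApis:
    """Constructed in-memory stand-in for the Kratos and Hydra admin APIs,
    only rich enough to exercise the functions above without a cluster."""
    def __init__(self):
        self.identities, self.challenges = {}, {}

    def __call__(self, method, url, body):
        path, _, query = url.partition("?")
        if (method, path) == ("POST", f"{KRATOS_ADMIN}/admin/identities"):
            iid = str(uuid.uuid4())
            self.identities[iid] = {"id": iid, "traits": body["traits"]}
            return self.identities[iid]
        if (method, path) == ("POST", f"{KRATOS_ADMIN}/admin/recovery/link"):
            if body["identity_id"] not in self.identities:
                raise KeyError("unknown identity")
            return {"recovery_link": "https://sso.example.org/self-service/"
                                     f"recovery?token={uuid.uuid4().hex}"}
        if method == "GET" and path.startswith(f"{KRATOS_ADMIN}/admin/identities/"):
            return self.identities[path.rsplit("/", 1)[1]]
        challenge = query.split("=", 1)[1]        # Hydra challenge endpoints
        if method == "GET":
            return self.challenges[challenge]
        return {"redirect_to": f"https://sso.example.org/oauth2/auth?verifier={challenge}"}


def demo():
    """End to end against the stub, with constructed challenge data."""
    api = StubAdminApis()
    uid, link = create_user(api, "alice@example.org", "Alice", "alice")
    session = {"active": True, "identity": api.identities[uid]}
    api.challenges["lc1"] = {"skip": False, "requested_scope": ["openid"]}
    login_redirect = accept_login(api, "lc1", session)
    api.challenges["cc1"] = {"subject": uid,
                             "requested_scope": ["openid", "email", "admin"]}
    consent_redirect, granted = accept_consent(api, "cc1")
    return {"uid": uid, "link": link, "login": login_redirect,
            "consent": consent_redirect, "granted": granted}
```

Two properties of this sketch are worth keeping in any real implementation: the subject handed to Hydra is always the identity id from the Kratos session, and the ID token claims are read back from Kratos, so nothing the browser posts to the login or consent form can change who the user is or what the token says. Scopes outside ALLOWED_SCOPES are dropped silently here; a real consent screen would show the user which scopes are being granted.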

User settings

Although users can change their settings through the Dashboard application, the Login application also offers its own version of the Kratos user-settings flow.