Client auth · pluggable
Client auth yagona IdentityResolver porti orqali. Drayver har source_service uchun alohida
tanlanadi — bir loyiha jwt, boshqasi ticket ishlatishi mumkin. Servis hech qaysi usulga qattiq
bog’lanmaydi. JWT — faqat bitta usul, yagona emas.
IdentityResolver.Resolve(credential) → Principal{ source_service, external_user_id, email?, phone?, ... }01 · jwt — lokal verify (stateless)
heading.anchorLabelClient o’z consumer JWT’sini beradi; biz imzoni lokal verify qilamiz (per-issuer kalit yoki
JWKS) va user_id claim’ini olamiz.
Qachon: consumer JWT beradi va kalit/JWKS bera oladi. Tarmoqsiz, tez.
02 · introspection — consumer verify API
heading.anchorLabelClient opaque token beradi; biz uni consumer’ning introspection_urliga yuboramiz; consumer
bizning kanonik formatda userni qaytaradi. Keyin upsert.
Qachon: opaque token, yoki consumer imzo kalitini bermaydi (RFC 7662 uslubi).
03 · ticket — biz beradigan socket chiptasi
heading.anchorLabelConsumer backend (servis-servis auth bilan) bizdan qisqa muddatli, single-use socket ticket
so’raydi; client o’sha ticket bilan ulanadi (wss://…/realtime?ticket=…). Biz IdP emasmiz —
parol emas, sessiya chiptasi.
Qachon: brauzerga consumer JWT’sini oshkor qilmaslik kerak; biz socket sessiyasini nazorat qilamiz.