skipLink.label

Client auth · pluggable

Client auth yagona IdentityResolver porti orqali. Drayver har source_service uchun alohida tanlanadi — bir loyiha jwt, boshqasi ticket ishlatishi mumkin. Servis hech qaysi usulga qattiq bog’lanmaydi. JWT — faqat bitta usul, yagona emas.

IdentityResolver.Resolve(credential) → Principal{ source_service, external_user_id, email?, phone?, ... }

01 · jwt — lokal verify (stateless)

heading.anchorLabel

Client o’z consumer JWT’sini beradi; biz imzoni lokal verify qilamiz (per-issuer kalit yoki JWKS) va user_id claim’ini olamiz.

Qachon: consumer JWT beradi va kalit/JWKS bera oladi. Tarmoqsiz, tez.

02 · introspection — consumer verify API

heading.anchorLabel

Client opaque token beradi; biz uni consumer’ning introspection_urliga yuboramiz; consumer bizning kanonik formatda userni qaytaradi. Keyin upsert.

Qachon: opaque token, yoki consumer imzo kalitini bermaydi (RFC 7662 uslubi).

03 · ticket — biz beradigan socket chiptasi

heading.anchorLabel

Consumer backend (servis-servis auth bilan) bizdan qisqa muddatli, single-use socket ticket so’raydi; client o’sha ticket bilan ulanadi (wss://…/realtime?ticket=…). Biz IdP emasmiz — parol emas, sessiya chiptasi.

Qachon: brauzerga consumer JWT’sini oshkor qilmaslik kerak; biz socket sessiyasini nazorat qilamiz.