Authentication
Tarasol uses a multi-layered authentication system built on JWT tokens with support for SSO, delegation, and service-to-service authentication.
Token Types
| Token Type | Duration | Purpose |
|---|---|---|
| Access Token | 1 hour | API request authorization |
| Refresh Token | 7 days | Access token renewal |
| S2S Token | Configurable | Service-to-service auth |
| OTP Token | 5 minutes | One-time password verification |
Authentication Flow
[Diagram: Authentication Flow]
Token Refresh
When an access token expires, the client can use the refresh token to obtain a new pair:
POST /api/identity/refresh-token
Exchange a valid refresh token for new access + refresh tokens.
SSO Integration (OpenAM)
Tarasol supports Single Sign-On via OpenAM:
- Client redirects to OpenAM login page
- OpenAM authenticates and redirects back with SSO token
- Identity Service validates SSO token with OpenAM
- JWT tokens issued for the authenticated user
Delegation
The delegation system allows users to grant their permissions to other users temporarily:
- Delegation Created — Admin service publishes notify.delegation_created.requested
- Delegation Cancelled — Admin service publishes notify.delegation_cancelled.requested
- Delegated users inherit the delegator's role and permissions for the delegation period
Session Management
Sessions are tracked in Redis with the following data:
- User ID and tenant context
- Login timestamp and last activity
- Device information
- IP address
Session Lifecycle
[Diagram: Session Lifecycle]
⚠ Warning
JWT secrets must be configured consistently across all services. The JWT_SECRET environment variable must match between the Identity Service and all consuming services: a token signed by the Identity Service with one secret fails signature verification at any service configured with a different one, and every request carrying it is rejected.
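As an added illustration (not Tarasol's own code), the following Python issues and verifies HS256 access and refresh tokens with the lifetimes from the token table, implements the refresh exchange described under Token Refresh, and shows the rejection a JWT_SECRET mismatch produces at a consuming service. The claim names (sub, tenant, typ), the HS256 algorithm and the secret values are assumptions.

```python
import base64, hashlib, hmac, json
# Lifetimes from the token table, in seconds (assumption: exp = iat + lifetime).
ACCESS_TTL = 60 * 60            # access token: 1 hour
REFRESH_TTL = 7 * 24 * 60 * 60  # refresh token: 7 days

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: str, sub: str, tenant: str, kind: str, now: int) -> str:
    """Issue an HS256 JWT; kind is 'access' or 'refresh' and selects the lifetime."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "tenant": tenant, "typ": kind, "iat": now, "exp": now + ttl}
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: str, token: str, expected_kind: str, now: int) -> dict:
    """Check signature, algorithm, token type and expiry; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour the header's alg ('none', RS256, ...)
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")  # what a JWT_SECRET mismatch between services looks like
    claims = json.loads(_b64url_decode(p))
    if claims.get("typ") != expected_kind:
        raise ValueError("wrong token type")  # e.g. a refresh token presented as an access token
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def check(secret: str, token: str, expected_kind: str, now: int) -> str:
    """Return 'ok' or the rejection reason, as a consuming service would log it."""
    try:
        verify_token(secret, token, expected_kind, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

def refresh(secret: str, refresh_token: str, now: int) -> tuple:
    """POST /api/identity/refresh-token: exchange a valid refresh token for a new pair."""
    claims = verify_token(secret, refresh_token, "refresh", now)
    return (issue_token(secret, claims["sub"], claims["tenant"], "access", now),
            issue_token(secret, claims["sub"], claims["tenant"], "refresh", now))
```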