Hi Devs, I had an offline discussion with Prabath. This is the security architecture we came up with for the Stratos Manager, both frontend and backend.
https://docs.google.com/drawings/d/1zXAr_A66syMUMkDO044l3HiroZgzv5g9mQQbfMJDotA/edit?usp=sharing

Here I explain the steps; please refer to the diagram for the numbering.

1. User comes to the Stratos Manager portal.
2. Gets redirected to the Identity Server.
3. User logs in at the Identity Server and is redirected back with a SAML assertion carrying the logged-in user's claims.
   - This flow completes the SSO login for the Stratos Manager portal. After this flow the Stratos Manager portal knows the logged-in user's role/behaviour and customizes the user experience for that user.
   - Stratos Manager contacts the backend REST API for operations. The REST API is secured using OAuth and expects a valid OAuth access token.
4/5. Stratos Manager gets an OAuth access token from the IS using the SAML grant type (gives a SAML token and gets an access token).
6. Access the backend REST API using the retrieved access token for the user.
7. The REST API validates the incoming request by calling the validation endpoint of the OAuth server (Identity Server).

WDYT?

thanks,
--Pradeep
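The steps above, run end to end in one process, as an added example that is not part of Pradeep's mail and not Stratos or WSO2 Identity Server code. The three parties (Identity Server, Stratos Manager portal, backend REST API) are toy classes; the endpoint URLs, entity ids, role names and the HMAC used in place of the XML signature are all constructed assumptions. What it shows beyond the step list: the SAML2 bearer grant (RFC 7522) token request, the checks the IS must make before issuing a token (signature, issuer, audience naming the token endpoint, expiry), the introspection-style reply of the validation endpoint in step 7, and two failure cases a reviewer would want covered, a tampered assertion and an assertion whose audience does not include the token endpoint.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for the names in the mail; none of these are real Stratos or WSO2 IS values.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type value
IS_ISSUER = "https://is.example/saml2"                           # assumed IdP entity id
IS_TOKEN_ENDPOINT = "https://is.example/oauth2/token"            # assumed OAuth token endpoint
PORTAL_ENTITY_ID = "stratos-manager"                             # assumed SP entity id


class IdentityServer:
    """Toy IdP + OAuth server. An HMAC over the JSON claims stands in for the XML signature."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assertion signing key, never leaves the IS
        self._tokens = {}                    # access_token -> claims

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def login(self, subject, roles, audiences, ttl=300):
        """Step 3: user authenticated; return a signed assertion carrying the user's claims."""
        claims = {"iss": IS_ISSUER, "sub": subject, "roles": roles,
                  "aud": audiences, "exp": int(time.time()) + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload + b"." + self._sign(payload)).decode()

    def token(self, form):
        """Steps 4/5: SAML2 bearer grant. Each check here must pass before a token is issued."""
        if form.get("grant_type") != SAML2_BEARER:
            return {"error": "unsupported_grant_type"}
        try:
            payload, sig = base64.urlsafe_b64decode(form["assertion"]).rsplit(b".", 1)
        except (KeyError, ValueError):
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(sig, self._sign(payload)):
            return {"error": "invalid_grant"}   # signature mismatch: tampered or forged assertion
        claims = json.loads(payload)
        if claims["iss"] != IS_ISSUER or IS_TOKEN_ENDPOINT not in claims["aud"]:
            return {"error": "invalid_grant"}   # untrusted issuer, or not addressed to this AS
        if claims["exp"] < time.time():
            return {"error": "invalid_grant"}   # expired assertion
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = {"sub": claims["sub"], "roles": claims["roles"], "exp": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def validate(self, token):
        """Step 7: the validation endpoint the REST API calls; introspection-style reply."""
        c = self._tokens.get(token)
        if c is None or c["exp"] < time.time():
            return {"active": False}
        return {"active": True, "sub": c["sub"], "roles": c["roles"]}


class StratosRestApi:
    """Backend REST API: trusts nothing in the request until the IS reports the token active."""

    def __init__(self, idp):
        self._idp = idp

    def handle(self, headers, action):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self._idp.validate(auth[len("Bearer "):])
        if not info["active"]:
            return 401, "token inactive"
        if action == "deploy_cartridge" and "admin" not in info["roles"]:
            return 403, "%s lacks the admin role" % info["sub"]   # assumed role rule
        return 200, "%s performed by %s" % (action, info["sub"])


class StratosManagerPortal:
    """Frontend: holds the SSO assertion, swaps it for a token, calls the API (step 6)."""

    def __init__(self, idp, api):
        self._idp, self._api = idp, api

    def sso_login(self, subject, roles):
        # Steps 1-3 collapsed. The assertion must list the token endpoint as an audience
        # as well as the portal, or the bearer grant in step 4/5 is refused.
        return self._idp.login(subject, roles, [PORTAL_ENTITY_ID, IS_TOKEN_ENDPOINT])

    def call_api(self, assertion, action):
        resp = self._idp.token({"grant_type": SAML2_BEARER, "assertion": assertion})
        if "access_token" not in resp:
            return 401, "token exchange failed: " + resp["error"]
        return self._api.handle({"Authorization": "Bearer " + resp["access_token"]}, action)


def run_flow(subject, roles, action):
    """Happy path for one user; returns the REST API's (status, message)."""
    idp = IdentityServer()
    portal = StratosManagerPortal(idp, StratosRestApi(idp))
    return portal.call_api(portal.sso_login(subject, roles), action)


def tampered_assertion_is_rejected():
    """A developer rewriting their roles to admin without the IS key must get invalid_grant."""
    idp = IdentityServer()
    portal = StratosManagerPortal(idp, StratosRestApi(idp))
    raw = base64.urlsafe_b64decode(portal.sso_login("dev@example.com", ["developer"]))
    payload, sig = raw.rsplit(b".", 1)
    claims = json.loads(payload)
    claims["roles"] = ["admin"]
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode() + b"." + sig).decode()
    return portal.call_api(forged, "deploy_cartridge")[0] == 401


def wrong_audience_is_rejected():
    """An assertion addressed only to the portal (no token-endpoint audience) cannot be exchanged."""
    idp = IdentityServer()
    assertion = idp.login("admin@example.com", ["admin"], [PORTAL_ENTITY_ID])
    return idp.token({"grant_type": SAML2_BEARER, "assertion": assertion}) == {"error": "invalid_grant"}
```

Two points the toy makes concrete: the assertion the portal received for SSO is only usable in step 4/5 if the IS was configured to put the token endpoint in its audience list, and step 7 must treat anything other than an active reply from the validation endpoint as unauthenticated, since the API itself never parses the token.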
