Auth service
Esta página aún no está disponible en tu idioma.
Rafiki’s auth service provides you with a reference implementation of an Open Payments authorization server and allows you to manage authentication and authorization on a per-tenant basis. You can use the auth service as an alternative to developing your own in-house service for grant authorization and authentication.
The authorization server:
- Authorizes incoming requests from clients (for example, third-party applications) to create payments and quotes on the backend
- Relays information about the interaction to the client and records the response
- Issues access tokens, which describe access rights, to clients and communicates with the resource server to validate those rights
You must have the following when using the auth service.
- A Redis database for storing session data
- A Postgres database, separate from the backendservice’s database, to store auth-related resources (grants, access tokens, and interactions)
- Integration with an identity provider
You must also set the environment variables for the auth service.
When a request comes from a client with an account known to your local instance of Rafiki, the auth service uses data stored in the auth service’s Postgres database.
When a request comes from a client registered with another instance of Rafiki, the auth service resolves the client’s key endpoint (for example, https://wallet.example.com/alice/jwks.json) to retrieve the client’s public keys, then filters out the correct key using the key id (kid) in the client’s signature.
Review the Open Payments documentation for more information about client keys.
An identity provider (IdP) is a system or service that manages user authentication, identity information, and consent. When you use your Google Account credentials to “Sign in with Google” on an app or website, for example, Google is acting as your identity provider. Each tenant must use their own IdP for authentication.
You must integrate with an IdP when using Rafiki’s auth service because the Open Payments standard requires interactive outgoing payment grant requests. In an interactive request, there must be explicit interaction by an individual (for example, a client’s end-user) to approve or deny the grant. In this case, the grant must be explicitly approved before an outgoing payment is created.
For more information about interactive grants and how they work with identity providers, review the Identity Provider page and the Grant negotiation and authorization page in the Open Payments docs.
The auth service exposes a GraphQL Auth Admin API to manage auth-related resources, such as Open Payments grants.
Required
| Variable | Helm value name | Default | Description | 
|---|---|---|---|
| ADMIN_API_SECRET | undefined | undefined | Operator API secret used to sign Auth Admin API requests (HMAC SHA‑256). Set to a strong, random value. Synced to the operator tenant on startup. | 
| AUTH_DATABASE_URL | config.auth.databaseUrl.valueorconfig.auth.databaseUrl.secretKeyRef | postgresql://postgres:password@localhost:5432/auth_development | The URL of the Postgres database storing your Open Payments grant data. Can be provided as a value or secret reference. | 
| AUTH_SERVER_URL | config.auth.authServerUrl | undefined | The public endpoint for your Rafiki instance’s public Open Payments routes. | 
| COOKIE_KEY | config.auth.cookieKey.valueorconfig.auth.cookieKey.secretKeyRef | undefined | The koa KeyGrip key that is used to sign cookies for an interaction session. | 
| IDENTITY_SERVER_URL | config.auth.identityServer.domain | undefined | The URL of your IdP’s server, used by the authorization server to inform an Open Payments client of where to redirect the end-user to start interactions. | 
| IDENTITY_SERVER_SECRET | config.auth.identityServer.serverSecret.valueorconfig.auth.identityServer.serverSecret.secretKeyRef | undefined | A shared secret between the authorization server and the IdP server; the authorization server will use the secret to secure its IdP-related endpoints. When the IdP server sends requests to the authorization server, the IdP server must provide the secret via an x-idp-secretheader. | 
| OPERATOR_TENANT_ID | undefined | undefined | The unique identifier of the operator. Must be a UUID v4 generated by the operator. | 
| REDIS_URL | config.auth.redisUrl.valueorconfig.auth.redisUrl.secretKeyRef | redis://127.0.0.1:6379 | The connection URL for Redis. Can be provided as a value or secret reference. | 
Conditionally required
| Variable | Helm value name | Default | Description | 
|---|---|---|---|
| TRUST_PROXY | config.auth.trustProxy | false | Must be set to truewhen running Rafiki behind a proxy. Whentrue, theX-Forwarded-Protoheader is used to determine if connections are secure. | 
Optional
| Variable | Helm value name | Default | Description | 
|---|---|---|---|
| ACCESS_TOKEN_DELETION_DAYS | config.auth.accessToken.deletionDays | 30 | The days until expired and/or revoked access tokens are deleted. | 
| ACCESS_TOKEN_EXPIRY_SECONDS | config.auth.accessToken.expirySeconds | 600(10 minutes) | The expiry time, in seconds, for access tokens. | 
| ADMIN_API_SIGNATURE_VERSION | undefined | 1 | The version of the HMAC SHA-256 request-signing algorithm used by the Auth Admin API. | 
| ADMIN_API_SIGNATURE_TTL_SECONDS | undefined | 30 | The TTL, in seconds, for which an Auth Admin API request signature is valid. | 
| ADMIN_PORT | config.auth.port.admin | 3003 | The port of your Rafiki Auth Admin API server. | 
| AUTH_PORT | config.auth.port.auth | 3006 | The port of your Open Payments authorization server. | 
| DATABASE_CLEANUP_WORKERS | config.auth.workers.cleanup | 1 | The number of workers processing expired or revoked access tokens. | 
| ENABLE_MANUAL_MIGRATIONS | undefined | false | When true, you must run the auth Postgres database manually with the commandnpm run knex – migrate:latest –envproduction | 
| INCOMING_PAYMENT_INTERACTION | config.auth.interaction.incomingPayment | false | When true, incoming Open Payments grant requests are interactive | 
| INTERACTION_EXPIRY_SECONDS | undefined | 600(10 minutes) | The time, in seconds, for which a user can interact with a grant request before the request expires. | 
| INTERACTION_PORT | undefined | 3009 | The port number of your Open Payments interaction-related APIs. | 
| INTROSPECTION_PORT | config.auth.port.introspection | 3007 | The port of your Open Payments access token introspection server. | 
| INTERACTION_COOKIE_SAME_SITE | config.auth.interaction.cookieSameSite | undefined | The SameSite attribute for interaction cookies. Valid values: lax,none. | 
| LIST_ALL_ACCESS_INTERACTION | undefined | true | When true, grant requests that include alist-allaction will require interaction. In these requests, the client asks to list resources that it did not create. | 
| LOG_LEVEL | config.auth.logLevel | info | Pino log level | 
| NODE_ENV | config.auth.nodeEnv | development | The type of node environment: development,test, orproduction. | 
| QUOTE_INTERACTION | config.auth.interaction.quote | false | When true, quote grants are interactive. | 
| REDIS_TLS_CA_FILE_PATH | undefined | '' | Redis TLS config | 
| REDIS_TLS_CERT_FILE_PATH | undefined | '' | Redis TLS config | 
| REDIS_TLS_KEY_FILE_PATH | undefined | '' | Redis TLS config | 
| SERVICE_API_PORT | undefined | 3011 | The port to expose the internal service API for receiving tenant information changes. | 
| WAIT_SECONDS | config.auth.grant.waitSeconds | 5 | The wait time, in seconds, included in a grant request response ( grant.continue). | 
When a client makes a request to a resource server, the resource server communicates with the authorization server to:
- Check the validity of the client’s access token
- Determine whether the client is authorized to access protected resources
This process is called token introspection.
The token-introspection package is a client library for making GNAP token introspection requests to an authorization server. It describes how the Rafiki backend and auth services communicate to validate access tokens. If you’re using Rafiki’s auth service, there’s nothing you need to do with this package. Rafiki automatically runs the package internally. If you’re writing your own auth service, you may find the files within the package to be helpful.