Authentication of end-users through end-user applications to the Mosaic platform is handled by the User service. This service relies on the industry-standard OAuth 2.0 protocol for authentication and authorization, and it can be configured to work with any OAuth 2.0 compatible Identity Provider.
This document gives an overview of the User service and the terminology related to it.
An end-user application is a software client that runs on the Web, on Mobile or even on TV, allowing a user to browse and consume artifacts published through or stored in the management system. This could be a catalog of movies from which the user chooses one to stream, various subscription plans and billing details, or user-specific data such as their favourite movie list.
For the user to consume these artifacts, the end-user application must know the user’s identity, so that it can make requests to the management system and make these artifacts specific to that user available.
For example, the management system might have published a catalog of movies, and the user is entitled to watch a subset of those movies according to the subscription plan they have purchased. For the management system services to determine which movies a specific user is entitled to stream, they need to know the identity of that user.
The end-user authentication flows serve this purpose: they determine the identity of the user who is using an end-user application. The Mosaic User Service allows end-users to sign in with any Identity Provider that is compatible with either the OpenID Connect or the OAuth 2.0 protocol. Together with the AxAuth Service, it also provides the functionality to maintain a standalone user store for the given end-user application.
The following section describes the terminology related to the User service. These terms are used throughout our documentation, including the how-to guides.
This is the end user who signs in to an application and consumes the artifacts produced by the Mosaic management system (e.g. Movie Catalog, Subscription Plans).
A piece of software, either a web or a native client, that gives end-users an interface to consume the artifacts produced by the management system. These applications are defined in the User service configuration in the Environment Administration portal.
Identity Provider (IDP)
An IDP Connection is an IDP configured for use within the User service, with specific information such as the Client ID, Client Secret, Authorization Endpoint URL, Token Endpoint URL, etc. A configured IDP Connection can be connected to an Application.
A Managed IDP is an ID provider whose basic configuration is supported out of the box by the User service. When setting up an IDP Connection for a Managed IDP, administrators only need to define the Client ID and Client Secret properties. All endpoint URLs are pre-defined, and retrieval of user information from the IDP is supported by the framework itself.
A Custom IDP is an ID provider that is not supported as a Managed IDP. Any ID Provider that supports the OAuth 2.0 Authorization Code Flow with PKCE can be configured to work with User service as a Custom IDP. This feature is also called "Bring Your Own IDP". Additional configuration is required for IDP Connections using Custom IDPs.
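The Custom IDP requirement above is the OAuth 2.0 Authorization Code Flow with PKCE (RFC 7636). The following is an added example, not code from the Mosaic User service, showing how a client derives the PKCE verifier and S256 challenge from the IDP Connection values (Client ID, Authorization Endpoint URL, Token Endpoint URL) and how the IDP's token endpoint checks them; the connection values and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed IDP Connection values for illustration; not real endpoints.
IDP_CONNECTION = {
    "client_id": "example-client-id",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
}
REDIRECT_URI = "https://app.example.com/callback"  # constructed placeholder


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters (RFC 7636 minimum).
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    # challenge = BASE64URL(SHA256(ASCII(verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(conn: dict, verifier: str, state: str) -> str:
    # Step 1: browser is sent to the IDP's Authorization Endpoint with the challenge.
    params = {
        "response_type": "code",
        "client_id": conn["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return conn["authorization_endpoint"] + "?" + urlencode(params)


def idp_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # Step 2 (IDP side): the Token Endpoint recomputes the challenge from the
    # verifier sent with the code and compares in constant time.
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```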