Token issuing
Account token, branch token, refresh token and JWKS of the Go Identity Service.
Token roles
Identity issues three token roles:
| Token | Scope | Used for |
|---|---|---|
| accountAccessToken | account-scoped token | select/switch branch |
| accessToken | branch-scoped token | business APIs after a branch has been selected |
| refreshToken | refresh token | refresh session/token |
refreshToken is also set as an HttpOnly cookie when applicable.
Login single branch
POST /api/auth/login
→ accessToken
→ refreshToken
→ nextAction.type = load_current_context
When the customer has only one active branch, Identity applies the branch scope to auth_session and issues a branch-scoped accessToken.
Login multi branch
POST /api/auth/login
→ accountAccessToken
→ refreshToken
→ branches[]
→ nextAction.type = select_branch
The frontend displays the branch selection and calls POST /api/auth/select-branch.
Select branch
accountAccessToken
→ POST /api/auth/select-branch
→ accessToken
→ nextAction.type = load_current_context
Identity validates the account token, checks that the branch is selectable, and updates auth_session with:
- workspace_id
- member_id
- active_branch_id
Identity then issues a branch-scoped accessToken.
Claims confirmed from code
Common access claims:
- account_id
- account_type
- session_id
- typ
- token_type
- token_scope
Branch access claims:
- workspace_id
- tenant_id
- member_id
- active_branch_id
- branch_ids
- roles
Refresh token claims:
- account_id
- session_id
- token_type
Standard JWT fields used:
- sub
- iss
- iat
- exp
- jti
Confirmed token values:
| Token kind | token_type | token_scope |
|---|---|---|
| account token | account | ACCOUNT |
| branch token | workspace | BRANCH |
| system token | system | SYSTEM |
| refresh token | refresh | not used as an access scope |
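The confirmed token_type/token_scope matrix and the select-branch context above are what a gateway or business API should enforce before trusting a token. The following Go check is an added example, not Identity Service code: it assumes the JWKS signature and the standard fields (iss, exp, ...) have already been verified, and it fails closed for a system token outside a SYSTEM-scoped endpoint because that compatibility matrix is still open.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims holds the confirmed Identity claim names; JWKS signature and standard fields are assumed verified first.
type Claims struct {
	TokenType      string `json:"token_type"`
	TokenScope     string `json:"token_scope"`
	AccountID      string `json:"account_id"`
	SessionID      string `json:"session_id"`
	WorkspaceID    string `json:"workspace_id"`
	MemberID       string `json:"member_id"`
	ActiveBranchID string `json:"active_branch_id"`
}

// scopeFor is the confirmed token_type -> token_scope matrix; "refresh" is omitted because it is never an access token.
var scopeFor = map[string]string{"account": "ACCOUNT", "workspace": "BRANCH", "system": "SYSTEM"}

// AuthorizeScope checks a decoded JWT payload against the scope an endpoint requires
// ("ACCOUNT" for select-branch, "BRANCH" for business APIs, "SYSTEM" for system callers).
func AuthorizeScope(payload []byte, required string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	// Rejects refresh/unknown kinds and any type/scope pair outside the matrix.
	if want, ok := scopeFor[c.TokenType]; !ok || c.TokenScope != want {
		return c, fmt.Errorf("token_type %q with token_scope %q is not a valid access token", c.TokenType, c.TokenScope)
	}
	if c.AccountID == "" || c.SessionID == "" {
		return c, fmt.Errorf("missing common access claims account_id/session_id")
	}
	if c.TokenScope != required {
		return c, fmt.Errorf("endpoint requires %s scope, token has %s", required, c.TokenScope)
	}
	// A branch token must carry the context that select-branch wrote into auth_session.
	if required == "BRANCH" && (c.WorkspaceID == "" || c.MemberID == "" || c.ActiveBranchID == "") {
		return c, fmt.Errorf("branch token missing workspace_id/member_id/active_branch_id")
	}
	return c, nil
}

func main() {
	// Constructed sample payload (a decoded JWT body), not a real token: an account token hitting a business API.
	_, err := AuthorizeScope([]byte(`{"token_type":"account","token_scope":"ACCOUNT","account_id":"acc-1","session_id":"s-1"}`), "BRANCH")
	fmt.Println(err) // endpoint requires BRANCH scope, token has ACCOUNT
}
```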
JWKS
Identity publishes its public keys at:
GET /.well-known/jwks.json
The gateway uses:
http://centeros-identity-service:8081/.well-known/jwks.json
Identity signs tokens with an RSA key configured from env vars. Do not write private key or public key values into the docs.
TODO
- Not yet closed: system token compatibility matrix outside the auth checkpoint.