Auth Service

The Auth service is the core security module of the Platon platform. This service is responsible for authenticating users, verifying their identity, and managing authorization levels. It integrates with all other modules and provides a unified security layer across the platform.

The Auth service performs the following key responsibilities:

User authentication
Login and logout flow management
Access and Refresh token generation
Authorization management using roles and permissions
Support for multiple authentication methods (email, phone, OAuth, etc.)
Enforcement of security policies and token expiration rules

This section provides a complete overview of the Auth service architecture, configuration, endpoints, and integration flows.

The Auth service ensures secure user access to the system. The platform supports multiple authentication methods, each with its own parameters and security requirements.

1. Email + Password

Description: Traditional login method.
Required parameters:
- email (string) — user email address
- password (string) — user password
Response: Access token (JWT), Refresh token
Authorization: Access to endpoints is determined by the user’s roles and permissions

2. Phone Number + OTP

Description: Login using a phone number and a one-time password (OTP).
Required parameters:
- phone (string) — user phone number
- otp (string) — one-time verification code
Response: Access token, Refresh token
Additional: Two-factor authentication (2FA) is supported

3. OAuth2

Supported Providers

Google — Login via Google account
Facebook — Login via Facebook account
OneId — Login via Uzbekistan Unified Identification System
AppleOauth2 — Login via iCloud / Apple ID
KeyCloak — Login via Keycloak account
Linkedin — Login via LinkedIn account
FaceId — Login via facial recognition

Description

Authentication via external OAuth2 providers.

Required parameters

method — OAuth provider name (e.g., Google, Facebook)
client_id
client_secret
code
redirect_uri
Other provider-specific parameters
(Optional) otp — for 2FA verification

Response

Access token
Refresh token

Authorization

Determined by platform-specific roles and permissions.

4. Digital Signature (E-signature / RS-signature)

Description: User authentication via electronic digital signature
Required parameters:
- pkcs7 (string) — digital signature payload
- (Optional) otp — 2FA verification code
Response: Access token or authenticated session
Additional: Mobile login and timestamp validation are supported

5. Session Renewal via Refresh Token

Description: Generates a new Access token using a previously issued Refresh token
Required parameters:
- refreshToken (string)
Response: New Access token
Authorization: Based on the user’s current roles and permissions

6. Special Access (Admin, Internal, Multi-factor)

Special login scenarios are available based on user roles and permissions:

Admin or operator authentication
Session termination and invalidation
JWT configuration updates (restricted to authorized users only)

🔑 Additional Security Principles

Passwords are stored in encrypted/hashed form (e.g., Pbkdf2Sha256Hasher or MD5)
Two-factor authentication (2FA) using OTP is supported
Tokens (JWT) are time-limited and expire automatically
Roles and permissions are validated for every authentication method

This section provides a comprehensive overview of all authentication methods available in the Auth service, including required parameters and applied security policies.

Auth Service ​

Authentication Methods (Login Methods) ​

1. Email + Password ​

2. Phone Number + OTP ​

3. OAuth2 ​

Supported Providers ​

Description ​

Required parameters ​

Response ​

Authorization ​

4. Digital Signature (E-signature / RS-signature) ​

5. Session Renewal via Refresh Token ​

6. Special Access (Admin, Internal, Multi-factor) ​

🔑 Additional Security Principles ​