
4.1. Authentication

Rafał Lorenz edited this page Jun 11, 2020 · 2 revisions

This application uses an OAuth 2.0 server to authenticate users. Each service should use the Password Credentials Grant whenever it needs a new access token.

The Password grant type is used by first-party clients to exchange a user's credentials for an access token. Since this involves the client asking the user for their password, it should not be used by third-party clients.

Other grant types are disabled for now. For more information on how to configure the OAuth 2.0 server, see go-oauth2/oauth2.

To refresh tokens, clients should call the authentication server's HTTP endpoints directly. The user service calls the auth service only when a user requests an access token or registers with social media.
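The exchange described above, as an added Go example (it is not the project's own code and does not exercise go-oauth2/oauth2): a first-party service posts the user's credentials to the auth server's token endpoint with the password grant and parses the token response. The token URL, the client id `user-service`, the client secret, the user and the `FakeTokenEndpoint` handler are all constructed for this example; only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse mirrors the OAuth 2.0 token response (RFC 6749 section 5.1).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// PasswordGrant exchanges a user's credentials for an access token at the
// auth server's token endpoint, as a first-party client would.
// tokenURL, clientID and clientSecret are assumptions for this example.
func PasswordGrant(client *http.Client, tokenURL, clientID, clientSecret, username, password string) (*TokenResponse, error) {
	form := url.Values{}
	form.Set("grant_type", "password")
	form.Set("username", username)
	form.Set("password", password)

	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	// Client credentials travel in the Authorization header rather than the
	// form body, so they are not mixed into the same field set as the password.
	req.SetBasicAuth(clientID, clientSecret)

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" || tr.TokenType == "" {
		return nil, fmt.Errorf("token endpoint returned an incomplete token response")
	}
	return &tr, nil
}

// FakeTokenEndpoint is a constructed stand-in for the auth server's token
// endpoint so the exchange can be exercised offline. It accepts only the
// password grant, one hard-coded client and one hard-coded user.
func FakeTokenEndpoint(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	if !ok || id != "user-service" || secret != "client-secret-example" {
		w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "password" {
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	if r.PostForm.Get("username") != "alice" || r.PostForm.Get("password") != "correct horse" {
		http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(TokenResponse{
		AccessToken: "constructed-access-token", TokenType: "Bearer",
		ExpiresIn: 3600, RefreshToken: "constructed-refresh-token",
	})
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(FakeTokenEndpoint))
	defer srv.Close()
	tok, err := PasswordGrant(srv.Client(), srv.URL+"/oauth2/token",
		"user-service", "client-secret-example", "alice", "correct horse")
	if err != nil {
		fmt.Println("exchange failed:", err)
		return
	}
	fmt.Printf("got %s token, expires in %ds\n", tok.TokenType, tok.ExpiresIn)
}
```

The client checks the HTTP status and that the response actually carries an access token before trusting it; a token endpoint that answers 200 with an error body is a common integration mistake that otherwise goes unnoticed.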

Token verification can be done in two ways:

  • asking the auth service whether the token is valid, which is the correct way
  • verifying the token locally using the authenticator (this works because both services use the same secret)

Ideally this should be changed so that the auth service is called for verification, using TokenAuthOauthHandler instead of TokenAuthSecretHandler.
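Both verification paths side by side, as an added Go example that is not the project's TokenAuthSecretHandler or TokenAuthOauthHandler: `SecretVerifier` checks the token locally with the shared secret, `RemoteVerifier` asks the auth service. The page does not say what token format the authenticator checks, so an HS256 JWT is assumed; the `SignHS256` minting helper, the secret value, and the introspection endpoint shape (a form POST answered with `{"active":...,"sub":...}`, modelled on RFC 7662) are all constructed for this example. Only the standard library is used.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Verifier is the contract both approaches satisfy: subject of the token, or an error.
type Verifier interface {
	Verify(token string) (subject string, err error)
}

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

type introspection struct { // constructed answer shape of the auth-service endpoint
	Active bool   `json:"active"`
	Sub    string `json:"sub,omitempty"`
}

// SignHS256 mints an HS256 JWT with the shared secret. Constructed here so the
// example has tokens to check; it stands in for what the auth service issues.
func SignHS256(secret []byte, c claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// SecretVerifier checks the token locally with the secret both services share.
// Cheap and offline, but every holder of the secret can also mint tokens, and a
// token revoked at the auth service stays valid here until it expires.
type SecretVerifier struct{ Secret []byte }

func (v SecretVerifier) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm: the token's own header must never choose how it is checked.
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return "", errors.New("unexpected or missing alg")
	}
	mac := hmac.New(sha256.New, v.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("invalid signature")
	}
	var c claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired or has no exp")
	}
	return c.Sub, nil
}

// RemoteVerifier asks the auth service instead, so revocation takes effect at
// once and the secret never has to leave the auth service.
type RemoteVerifier struct {
	Client        *http.Client
	IntrospectURL string
}

func (v RemoteVerifier) Verify(token string) (string, error) {
	resp, err := v.Client.PostForm(v.IntrospectURL, url.Values{"token": {token}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var r introspection
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&r) != nil || !r.Active {
		return "", errors.New("auth service did not confirm the token")
	}
	return r.Sub, nil
}

// IntrospectionHandler is a constructed auth-service endpoint backed by any
// Verifier, so RemoteVerifier can be exercised against it offline.
func IntrospectionHandler(v Verifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sub, err := v.Verify(r.FormValue("token"))
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(introspection{Active: err == nil, Sub: sub})
	}
}
```

The local path rejects any token whose header names an algorithm other than the expected one, checks the signature with a constant-time compare, and refuses tokens without an expiry; even so, it cannot see revocations, which is why the remote path is the one the page calls correct. Running both behind the same `Verifier` interface makes the switch from the secret-based handler to the auth-service call a configuration change rather than a rewrite.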
