Yet another auth service (yaas)
Objectives:
- Allow single sign-on to multiple registered applications
- Organization is the key feature
- Manage users within the organization
- Email and password login by default
- Allow OAuth2 login with Google, Facebook, GitHub, etc.
- Single sign-on flow (OAuth2 authorization code grant):
  - User visits an application
  - Application redirects to yaas
  - yaas lets the user log in
  - yaas redirects back to the application with an authorization code
  - Application exchanges the authorization code for an access token
  - Application uses the access token to access the user's information
  - Application stores the access token in a cookie (the cookie should be HttpOnly and Secure, so page scripts cannot read the token and it is never sent over plain HTTP)
  - Application lets the user in
- There must be a process where a super admin is created
- The application should not be accessible until the super admin is created
- Rust backend
- REST
User:
- id
- name
- status
- created_at
- updated_at
- deleted_at
Password:
- id
- password (the stored value must be a salted password hash such as argon2id, never the plaintext)
- created_at
- updated_at
Org:
- id
- name
- status
- owner_id
- created_at
- updated_at
- deleted_at
OrgMember:
- id
- org_id
- user_id
- roles
- status
- created_at
- updated_at
App:
- id
- name
- secret
- redirect_uri
- created_at
- updated_at
- deleted_at
OrgApp:
- id
- org_id
- app_id
- created_at
OauthCode:
- id
- code
- state
- redirect_uri
- scope
- app_id
- org_id
- user_id
- created_at
- expires_at
Roles:
- SuperAdmin
- OrgAdmin
- OrgMember
Permissions:
- SuperAdmin
  - User management
  - App management
  - Org management
  - Org member management
  - Org app management
- OrgAdmin
  - Own org management
  - Own org member management
  - Own org app management
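The point of the split above is scoping: an OrgAdmin may manage only the org in which OrgMember.roles grants that role, while user and app management stay with the SuperAdmin. The check below is an added example written for this page, not yaas code. It assumes the super admin is a flag on the user (the User model lists no roles field) and that org_id always comes from the route, /orgs/{org_id}/..., so a caller cannot pick a target org in the request body; the Org owner_id field is not considered here.

```rust
use std::collections::HashMap;

// Roles from the list above. SuperAdmin is global; the other two live in OrgMember.roles.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role { SuperAdmin, OrgAdmin, OrgMember }

// Management actions from the permission list. The first two have no org target.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Action { ManageUsers, ManageApps, ManageOrg, ManageOrgMembers, ManageOrgApps }

// What a request handler knows about the caller after authentication.
// `super_admin` is an assumed user-level flag; `org_roles` is OrgMember.roles keyed by org_id.
pub struct Principal {
    pub user_id: String,
    pub super_admin: bool,
    pub org_roles: HashMap<String, Vec<Role>>,
}

// Deny by default. `org_id` is the {org_id} path segment, None for global routes.
pub fn is_allowed(p: &Principal, action: Action, org_id: Option<&str>) -> bool {
    if p.super_admin {
        return true; // SuperAdmin: every action, every org
    }
    match (action, org_id) {
        // Global user/app management is SuperAdmin only, whatever orgs the caller administers.
        (Action::ManageUsers | Action::ManageApps, _) => false,
        // Org-scoped actions need the OrgAdmin role in exactly that org ("own org").
        (_, Some(org)) => p
            .org_roles
            .get(org)
            .map_or(false, |roles| roles.contains(&Role::OrgAdmin)),
        // An org-scoped action without an org target is a routing bug; refuse it.
        (_, None) => false,
    }
}
```

The two cases worth a regression test are the ones that produce cross-tenant bugs in practice: an OrgAdmin of one org acting on another org's id, and an OrgAdmin reaching the global /users or /apps routes.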
OAuth Flow:
- GET /oauth/authorize
  - Query parameters: { client_id, redirect_uri, scope, state }
  - If not logged in, redirect to the login page first, then back to this endpoint
  - Validate client_id and redirect_uri before anything else: redirect_uri must match the App's registered redirect_uri exactly. If either is invalid, answer with an error page directly and do not redirect, otherwise the endpoint is an open redirect
  - If there are other validation errors, redirect to redirect_uri with error parameters: { error, error_description, state }
  - On success, redirect to redirect_uri with parameters: { code, state }. The code is single-use and expires at OauthCode.expires_at
- POST /oauth/token
  - Post payload: { client_id, client_secret, code, state, redirect_uri }
  - Verify client_secret, check that the code was issued to client_id, has not expired and was issued for the same redirect_uri, and delete the code as soon as it is presented
  - Response: { access_token, scope, token_type }
Setup Endpoints:
- GET /setup
- POST /setup
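The two setup objectives (a super admin must be created, nothing else is reachable until then) have a failure mode worth designing out: if POST /setup can run a second time, anyone who reaches it later creates a super admin. The gate below is an added example for this page, not yaas code. It keeps the initialized state in memory behind a Mutex (standing in for "a super admin row exists", which a real service would check and write inside one database transaction), lets only /setup and the health probes through before setup, and closes /setup permanently after the first success. The 12-character minimum is an assumed policy.

```rust
use std::sync::Mutex;

#[derive(Debug, PartialEq)]
pub enum SetupError { AlreadyInitialized, WeakPassword }

#[derive(Debug, PartialEq)]
pub enum Gate { Open, RedirectToSetup }

// Stands in for the persisted "does a super admin exist" fact.
pub struct SetupState { super_admin: Mutex<Option<String>> }

impl SetupState {
    pub fn new() -> Self { Self { super_admin: Mutex::new(None) } }

    pub fn initialized(&self) -> bool { self.super_admin.lock().unwrap().is_some() }

    // Middleware decision for every request: until setup has run, only /setup and
    // the health probes are reachable; everything else is sent to /setup.
    pub fn gate(&self, path: &str) -> Gate {
        if self.initialized() || path == "/setup" || path.starts_with("/health/") {
            Gate::Open
        } else {
            Gate::RedirectToSetup
        }
    }

    // POST /setup. The existence check and the write happen under one lock, so two
    // concurrent requests cannot both create a super admin, and once one exists the
    // endpoint refuses rather than overwriting.
    pub fn create_super_admin(&self, name: &str, password: &str) -> Result<(), SetupError> {
        if password.chars().count() < 12 {
            return Err(SetupError::WeakPassword); // assumed minimum length
        }
        let mut slot = self.super_admin.lock().unwrap();
        if slot.is_some() {
            return Err(SetupError::AlreadyInitialized);
        }
        // A real implementation stores a password hash in Password.password, never the plaintext.
        *slot = Some(name.to_string());
        Ok(())
    }
}
```

GET /setup should follow the same rule as the gate in reverse: once initialized it returns 404 or redirects to the login page, so the setup form is not discoverable on a running instance.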
Auth Endpoints (for users):
- POST /auth/authorize
OAuth Endpoints (for apps):
- POST /oauth/authorize
  - User must be authorized first
  - Post payload: { client_id, redirect_uri, scope, state }
  - Response: { code, state }
- POST /oauth/token
  - Post payload: { client_id, client_secret, code, redirect_uri }
  - Response: { access_token, scope, token_type }
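The authorization code exchange is described twice on this page, once as the sign-on flow in the objectives and once as the /oauth/authorize and /oauth/token endpoints. The following is an added example of both halves, written for this page and not taken from yaas. It uses the App and OauthCode fields from the model, keeps everything in memory, and takes the clock and the random bytes as parameters so expiry and replay can be tested; `os_entropy` (reading /dev/urandom) is an assumed stand-in for a proper CSPRNG, the client secret is compared in plaintext for brevity, and the access token is an opaque random string mapped back to the user id, which is what "the application uses the access token to access the user's information" needs.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

// Registered application: the App model fields the flow needs.
#[derive(Clone)]
pub struct App { pub id: String, pub secret: String, pub redirect_uri: String }

// Stored authorization code: the OauthCode model minus state and org_id.
pub struct StoredCode { app_id: String, user_id: String, redirect_uri: String, scope: String, expires_at: u64 }

#[derive(Debug, PartialEq)]
pub enum OauthError { InvalidClient, InvalidGrant }

#[derive(Debug, PartialEq)]
pub struct TokenResponse { pub access_token: String, pub token_type: &'static str, pub scope: String }

// What GET /oauth/authorize answers. A bad client_id or redirect_uri is answered in place
// (RFC 6749 section 4.1.2.1); the browser is only ever redirected to a registered URI.
#[derive(Debug, PartialEq)]
pub enum AuthorizeOutcome { Redirect(String), BadRequest(&'static str) }

pub struct AuthServer {
    apps: HashMap<String, App>,
    codes: HashMap<String, StoredCode>,   // code -> OauthCode
    tokens: HashMap<String, String>,      // access_token -> user_id
    code_ttl_secs: u64,
}

// Assumed entropy source: 32 bytes from /dev/urandom (Unix only; use a CSPRNG crate in a real service).
pub fn os_entropy() -> std::io::Result<[u8; 32]> {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf)
}

fn hex(bytes: &[u8]) -> String { bytes.iter().map(|b| format!("{:02x}", b)).collect() }

// Secret comparison with no early exit on the first differing byte (length is still visible).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

// Percent-encode a query value; unreserved characters pass through unchanged.
fn pct(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

impl AuthServer {
    pub fn new(apps: Vec<App>, code_ttl_secs: u64) -> Self {
        let apps = apps.into_iter().map(|a| (a.id.clone(), a)).collect();
        Self { apps, codes: HashMap::new(), tokens: HashMap::new(), code_ttl_secs }
    }

    // GET /oauth/authorize. `user` is the logged-in user id, None without a session; `now` is Unix seconds.
    pub fn authorize(&mut self, client_id: &str, redirect_uri: &str, scope: &str, state: &str,
                     user: Option<&str>, entropy: [u8; 32], now: u64) -> AuthorizeOutcome {
        let app = match self.apps.get(client_id) {
            Some(a) => a,
            None => return AuthorizeOutcome::BadRequest("unknown client_id"),
        };
        // Exact match against the registered URI, checked before any redirect is built.
        if app.redirect_uri != redirect_uri {
            return AuthorizeOutcome::BadRequest("redirect_uri does not match registration");
        }
        let user_id = match user {
            Some(u) => u,
            None => { // not logged in: login page first, then back to this endpoint
                let next = format!("/oauth/authorize?client_id={}&redirect_uri={}&scope={}&state={}",
                                   pct(client_id), pct(redirect_uri), pct(scope), pct(state));
                return AuthorizeOutcome::Redirect(format!("/login?next={}", pct(&next)));
            }
        };
        let code = hex(&entropy);
        self.codes.insert(code.clone(), StoredCode {
            app_id: client_id.to_string(), user_id: user_id.to_string(), redirect_uri: redirect_uri.to_string(),
            scope: scope.to_string(), expires_at: now + self.code_ttl_secs,
        });
        AuthorizeOutcome::Redirect(format!("{}?code={}&state={}", redirect_uri, code, pct(state)))
    }

    // POST /oauth/token. The code is removed on first presentation whatever the outcome,
    // so a leaked or replayed code cannot be exchanged a second time.
    pub fn token(&mut self, client_id: &str, client_secret: &str, code: &str, redirect_uri: &str,
                 token_entropy: [u8; 32], now: u64) -> Result<TokenResponse, OauthError> {
        let app = self.apps.get(client_id).ok_or(OauthError::InvalidClient)?;
        if !ct_eq(app.secret.as_bytes(), client_secret.as_bytes()) {
            return Err(OauthError::InvalidClient);
        }
        let stored = self.codes.remove(code).ok_or(OauthError::InvalidGrant)?;
        if stored.app_id != client_id || stored.redirect_uri != redirect_uri || now >= stored.expires_at {
            return Err(OauthError::InvalidGrant);
        }
        let access_token = hex(&token_entropy);
        self.tokens.insert(access_token.clone(), stored.user_id);
        Ok(TokenResponse { access_token, token_type: "Bearer", scope: stored.scope })
    }

    // What a resource endpoint does with the bearer token: resolve it to the user.
    pub fn user_for_token(&self, access_token: &str) -> Option<&str> {
        self.tokens.get(access_token).map(String::as_str)
    }
}
```

Two details matter more than they look: the client secret is checked before the code is consumed, so a third party who only holds a stolen code cannot burn it, and the stored redirect_uri is compared again at the token endpoint, which is what stops a code minted for one redirect target from being cashed in with another.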
Health Endpoints:
- GET /health/live
  - Returns 200 when the process is alive
  - Response: { "status": "UP" }
- GET /health/ready
  - Returns 200 when all readiness checks pass, otherwise 503
  - Response: { "status": "UP|DOWN", "message": "...", "checks": { "database": "UP|DOWN" } }
  - Keep message to the name of the failing check; the endpoint is unauthenticated, so it must not echo driver errors or connection details
Kubernetes probe example:
  livenessProbe:
    httpGet:
      path: /health/live
      port: 8080
    initialDelaySeconds: 5
    periodSeconds: 10
  readinessProbe:
    httpGet:
      path: /health/ready
      port: 8080
    initialDelaySeconds: 5
    periodSeconds: 10
User Endpoints:
- GET /user
- GET /user/authz
- POST /user/change-password
- PUT /user/auth-context
Users Endpoints:
- GET /users
- POST /users
- GET /users/{user_id}
- PATCH /users/{user_id}
- PUT /users/{user_id}/password
- DELETE /users/{user_id}
Apps Endpoints:
- GET /apps
- POST /apps
- GET /apps/{app_id}
- PATCH /apps/{app_id}
- DELETE /apps/{app_id}
Orgs Endpoints:
- GET /orgs
- POST /orgs
- GET /orgs/{org_id}
- PATCH /orgs/{org_id}
- DELETE /orgs/{org_id}
Org Members Endpoints:
- GET /orgs/{org_id}/members
- POST /orgs/{org_id}/members
- GET /orgs/{org_id}/members/{user_id}
- PATCH /orgs/{org_id}/members/{user_id}
- DELETE /orgs/{org_id}/members/{user_id}
- GET /orgs/{org_id}/member-suggestions
Org Apps Endpoints:
- GET /orgs/{org_id}/apps
- POST /orgs/{org_id}/apps
- GET /orgs/{org_id}/apps/{app_id}
- DELETE /orgs/{org_id}/apps/{app_id}
- GET /orgs/{org_id}/app-suggestions
2026-03-31 Objectives:
- Merge API and Website app into one app
- Migrate smoke tests to bin runner