Unified Authentication Architecture
This page describes the target-state architecture of the unified authentication center, not the current implementation details of one specific consumer.
For the current runtime behavior, see:
This page describes the overall architecture of the unified authentication center rather than the local integration details of one single consumer application.
Here, the unified authentication center refers to the combination of:
geelato-auth-server: the backend authentication core and unified token issuergl-admin-sso: the authentication facade for platform-internal sitesgl-lite-sso: the lightweight embedded authentication facade for third-party applicationsgeelato-web-quickstart: the platform backend host that can embed unified authentication capabilities- platform sites such as
gl-admin-arco-rt-stdandgl-admin-arco-dt-std - third-party applications such as
freight-portal
This document answers four questions:
- what the overall boundary of the unified authentication center is
- how platform applications and third-party applications integrate differently
- how the unified token flows across systems
- how merged deployment and independent deployment can both be supported later
Overall Design Conclusion
Core Positioning
auth-serveris the backend core of the unified authentication centerauth-serveris the only issuer of the shared token used by all applicationsgl-admin-ssois the authentication frontend facade for platform sitesgl-lite-ssois the lightweight authentication frontend facade for third-party applications- platform applications and third-party applications no longer maintain separate primary token systems
Two Integration Targets
The unified authentication center serves two kinds of applications:
- platform-internal applications such as
rtanddt - third-party applications such as
freight-portal
The difference is not the authentication center itself, but the frontend facade used for integration:
- platform applications connect through
gl-admin-sso - third-party applications connect through
gl-lite-sso
Both types finally return to the same auth-server authentication and token model.
Deployment Conclusion (Target State)
The target-state deployment model is:
- in the short term, merged deployment is acceptable
- in the long term, independent deployment must be supported for
admin-sso,lite-sso,rt,dt, andauth-server
This section is target-state only. The current merged-deployment status and what is actually deployed in
geelato-web-quickstarttoday are described in Runtime / Designer Deployment and Dependencies.
Regardless of the deployment topology, the authentication model remains unchanged:
- there is only one source of truth for backend authentication
- there is only one unified token model
Overall Architecture
Frontend Entry Layer
- platform sites:
gl-admin-arco-rt-std,gl-admin-arco-dt-std - platform authentication facade:
gl-admin-sso - third-party authentication facade:
gl-lite-sso - third-party applications such as
freight-portal
Unified Authentication Backend Layer
- backend host:
geelato-web-quickstart - authentication core:
geelato-auth-server
Runtime Dependencies
- site configuration:
.config - database: authentication and platform databases
- Redis: authentication state, cache, and runtime coordination
Logical Relationships
- platform sites integrate with unified authentication through
gl-admin-sso - third-party applications integrate with unified authentication through
gl-lite-sso - both
gl-admin-ssoandgl-lite-ssoeventually callauth-server - both platform backends and third-party backends directly consume the unified token issued by
auth-server
Module Boundaries
Unified Authentication Center
auth-server: owns authentication protocols, login verification, unified token issuance, and unified user identityadmin-sso: the platform login facade, not the source of truth for authenticationlite-sso: the third-party lightweight login facade, not the source of truth for authentication
Platform Applications
rtdt- the
quickstartbackend host
Third-Party Applications
freight-portal- other external sites
Boundary Notes
- platform and third-party applications are consumers of the authentication center and should no longer define their own primary token
freight-portalis only an example consumer, not part of the authentication-center core itself- frontend facades may change, but the unified token model must stay stable
Unified Token Model
Unified Principle
- the primary credential returned after login is always the
access_tokenissued byauth-server - all applications use this token as the unified login credential
- business backends trust and consume this token directly
Meaning of the Unified Token
This means:
admin-ssodoes not mint its own tokenlite-ssodoes not mint its own token- platform sites do not mint their own primary token
- third-party applications do not mint their own primary token
The whole system has only one primary authentication credential model.
Platform Application Sequence
Platform applications refer to platform sites such as rt and dt.
Platform Main Sequence
- the user opens a platform site
- the platform site reads runtime configuration and authentication mode
- the platform site redirects to or embeds
gl-admin-sso - the user completes login in
gl-admin-sso gl-admin-ssocallsauth-serverfor authenticationauth-serverissues the unified token- the platform site receives the unified token
- the platform backend builds its business user context from that token
- the frontend enters the platform home page
Platform Chain Roles
- platform site: receives login state and handles page transitions
gl-admin-sso: handles platform login interactionauth-server: handles authentication and token issuance- platform backend: builds the business user context from the token
Third-Party Application Sequence
Third-party applications refer to freight-portal or other external business sites.
Third-Party Main Sequence
- the user opens the third-party application
- the third-party application loads
gl-lite-ssothrough iframe, popup, or page redirect - the user completes login in
gl-lite-sso gl-lite-ssocallsauth-serverfor authenticationauth-serverreturns the unifiedaccess_tokengl-lite-ssosendsLOGIN_SUCCESSback throughpostMessage- the third-party frontend passes the Bearer token to its own backend
- the third-party backend validates the token with
auth-serverand resolves the unified identity - the third-party application builds its own business user context
Third-Party Chain Roles
- third-party frontend: embeds the login facade, receives the token, and forwards it to its own backend
gl-lite-sso: handles lightweight login interactionauth-server: handles authentication and token issuance- third-party backend: handles token validation and identity mapping
Two Primary Chains
Platform Primary Chain
- platform site
gl-admin-ssoauth-server- platform backend
Typical scenarios:
- platform-internal applications
- platform administration sites
- applications deeply coupled with platform site configuration
Third-Party Primary Chain
- third-party application
gl-lite-ssoauth-server- third-party backend
Typical scenarios:
- lightweight integration
- iframe or popup integration
- external applications that do not want to adopt the full platform login-page system
Merged Deployment and Independent Deployment
Merged Deployment
In merged deployment, a practical arrangement is:
- host
admin-ssoandlite-ssoinside one host site - converge backend capabilities into
geelato-web-quickstart - host
auth-servercapabilities in an embedded or same-service mode
Notes:
- this is only deployment merging, not authentication-model merging
- merged deployment changes topology only, not the source of truth of the unified token
Independent Deployment
In independent deployment, the following parts can be split out:
rtdtadmin-ssolite-ssoauth-server
Notes:
- splitting changes deployment relationships only, not the unified token model
- the redirect contract and message contract of frontend facades must remain stable
Key Constraints
admin-sso
admin-ssois a platform authentication facade- it is currently hosted inside
auth-server/templatesas one same-origin template mode, which is a deployment choice, not a permanent architecture rule - the target-state direction is to evolve it into a standalone frontend deployment as long as the login entry and redirect contract stay stable
lite-sso
lite-ssomust remain a lightweight facade and must not evolve into a second authentication center- there must be an explicit
postMessageprotocol and origin allowlist betweenlite-ssoand third-party applications
Business Backends
- business backends must directly trust and validate the unified token
- business backends should not issue a new primary token again
Recommended Unified Message Contract
In embeddable scenarios, it is recommended that both lite-sso and admin-sso use a unified success message shape:
{
"type": "LOGIN_SUCCESS",
"data": {
"accessToken": "xxxx",
"refreshToken": "xxxx",
"expireInSeconds": 7200,
"tokenType": "Bearer",
"issuer": "auth-server"
}
}
Recommended principles:
- keep token as the center of the message contract
- a
userfield may exist as auxiliary data, but it is not the final trusted object - business sites should always trust the backend-confirmed user result
Security and Governance Requirements
Frontend Facades
- both
admin-ssoandlite-ssomust enforce explicit origin control - production environments must not use permissive
postMessagewildcard* - login success callbacks must use a strict
targetOrigin
Backend Requirements
- all business backends must use the unified token as the authentication entry
- token expiration, revocation, or invalidation must consistently result in unauthenticated responses
- business backends should provide a current-user endpoint for frontend initialization
Configuration Requirements
- platform sites choose between
admin-ssoand local mode through runtime configuration - third-party applications configure the
lite-ssoaddress, trusted origin, and callback strategy through runtime configuration
Benefits
Unified Authentication Center
- the whole system has only one authentication center
- the whole system has only one primary token model
- different application integration styles still share one source of truth
Clear Engineering Boundaries
auth-serverhandles authenticationadmin-ssohandles the platform login facadelite-ssohandles the lightweight third-party facade- business systems handle their own business context
Evolution Direction
The intended evolution is:
- start with merged deployment and split later
- onboard one third-party application first and reuse the pattern for others
- adjust deployment topology without changing the authentication model
This section describes the intended direction. It is not a current capability. Whether a specific evolution step has been delivered is reflected in the Operations and Reference Manual pages.
Minimum Acceptance Criteria (Target State)
auth-serveris the only token issuer- platform applications integrate through
admin-sso - third-party applications integrate through
lite-sso - both platform backends and third-party backends directly consume the unified token from
auth-server freight-portalis treated only as an example third-party consumer, not as part of the authentication-center core
This is the target-state acceptance bar. Whether each item is fully delivered today is reflected in Unified Authentication Overview and the Operations pages.