Unified Authentication
This chapter explains the current unified authentication integration boundary in Geelato Framework, focusing on the responsibility split between auth-server and lite-login, and on how third-party applications reuse the central authentication service.
What Unified Authentication Solves
The main goal is to decouple authentication from each business system's own session model:
auth-serverissues tokenslite-loginprovides the lightweight login facade- the third-party frontend receives the token and passes it to its own backend
- the third-party backend confirms the user identity against the authentication center
With this model, each new portal, SaaS application, or customer-owned system does not need to build its own username-password login flow.
Core Components
auth-server
auth-server is the unified authentication center and the only trusted token issuer.
It is responsible for:
- issuing access tokens
- exposing OAuth endpoints such as
/oauth2/userinfo - acting as the trusted identity source for third-party backends
lite-login
lite-login is the lightweight login facade exposed by the unified authentication center.
It is responsible for:
- hosting the login interaction
- supporting iframe embedding or popup-based integration
- returning login results to the third-party frontend through
postMessage
Scope
Recommended for:
- third-party portals
- third-party SaaS systems
- customer-owned systems
- frontend-backend separated applications that need embedded login
- independently deployed systems that want to reuse the central authentication service
Not intended for:
- the original platform-internal
admin-ssohosted login mode - monolithic login pages hosted directly inside
auth-server templates
Responsibility Boundary
Authentication Center
auth-serveris the only token issuerlite-loginis the lightweight login facadelite-loginreturns the token after login succeeds- the final trusted user identity still comes from backend confirmation through
/oauth2/userinfo
Third-Party Frontend
- opens or embeds
lite-login - listens to
postMessage - extracts
accessTokenortoken - stores the token temporarily
- passes
Authorization: Bearer <token>to its own backend
Third-Party Backend
- reads the Bearer token from request headers
- calls
/oauth2/userinfo - extracts
data.user - establishes account mapping, permission context, or local session state
Relationship to Other Framework Capabilities
Recommended boundaries:
- unified authentication: how to get the central token and confirm identity
- security authentication: how the platform runtime consumes the token and establishes the authenticated subject for the current request
- runtime security chain: how to establish backend security context after authentication succeeds
- MQL / ORM: how to access business data after identity is confirmed
Important note:
- the
userreturned inLOGIN_SUCCESSis only auxiliary display data on the frontend - the final trusted identity must be confirmed by the backend
SecurityContextmust only be written from the internal authenticated security flow
Entry Constraint
Use the explicit lightweight login entry:
https://<auth-host>/lite-login
Do not reuse:
/login?display=embedded
Each third-party application should still keep its own /login page as the entry handoff page, but it should not implement username-password authentication itself.
Suggested Reading Order
- Read Unified Authentication Architecture
- Read Security Authentication to understand the
DefaultSecurityInterceptorauth flow - Read lite-login Third-Party Integration
- Then read PlatformWebRuntime for the runtime security chain position
- If you also need platform-side data access, continue with MQL Overview