Identity and Access Management (IAM) provides secure access management for AccelByte backend services and resources. It provides a multi-layer security system that allows or denies access for a large number of users, using customizable user and client roles and permissions. IAM offers two ways of authorizing access to AccelByte services and resources: direct access, or a more secure implementation that goes through the API Gateway.
Direct Access Implementation: This implementation is mainly used to authenticate or authorize internal clients or services that are trusted, or that can only be reached privately over a secure internal network, such as services within the same cluster or whitelisted client applications.
API Gateway Implementation: This implementation is mainly used to authenticate or authorize external clients or services that are public, such as 3rd party services, web applications and native applications.
Direct Access Implementation
The direct access implementation sends the client credentials (client ID and client secret) in an HTTP Basic Authorization header. To obtain these credentials, register a new client service or application through IAM Client Management. IAM checks the credentials on each request so that only a registered client with the right access can proceed. The same Basic authentication is also required when authenticating users during the login process, where the password grant type is used to exchange the user's credentials for an access token. The access token is a JWT (JSON Web Token) whose payload has the same data structure as the response class returned by a successful authentication request. You then present the access token on every request you make to IAM to be granted access to the related services or resources. The access token is short lived, with a default expiration time of 4 hours, so you must renew it using the refresh token returned by the successful authentication request. Because the caller holds the client secret and handles the user's password directly, this mode is only appropriate for the trusted, privately reachable clients described above. For more information regarding the token expiry time, please follow the document here.
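The direct access flow above, as an added example written for this page rather than code from AccelByte or its SDKs: it builds the Basic header from the client credentials, exchanges a username and password for a JWT access token with the password grant, reads the JWT's exp claim to decide when to refresh, and renews the token with the refresh_token grant. The token endpoint path, the offline stand-in for IAM, the sample credentials and the 60-second refresh margin are assumptions, not taken from the page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/iam/v3/oauth/token"   # assumed endpoint path, not from the page
FOUR_HOURS = 4 * 3600                # the page's default access-token lifetime

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def basic_auth_header(client_id, client_secret):
    """Client credentials travel in an HTTP Basic Authorization header."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def jwt_claims(token):
    """Decode the JWT payload only (no signature check). Fine for a client
    reading 'exp' from a token IAM just sent over TLS; a service that accepts
    tokens must verify the signature with IAM's public keys instead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def needs_refresh(token, now=None, skew=60):
    """True when the token is expired or within `skew` seconds of expiring."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True                       # no expiry claim: do not rely on it
    return (now if now is not None else time.time()) >= exp - skew

class DirectAccessClient:
    """Password grant plus refresh_token grant; `post` is injectable for tests."""

    def __init__(self, base_url, client_id, client_secret, post=None):
        self.base_url = base_url.rstrip("/")
        self._basic = basic_auth_header(client_id, client_secret)
        self._post = post or self._http_post
        self.access_token = self.refresh_token = None

    @staticmethod
    def _http_post(url, headers, form):
        req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())

    def _token_request(self, form):
        headers = {"Authorization": self._basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = self._post(self.base_url + TOKEN_PATH, headers, form)
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # may rotate
        return body

    def login(self, username, password):
        return self._token_request({"grant_type": "password",
                                    "username": username, "password": password})

    def refresh(self):
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.refresh_token})

    def bearer_header(self, now=None):
        """Header for a service call; refreshes first if the JWT is near expiry."""
        if self.access_token is None or needs_refresh(self.access_token, now):
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}

# Constructed stand-in for IAM so the example runs offline; not AccelByte code.
ISSUED_AT = 1700000000
CREDS = {"client_id": "demo-client", "client_secret": "demo-secret"}

def _fake_jwt(claims):   # JWT-shaped token with a dummy signature
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s.c2ln" % (header, b64url(json.dumps(claims).encode()))

def fake_iam_post(url, headers, form):
    if headers.get("Authorization") != basic_auth_header(**CREDS):
        raise PermissionError("401: unknown client credentials")
    if form["grant_type"] == "password" and form["password"] == "hunter2":
        issued = ISSUED_AT
    elif form["grant_type"] == "refresh_token" and form["refresh_token"] == "r1":
        issued = ISSUED_AT + FOUR_HOURS
    else:
        raise PermissionError("400: invalid_grant")
    claims = {"sub": "user-1", "iat": issued, "exp": issued + FOUR_HOURS}
    return {"access_token": _fake_jwt(claims), "refresh_token": "r1",
            "expires_in": FOUR_HOURS, "token_type": "Bearer"}

def demo():
    c = DirectAccessClient("https://iam.example.test", post=fake_iam_post, **CREDS)
    c.login("user-1", "hunter2")
    first = c.access_token
    c.bearer_header(now=ISSUED_AT + 60)               # fresh: no refresh
    unchanged = c.access_token == first
    c.bearer_header(now=ISSUED_AT + FOUR_HOURS - 10)  # inside skew: refresh
    return unchanged, c.access_token != first, jwt_claims(c.access_token)["exp"]
```

Against a real deployment, drop the `post=` argument so the client uses `urllib` over HTTPS; the fake responder exists only to show the exchange end to end. The refresh margin matters in practice: refreshing only after IAM has rejected a request costs a round trip and a failed call, so refreshing shortly before exp is the usual choice.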
API Gateway Implementation
The API Gateway implementation provides a more secure way to authorize access to our backend services and resources. It authorizes users with a session ID instead of an access token, so the access token is never exposed to the client application in order for it to make a request. The access token is obtained through the authorization code flow, which is carried out by the API Gateway rather than by the client application directly; as a result the client secret does not have to be stored on the client application side either. The API Gateway stores the access token and issues a session ID in exchange, and that session ID is what the client application uses. Every time the client application makes a request, the API Gateway validates the session ID, looks up the corresponding access token and passes it to IAM to grant access to the related services or resources. The API Gateway also handles the token refresh described in the direct access implementation. In the AccelByte enterprise environment, this implementation is reflected by the Login Website: users are redirected to the login website during the login process.
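The gateway-side session exchange described above, as an added example not taken from AccelByte's API Gateway: it completes the authorization code callback, stores the tokens server-side under a random session ID, hands the client only that ID in a hardened cookie, and on each request resolves the session, refreshes the access token when it is near expiry and attaches the Bearer header for IAM. The two token-endpoint callables, the offline stand-in for IAM, the cookie attributes and the 60-second refresh margin are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie


class ApiGateway:
    """Keeps IAM tokens server-side and gives the client an opaque session ID.
    `exchange_code` and `refresh` call IAM's token endpoint; they are injected
    so the example can run against the constructed fake below."""

    def __init__(self, exchange_code, refresh, skew=60):
        self._exchange_code = exchange_code
        self._refresh = refresh
        self._skew = skew
        self._sessions = {}        # session_id -> token record; never sent out

    def login_callback(self, code, state, expected_state, now=None):
        """Authorization-code redirect lands here. The gateway (which alone
        holds the client secret) swaps the code for tokens, not the client."""
        if not secrets.compare_digest(state, expected_state):
            raise PermissionError("state mismatch: possible login CSRF")
        tokens = self._exchange_code(code)
        sid = secrets.token_urlsafe(32)              # 256-bit unguessable ID
        self._sessions[sid] = self._record(tokens, now)
        return "sid=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % sid

    def upstream_headers(self, cookie_header, now=None):
        """Per request: map session ID -> access token, refreshing if needed,
        and return the Authorization header the gateway attaches for IAM."""
        morsel = SimpleCookie(cookie_header or "").get("sid")
        rec = self._sessions.get(morsel.value) if morsel else None
        if rec is None:
            raise PermissionError("401: unknown or expired session")
        now = now if now is not None else time.time()
        if now >= rec["expires_at"] - self._skew:
            try:
                rec = self._record(self._refresh(rec["refresh_token"]), now)
            except PermissionError:
                self._sessions.pop(morsel.value, None)   # refresh refused: drop it
                raise
            self._sessions[morsel.value] = rec
        return {"Authorization": "Bearer " + rec["access_token"]}

    def logout(self, sid):
        self._sessions.pop(sid, None)

    @staticmethod
    def _record(tokens, now):
        now = now if now is not None else time.time()
        return {"access_token": tokens["access_token"],
                "refresh_token": tokens["refresh_token"],
                "expires_at": now + tokens["expires_in"]}


# Constructed stand-in for IAM's token endpoint; not AccelByte code.
def _fake_tokens(n):
    return {"access_token": "at-%d" % n, "refresh_token": "rt-%d" % n,
            "expires_in": 4 * 3600}


def fake_exchange_code(code):
    if code != "good-code":
        raise PermissionError("invalid_grant")
    return _fake_tokens(1)


def fake_refresh(refresh_token):
    if not refresh_token.startswith("rt-"):
        raise PermissionError("invalid_grant")
    return _fake_tokens(int(refresh_token[3:]) + 1)   # rotate: rt-1 -> at-2/rt-2


def demo():
    gw = ApiGateway(fake_exchange_code, fake_refresh)
    t0 = 1700000000
    set_cookie = gw.login_callback("good-code", "s1", "s1", now=t0)
    cookie = set_cookie.split(";")[0]                   # what the browser sends back
    h1 = gw.upstream_headers(cookie, now=t0 + 10)
    h2 = gw.upstream_headers(cookie, now=t0 + 4 * 3600)  # expired: refreshed
    leaked = "at-" in set_cookie or "rt-" in set_cookie
    return h1["Authorization"], h2["Authorization"], leaked
```

The point to check in any gateway of this shape is the last value returned by demo: nothing derived from the access or refresh token ever reaches the client, only the random session ID. Because the session ID is the only credential the browser holds, it needs the cookie protections shown (HttpOnly, Secure, SameSite) and the state check on the callback, and the server-side record must be deleted on logout rather than merely forgotten by the client.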
For more information, please read AccelByte IAM API References.