Concepts
Goiabada is useful in two main scenarios:
- Users accessing resources - When users need access to specific resources (such as a section of your application or an API) and you want to manage that access.
- Server-to-server communications - When servers need to access other servers, and you want to set defined permission levels for them.
Users accessing resources
When you have users accessing resources, you need to know two things: who the user is (authentication), and whether they are authorized to access that resource (authorization).
Goiabada uses two familiar web protocols:
- OpenID Connect handles the who’s who (authentication)
- OAuth2 takes care of who can do what (authorization)
Regardless of your app type (a web app on the server side, a web app using JavaScript, or a mobile native app), the recommended approach is the Authorization code flow with PKCE.
The Authorization code flow with PKCE works in two steps:
- The application requests an authorization code from the /auth/authorize endpoint
- It exchanges this code for an access token, a refresh token, and optionally an ID token at the /auth/token endpoint
PKCE adds an extra layer of security: the client sends a hashed code challenge with the authorization request and the original code verifier with the token request, so an authorization code that is intercepted in transit cannot be exchanged for tokens without the verifier. This matters most for public clients such as mobile or single-page applications, which cannot keep a client secret.
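The two steps above, worked through on the client side with the S256 challenge method, as an added example that is not part of the Goiabada project or its documentation. Only the /auth/authorize and /auth/token paths come from the page; the issuer base URL, client id, redirect URI and scope are assumed placeholder values.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

ISSUER = "https://auth.example.com"  # assumed placeholder; replace with your Goiabada URL


def b64url(data: bytes) -> str:
    """Base64url without padding, as required for PKCE values (RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    A fresh verifier is 32 random bytes encoded to 43 characters, inside the
    43..128 character range the spec allows. The challenge is SHA-256 of the
    ASCII verifier, base64url-encoded; only the challenge leaves the client
    in step 1, the verifier is kept until step 2.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_url(client_id: str, redirect_uri: str, scope: str,
                  state: str, code_challenge: str) -> str:
    """Step 1: the URL the browser is sent to, carrying the challenge only."""
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{ISSUER}/auth/authorize?" + urlencode(params)


def token_request(code: str, client_id: str, redirect_uri: str,
                  code_verifier: str) -> dict:
    """Step 2: form body POSTed to /auth/token; the verifier proves the
    same client that started the flow is redeeming the code."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri,
            "code_verifier": code_verifier}


def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the token endpoint performs before issuing tokens."""
    expected = make_pkce_pair(code_verifier)[1]
    return secrets.compare_digest(expected, code_challenge)
```

The `token_request` body is sent as `application/x-www-form-urlencoded`; the `state` value in step 1 must also be compared against the one returned on the redirect before the code is exchanged.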
Server-to-server communications
When you have a set of servers working together, and you want to ensure that only the right clients can access resources on a specific server, use the Client credentials flow with a confidential client.
Learn more about OAuth2
OAuth2 covers a lot of ground. To delve deeper into it, check out https://www.oauth.com/