Authlink Overview

Authlink is a comprehensive OAuth2 and OpenID Connect (OIDC) authorization server that provides secure identity and access management. This overview section explains the core concepts that form the foundation of Authlink's architecture.

Concepts

Authlink is built around three fundamental concepts that work together to provide comprehensive authorization:

Subjects

Users and system identities that authenticate with the system. Subjects have stable identities, roles, permissions, and custom attributes that determine their access rights.

Clients

Applications that request authorization to access protected resources. Authlink supports both public clients (mobile apps, SPAs) and confidential clients (server applications) with appropriate security measures.

Audiences

Protected APIs and resources that clients can access. Audiences define what services are available and control who can access them through permissions, roles, and policies.

  • Security First: Implements OAuth2 and OIDC security best practices by default
  • Developer Friendly: Clean APIs and comprehensive documentation
  • Enterprise Grade: Built for scale with multi-tenancy and advanced features
  • Standards Compliant: Full OAuth 2.1 and OpenID Connect compliance
  • Flexible Architecture: Supports diverse application architectures and deployment patterns

Detailed Architecture

Now let's dive deeper into how these concepts work within Authlink's architecture:

Subjects

Subjects represent the entities that can be authenticated and authorized in the system. These are primarily users but can also include system identities. Every subject has a unique, immutable SubjectId that appears in OAuth2 and OIDC tokens as the sub claim.

Key characteristics:

  • Stable identity across authentication sessions
  • Role and permission-based access control
  • Customizable attributes and profile information
  • Tenant-based isolation support

Clients

Clients are applications that request authorization to access protected resources on behalf of subjects. Authlink supports both Public Clients (like mobile apps) and Confidential Clients (like server-side applications) with different security requirements and capabilities.

Key characteristics:

  • OAuth2-compliant client authentication
  • Flexible configuration for different application types
  • Scope and permission management
  • Advanced security features (PKCE, mTLS, IP restrictions)

Audiences

Audiences represent the protected resources and APIs that clients can access. In Authlink, these are called API Resources and they define what services are available and who can access them.

Key characteristics:

  • Fine-grained permission and role-based access
  • Client-specific authorization rules
  • Token lifetime and issuance policies
  • Application-level access control

How They Work Together

These concepts interact to form a complete authorization system:

  1. Subjects authenticate and are assigned roles and permissions
  2. Clients request access on behalf of subjects to specific scopes
  3. Audiences define what resources are available and validate access
  4. Tokens carry the subject identity and authorized permissions to audiences

OAuth2 and OIDC Compliance

Authlink implements these concepts while maintaining full compliance with OAuth2 and OpenID Connect specifications:

  • OAuth2: Authorization framework for secure API access
  • OpenID Connect: Identity layer built on OAuth2 for authentication
  • Standard flows: Authorization Code, Client Credentials, and more
  • Security best practices: PKCE, state parameters, secure token handling
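PKCE and the `state` parameter are listed above as the security best practices the Authorization Code flow relies on. As an added example (not Authlink's own code), the block below shows both sides of PKCE with the S256 method: the client generates a `code_verifier`, derives the `code_challenge`, and builds the authorization request; the authorization server later checks the verifier presented at the token endpoint against the stored challenge. The client id, redirect URI, scope and authorize URL are constructed placeholders, and the known verifier/challenge pair used for checking comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import string
import urllib.parse

# RFC 7636 section 4.1: the verifier uses only unreserved URI characters.
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy verifier, 43 to 128 characters."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_state() -> str:
    """Client side: unguessable value bound to the browser session."""
    return secrets.token_urlsafe(32)


def build_authorization_request(authorize_url: str, client_id: str, redirect_uri: str,
                                scope: str, code_challenge: str, state: str) -> str:
    """Client side: authorization request carrying the challenge and state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_url + "?" + urllib.parse.urlencode(params)


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side at the token endpoint: recompute and compare the challenge.

    Only S256 is accepted here; the 'plain' method is refused because it leaks
    the verifier in the authorization request.
    """
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(ch not in UNRESERVED for ch in presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def client_check_state(expected_state: str, returned_state: str) -> bool:
    """Client side on the redirect back: the returned state must match the stored one."""
    return hmac.compare_digest(expected_state, returned_state)


if __name__ == "__main__":
    # Constructed placeholders, not real Authlink endpoints or registrations.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = generate_state()
    url = build_authorization_request("https://authlink.example/authorize", "demo-spa",
                                      "https://app.example/callback", "openid orders:read",
                                      challenge, state)
    print(url)
    # Later, at the token endpoint, the server recomputes the challenge from the verifier.
    print("PKCE ok:", server_verify_pkce(challenge, "S256", verifier))
```

The verifier never leaves the client until the token request, so an attacker who observes the authorization response cannot redeem the code; the server stores the challenge and method with the issued code and refuses the exchange when the recomputed challenge does not match.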

Next Steps

Explore each concept in detail to understand how they work within Authlink's authorization model:

  • Subjects - Learn about user identity and authentication
  • Clients - Understand application integration patterns
  • Audiences - Discover resource protection and access control

Understanding these foundational concepts will help you effectively design and implement secure authorization patterns with Authlink.