| 1 | +# 🔐 Auth Flows |
| 2 | + |
| 3 | +Authentication in UltimateAuth is not a single operation. |
| 4 | + |
| 5 | +👉 It is a **flow-driven system**. |
| 6 | + |
| 7 | +<br> |
| 8 | + |
| 9 | +## 🧠 What is an Auth Flow? |
| 10 | +An auth flow represents a complete authentication operation, such as: |
| 11 | + |
| 12 | +- Logging in |
| 13 | +- Refreshing a session |
| 14 | +- Logging out |
| 15 | + |
| 16 | +Each flow: |
| 17 | + |
| 18 | +- Has a defined lifecycle |
| 19 | +- Runs through the orchestration pipeline |
| 20 | +- Produces a controlled authentication outcome |
| 21 | + |
| 22 | +👉 Instead of calling isolated APIs, you execute **flows**. |
| 23 | + |
| 24 | +## 🔄 Why Flow-Based? |
| 25 | +Traditional systems treat authentication as: |
| 26 | + |
| 27 | +- A login endpoint |
| 28 | +- A token generator |
| 29 | +- A cookie setter |
| 30 | + |
| 31 | +👉 These approaches often lead to fragmented logic. |
| 32 | + |
| 33 | +UltimateAuth solves this by: |
| 34 | +- Structuring authentication as flows |
| 35 | +- Enforcing a consistent execution model |
| 36 | +- Centralizing security decisions |
| 37 | + |
| 38 | +<br> |
| 39 | + |
| 40 | +## 🧩 What Happens During a Flow? |
| 41 | +Every flow follows the same pattern: |
| 42 | +``` |
| 43 | +Flow → Context → Orchestrator → Authority → Result |
| 44 | +``` |
| 45 | + |
| 46 | +- The **flow** defines the intent |
| 47 | +- The **context** carries state |
| 48 | +- The **orchestrator** coordinates execution |
| 49 | +- The **authority** enforces rules |
| 50 | + |
| 51 | +👉 This ensures consistent and secure behavior across all operations. |
| 52 | + |
| 53 | +<br> |
| 54 | + |
| 55 | +## 🔐 Types of Flows |
| 56 | +UltimateAuth provides built-in flows for common scenarios: |
| 57 | + |
| 58 | +### 🔑 Login Flow |
| 59 | +Establishes authentication by: |
| 60 | + |
| 61 | +- Validating credentials |
| 62 | +- Creating session hierarchy (root, chain, session) |
| 63 | +- Issuing tokens if required |
| 64 | + |
| 65 | +👉 [Learn more](./login-flow.md) |
| 66 | + |
| 67 | +### 🔄 Refresh Flow |
| 68 | +Extends an existing session: |
| 69 | + |
| 70 | +- Rotates refresh tokens |
| 71 | +- Maintains session continuity |
| 72 | +- Applies sliding expiration |
| 73 | + |
| 74 | +👉 [Learn more](./refresh-flow.md) |
| 75 | + |
| 76 | +### 🚪 Logout Flow |
| 77 | +Terminates authentication: |
| 78 | + |
| 79 | +- Revokes session(s) |
| 80 | +- Invalidates tokens |
| 81 | +- Supports device-level or global logout |
| 82 | + |
| 83 | +👉 [Learn more](./logout-flow.md) |
| 84 | + |
| 85 | +<br> |
| 86 | + |
| 87 | +## 🧠 Supporting Concepts |
| 88 | +These flows operate on top of deeper system models: |
| 89 | + |
| 90 | +### 🧬 Session Lifecycle |
| 91 | + |
| 92 | +- Root → Chain → Session hierarchy |
| 93 | +- Device-aware session structure |
| 94 | +- Lifecycle management and revocation |
| 95 | + |
| 96 | +👉 [Learn more](./session-lifecycle.md) |
| 97 | + |
| 98 | +### 🎟 Token Behavior |
| 99 | + |
| 100 | +- Access token vs refresh token |
| 101 | +- Opaque vs JWT |
| 102 | +- Mode-dependent behavior |
| 103 | + |
| 104 | +👉 [Learn more](./token-behavior.md) |
| 105 | + |
| 106 | +### 📱 Device Management |
| 107 | + |
| 108 | +- Device binding |
| 109 | +- Multi-device sessions |
| 110 | +- Security implications |
| 111 | + |
| 112 | +👉 [Learn more](./device-management.md) |
| 113 | + |
| 114 | +<br> |
| 115 | + |
| 116 | +## 🧠 Mental Model |
| 117 | + |
| 118 | +If you remember one thing: |
| 119 | + |
| 120 | +👉 **Authentication is not a single step** |
| 121 | +👉 **It is a controlled flow of state transitions** |
| 122 | + |
| 123 | +## 📌 Key Takeaways |
| 124 | + |
| 125 | +- Authentication is executed as flows |
| 126 | +- Each flow follows a consistent pipeline |
| 127 | +- Sessions and tokens are created as part of flows |
| 128 | +- Security is enforced centrally |
| 129 | + |
| 130 | +--- |
| 131 | + |
| 132 | +## ➡️ Next Step |
| 133 | + |
| 134 | +Start with the most important flow: |
| 135 | + |
| 136 | +👉 Continue to **Login Flow** |
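Review bot: the "What Happens During a Flow?" section names the Authority as the stage that "enforces rules" and Result as the outcome, but nothing on the page says what happens when the authority denies a flow: whether a Result is still produced, and whether a denied login or refresh leaves partial state behind (for example a root or chain created under "Creating session hierarchy (root, chain, session)" before the denial). A sentence on the failure path would make the "consistent and secure behavior" claim concrete. Two related gaps worth a line each: the Refresh Flow bullet "Rotates refresh tokens" does not say how presentation of an already-rotated token is handled, and the Logout Flow bullet "Invalidates tokens" sits beside "Opaque vs JWT" under Token Behavior without saying how an already-issued JWT is invalidated before its expiry (a pointer to token-behavior.md would do). Minor style: the fenced block under "What Happens During a Flow?" and the list after "UltimateAuth solves this by:" lack the blank line that every other list and block on the page has before it.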