Goals
- Provide secure, simple login across local and Google OAuth.
- Avoid duplicate accounts when Google returns an email that already exists.
- Keep user identity records normalized for future identity providers.
User–Server Flow
Key Points
- Normalize emails (lowercase, trim) before matching or storing.
- On Google callback, if the normalized_email already exists, link the Google identity to that existing user; otherwise create a new user.
- No email verification step is required for Google login, but deduplication prevents duplicate accounts.
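The callback logic described in the key points above, as an added example rather than code from the original design: in-memory dicts stand in for the user table and the Identity Store, and `claims` is assumed to be the already signature-, issuer- and audience-checked Google ID-token payload (`sub`, `email`, `email_verified`). Linking an existing local account by email alone is only done when the provider attests the address.

```python
from dataclasses import dataclass, field

def normalize_email(email: str) -> str:
    """Lowercase and trim before matching or storing (Key Points)."""
    return email.strip().lower()

@dataclass
class User:
    id: int
    normalized_email: str

@dataclass
class Store:
    """In-memory stand-in for the user table and the Identity Store (constructed)."""
    users: dict = field(default_factory=dict)       # user_id -> User
    by_email: dict = field(default_factory=dict)    # normalized_email -> user_id
    identities: dict = field(default_factory=dict)  # (provider, subject) -> user_id
    next_id: int = 1

    def create_user(self, email: str) -> User:
        norm = normalize_email(email)
        if norm in self.by_email:
            raise ValueError("duplicate account for " + norm)
        user = User(self.next_id, norm)
        self.next_id += 1
        self.users[user.id] = user
        self.by_email[norm] = user.id
        return user

def resolve_google_login(store: Store, claims: dict) -> tuple:
    """Map verified Google ID-token claims to an internal user.

    Returns (user, action) with action in {'existing', 'linked', 'created'}.
    Assumes the token's signature, issuer and audience were checked upstream.
    """
    key = ("google", claims["sub"])  # provider subject: stable per Google account
    if key in store.identities:
        return store.users[store.identities[key]], "existing"
    norm = normalize_email(claims["email"])
    user_id = store.by_email.get(norm)
    if user_id is not None:
        # Linking by email is only safe when the provider attests the address;
        # otherwise refuse and fall back to an explicit verification step.
        if not claims.get("email_verified", False):
            raise PermissionError("email not verified by provider; not linking")
        user, action = store.users[user_id], "linked"
    else:
        user, action = store.create_user(norm), "created"
    store.identities[key] = user.id  # record the provider identity for next time
    return user, action
```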
Components
- Auth Service: endpoints for local and Google OAuth, session issuance.
- Identity Store: maps provider identities (e.g., the Google sub claim) to internal users.
- Auth Tokens: stateless JWT with optional Redis blacklist for revocation.
Non-functional Requirements
- Rate-limit login endpoints.
- Log auth events for auditing.
- Hash passwords with a strong algorithm (e.g., bcrypt, argon2) for local login.