Overview
auth-svc is the access control service that works alongside duo-server to secure phone-to-duo-server communication. The integration involves two distinct APIs:
Hooks: duo-server communicates with auth-svc through hooks -- specialized endpoints that duo-server calls to validate operations or to be notified about events. These hooks act as the authorization layer, allowing auth-svc to approve or reject duo-server's operations according to your application's access control rules.
Hook communication happens over a local IPC channel such as a Unix domain socket (UDS) or internal HTTP within the same network boundary (e.g., a Docker network).
Registration: in addition to hooks, auth-svc must expose user-facing endpoints for user and device registration. These establish the identity of users and their devices.
The user and device registration endpoints are not called by the hooks themselves, but they are necessary for persisting the user and device identities that the hooks later authorize against.
Registration Phase -- User facing APIs
Duo-Server Operations Phase -- Hooks
Each device is uniquely identified by a device ID, which is an ECDSA public key that serves as both the device identifier and the authentication mechanism.
- Phone sends requests to duo-server with its device ID (public key) + a signature
- Duo-server verifies the signature using the received device ID (duo-server stores no device IDs)
- Auth-svc persists device IDs and links device IDs to users using registration endpoints
- Authorization happens through hooks when duo-server queries auth-svc