Architecture

Table of Contents

  1. Overview
  2. Components
    1. Authentication Server: Authentication and Session/Token Validation
    2. Mobile SDK
    3. Protected Application and/or IdP
    4. Supporting Components
      1. Database Server
      2. Redis
      3. Push Messaging: Google FCM & APNS

Overview

The figure below gives a high-level overview of the nextAuth architecture. Note that it shows neither the supporting components nor the detailed communication flows.

nextAuth Architecture

Components

Authentication Server: Authentication and Session/Token Validation

The nextAuth Authentication Server (NAS) handles all communication with the mobile app: authentication, transaction signing, push messages… The NAS also acts as the session/token validation server for all integrated applications. It exposes a REST API, which can be integrated either directly into the business application or indirectly, through an Identity Provider (IdP) or Resource Gateway.

Mobile SDK

The nextAuth Mobile SDK runs as part of the mobile app and provides all functionality needed to authenticate against the NAS. It consists of a hardened compiled library containing all security-sensitive functions, wrapped in an integration layer that exposes the functions used to interact with the hardened part. The integration layer is available for both Android and iOS.

Protected Application and/or IdP

On its own, the NAS only provides a REST API, which custom-developed applications can call directly. There are, however, plenty of ways to integrate nextAuth into existing software:

  • through a reverse proxy (e.g. nginx with nextAuth configuration), which injects the necessary headers for the application;
  • through SAML or OIDC, using the nextAuth IdP;
  • through a third-party IdP, either with a nextAuth plugin or a delegation to the nextAuth IdP.
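
As an added illustration of the reverse-proxy integration (and of the NAS acting as validation server for an application that never talks to the NAS itself), the configuration below is example code written for this page, not nextAuth's shipped nginx configuration. nginx uses auth_request to ask the NAS whether the caller's session is valid, and only then forwards the request to the backend with the identity the NAS asserted injected as a header. The NAS validation path /api/validate, the X-NextAuth-User response header, the backend and NAS addresses, the certificate paths and the /login route are all assumptions made for the example.

```nginx
# Example only: not nextAuth's own configuration. Assumed: the NAS exposes a
# validation endpoint at /api/validate (hypothetical path) that answers 2xx
# for a valid session and 401 otherwise, and reports the authenticated user
# in a response header X-NextAuth-User (hypothetical name).

upstream nas {
    server 10.0.0.5:8443;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Internal-only subrequest target: forwards the session cookie to the NAS,
    # drops the request body, and verifies the NAS certificate so a spoofed
    # "validation server" on the network cannot approve sessions.
    location = /_nas_validate {
        internal;
        proxy_pass                   https://nas/api/validate;   # hypothetical NAS endpoint
        proxy_ssl_verify             on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/nas-ca.crt;
        proxy_ssl_name               nas.example.com;
        proxy_pass_request_body      off;
        proxy_set_header             Content-Length "";
        proxy_set_header             Cookie $http_cookie;
        proxy_set_header             X-Original-URI $request_uri;
    }

    # The application's own login page must be reachable without a session,
    # otherwise the redirect below would loop.
    location = /login {
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        auth_request /_nas_validate;

        # Copy the identity the NAS asserted into a variable...
        auth_request_set $nas_user $upstream_http_x_nextauth_user;

        # ...and inject it for the application. proxy_set_header replaces any
        # X-NextAuth-User the client sent, so the application sees only the
        # value the NAS returned. The session cookie is not forwarded; the
        # backend has no use for it.
        proxy_set_header X-NextAuth-User $nas_user;
        proxy_set_header Cookie "";

        proxy_pass http://127.0.0.1:8080;
    }

    # A 401 from the validation subrequest becomes a redirect to the login page.
    error_page 401 = @login;
    location @login {
        return 302 https://app.example.com/login?next=$request_uri;
    }
}
```

The injected header is only trustworthy if the backend is reachable exclusively through this proxy; if the application port is also exposed on another network path, a caller can set X-NextAuth-User itself and bypass authentication entirely. The validation subrequest is marked internal for the same reason: clients must not be able to call it, or to reach the NAS validation endpoint, directly.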

Supporting Components

Database Server

The NAS requires a MySQL/MariaDB instance. For production environments, we recommend running a clustered database server to ensure high availability.

Redis

A Redis instance is required for synchronisation between NAS instances and for in-memory storage.

Push Messaging: Google FCM & APNS

The NAS requires access to Google FCM and APNS in order to send out push messages to mobile devices.