DS Server comes with a fully-featured, included OAuth authentication server that enables users to add Security Profiles to access the document services using access tokens or by using the Client ID and Client Secret directly. But what if multiple instances of DS Server are used for load balancing or when your backends are distributed across multiple regions, countries and continents?
In the current version, all security profiles must be cloned on all instances of DS Server, so that each request is able to authenticate the user. This implied another problem: During the OAuth process, an access token is provided. If this access token is then used on another server, this instance doesn't know this token and the request will be denied.
The solution to this problem is a new feature of DS Server that allows each instance of DS Server to accept authentication requests from other DS Server instances. The following illustration shows a typical request flow:
The instance DS Server #1 doesn't have any security profiles, but lists DS Server #2 as an Authentication Server. When a request is coming to instance DS Server #1 based on a specific user profiles (Profile #1), DS Server #1 is asking DS Server #2, if the authentication is valid. If yes, the request is accepted and processed on DS Server #1.
The actual server load is happing on DS Server #1 and based on your used load balancing distribution algorithm, the load can be balanced accordingly.
Central Authentication Server
This structure allows different server setups and the deployment can be tailored to the exact requirements when it comes to scalability. The following diagram shows a central server that takes care of all authentication requests. DS Server #1 is the only server with security profiles and is handling all requests for connected servers.
Distributed Authentication Servers
In this case, all instances (or some) are able to authenticate each request. This allows a better redundancy and authentication requests can be processed even if a central server is not available or accessible.
The portal and the Web API have been extended to add authentication server URLs. The following screenshot shows the new portal section Authentication where 2 servers have been added:
Stay tuned for more features of DS Server 3.1.0.