Authentication¶
Astra currently implements these authentication paths:
- authorization code
- password grant
- refresh token rotation
- custom API key grant
- MFA step-up using TOTP, email OTP, and WebAuthn
- OIDC federation through external identity providers
Supported OAuth Grant Types¶
authorization_codepasswordrefresh_tokenurn:astraauth:grant-type:api_key
API Key Status¶
API key authentication is implemented in code as a custom OAuth grant path and runtime API key authenticator.
Important distinction:
- implemented: custom API key grant support
- not implemented: Financial-grade API (FAPI) compliance or certification
Client Authentication¶
The current token endpoint supports:
client_secret_basicclient_secret_post
Runtime Surface¶
The normalized HTTP adapter lives in astraauth.core.adapters.oauth_http.OAuthHTTPAdapter, and astraauth.service composes it with session stores, token management, MFA, plugins, and OIDC federation.
Common Next Steps¶
- use MFA when a flow needs stronger assurance
- use the OIDC Federation guide when external providers are required
- use Authorization to enforce
ALLOW,DENY, andSTEP_UP