Differences
devel:documentation:security:dev:security [2023/12/01 13:14] chalupat [The authentication flow from front]
devel:documentation:security:dev:security [2023/12/01 16:19] chalupat [The authentication flow from external application (hub, ...)]
Line 246: | Line 246: | ||
==== The authentication flow from front ==== | ==== The authentication flow from front ==== | ||
- | {{ .:oidc_auth.png? | + | {{ .:oidc_1.png? |
1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login. | 1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login. | ||
- | 2) IDM redirects user to OIDC providers login page | + | 2) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config) |
3) User login on OIDC providers page | 3) User login on OIDC providers page | ||
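Review bot: the added text in step 2) misspells "address" as "adress", and the unchanged step 1) still has "frotend" for "frontend"; "OIDC providers login page" in steps 2) and 3) should read "OIDC provider's login page". Since step 2) now states that the login endpoint taken from the .well-known document "can be overwritten in config", name the configuration property that does this and say that its value replaces the discovered endpoint, so an operator reading the page can tell which URL the redirect in step 2) will actually target.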
Line 256: | Line 256: | ||
4) User gets redirected back to IDM with " | 4) User gets redirected back to IDM with " | ||
- | 5) IDM uses " | + | 5) IDM uses " |
6) After validation IDM creates CIDMST token (with externalID set to SID) | 6) After validation IDM creates CIDMST token (with externalID set to SID) | ||
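Review bot: steps 4) and 5) are cut off in this rendered diff (both end at an opening quote), so the change made to step 5) cannot be reviewed from this view; please check the full page text. Step 6) says the CIDMST token is created "after validation", but neither step 5) nor step 6) says what is validated; list the checks applied to the data returned in step 4) (for an OIDC login typically the token signature, issuer, audience and expiry, plus the state value from the redirect) before the SID is copied into externalID, since that value is what later ties IDM tokens to the external session.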
Line 265: | Line 265: | ||
==== The authentication flow from external application (hub, ...) ==== | ==== The authentication flow from external application (hub, ...) ==== | ||
- | {{ .:oicd_external_auth.png? | + | {{ .:oidc2_1.png? |
1) Authentication happens on external application | 1) Authentication happens on external application | ||
- | 2) When accessing a resource, external application presents access token (in header " | + | 2) When accessing a resource, external application presents access token (in header " |
3) IDM validates token on OIDC provider | 3) IDM validates token on OIDC provider | ||
4) If user has access to resource returns it | 4) If user has access to resource returns it | ||
+ | |||
+ | |||
+ | ==== Single logout flow from IDM ==== | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | 1) User clicks on logout button so front redirects him to api endpoint for OIDC logout. | ||
+ | |||
+ | 2) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config) | ||
+ | |||
+ | 3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token) | ||
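Review bot: step 3) of the new "Single logout flow from IDM" section says the OIDC provider calls IDM and IDM invalidates all tokens carrying the SID from the JWT token, but it does not say how that incoming call is authenticated; state that the logout token is validated (signature, issuer, audience and expiry) before any tokens are invalidated, because as written the flow reads as if the SID alone is enough to end sessions. Smaller points in the same hunk: "IMD" in step 3) should be "IDM", "adress" in step 2) should be "address", "IDM redirect him" should be "IDM redirects the user", the image reference "{{ .:" has no file name in this rendered diff, and the header name in step 2) of the external application flow is likewise cut off at the opening quote, so the exact header the external application must send is not visible here.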