Differences

devel:documentation:security:dev:security [2023/12/01 11:26]
chalupat [OIDC authentication]
devel:documentation:security:dev:security [2023/12/01 16:19] (current)
chalupat [The authentication flow from external application (hub, ...)]
Line 219: Line 219:
 @since 13.1.0 @since 13.1.0
  
-This feature is disabled by default. If you want to enable it, see configuration properties [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication_filter|application]]+This feature is disabled by default. If you want to enable it, see configuration properties [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication|application]]
  
 CAS Service for OIDC configuration: CAS Service for OIDC configuration:
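Review bot: the only change in this hunk is the link anchor, `#oidc_authentication_filter` to `#oidc_authentication`; confirm that a heading with the id `oidc_authentication` actually exists on the `application_configuration/dev/backend` page, since a wrong anchor fails silently in DokuWiki and simply lands the reader at the top of that page. The surrounding sentence ("This feature is disabled by default") is unchanged, so the hunk is otherwise fine.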
Line 225: Line 225:
 idm-oidc-201.json idm-oidc-201.json
 <code> <code>
 +
 { {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",   "@class" : "org.apereo.cas.services.OidcRegisteredService",
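Review bot: the added `+` line is an empty line placed between `<code>` and the opening `{` of `idm-oidc-201.json`, so the rendered code box now starts with a blank line before the JSON. It does not break anything, but it looks accidental and should be dropped so the service definition starts on the first line of the block.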
Line 241: Line 242:
  
 </code> </code>
 +
 +
 +==== The authentication flow from front ====
 +
 +{{  .:oidc_1.png?nolink&1061x612  }}
 +
 +1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login.
 +
 +2) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
 +
 +3) User login on OIDC providers page
 +
 +4) User gets redirected back to IDM with "code"
 +
 +5) IDM uses "code" to get from OIDC provider, ID token and Access token (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
 +
 +6) After validation IDM creates CIDMST token (with externalID set to SID)
 +
 +7) IDM redirects to front with CIDMST
 +
 +
 +==== The authentication flow from external application (hub, ...) ====
 +
 +{{  .:oidc2_1.png?nolink&889x698  }}
 +
 +1) Authentication happens on external application
 +
 +2) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer") (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
 +
 +3) IDM validates token on OIDC provider
 +
 +4) If user has access to resource returns it
 +
 +
 +==== Single logout flow from IDM ====
 +
 +{{  .:oidc3_1.png?nolink&881x369  }}
 +
 +1) User clicks on logout button so front redirects him to api endpoint for OIDC logout.
 +
 +2) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
 +
 +3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token)
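Review bot: the new sections describe the flows but leave out the checks on which the flows' security depends, and that is what should be added before this goes live. In "The authentication flow from front", step 6 says "After validation IDM creates CIDMST token" without saying what is validated on the ID token and access token obtained in step 5; list the checks IDM performs (for example signature against the provider's keys, issuer, audience, expiry, and that the response belongs to the redirect started in step 2) so an operator can tell which misconfiguration would let a foreign token be accepted. Step 6 also uses "SID" without defining it; say where the value comes from, as the single logout section relies on matching it. Step 5 is garbled ("to get from OIDC provider, ID token and Access token") and should read "uses the code to obtain the ID token and access token from the OIDC provider". In "The authentication flow from external application", the ".well-known endpoint" parenthetical in step 2 is attached to the external application's request, where it does not belong; it describes the endpoint IDM uses in step 3. Step 3 ("IDM validates token on OIDC provider") should say whether this is a call to the provider on every request or a local check against the provider's published keys, because the two behave differently when the provider is unreachable, and step 4 should say what happens when the token is rejected (expected status, what is logged). In "Single logout flow from IDM", step 3 should name the endpoint on IDM that the provider calls and the field of the JWT the SID is read from, since an administrator has to register that callback at the provider; "IMD" is a typo for "IDM". Further typos: "frotend" (front flow, step 1) and "adress" (front flow steps 2 and 5, external flow step 2, logout flow step 2).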
  
  
  • by chalupat