Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
devel:documentation:security:dev:security [2023/12/01 13:06]
chalupat [The authentication flow] 		devel:documentation:security:dev:security [2023/12/01 16:19] (current)
chalupat [The authentication flow from external application (hub, ...)]
Line 219: Line 219:
 @since 13.1.0 @since 13.1.0
  
-This feature is disabled by default. If you want to enable it, see configuration properties [[this>wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#oidc_authentication_filter|application]]+This feature is disabled by default. If you want to enable it, see configuration properties [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication|application]]
  
 CAS Service for OIDC configuration: CAS Service for OIDC configuration:
Line 243: Line 243:
 </code> </code>
  
-==== The authentication flow from front  ==== 
  
-{{  .:oidc_auth.png?nolink&1490x975  }}+==== The authentication flow from front ==== 
 + 
 +{{  .:oidc_1.png?nolink&1061x612  }}
  
 1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login. 1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login.
  
-2) IDM redirects user to OIDC providers login page+2) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 3) User login on OIDC providers page 3) User login on OIDC providers page
Line 255: Line 256:
 4) User gets redirected back to IDM with "code" 4) User gets redirected back to IDM with "code"
  
-5) IDM uses "code" to get from OIDC provider, ID token and Access token+5) IDM uses "code" to get from OIDC provider, ID token and Access token (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 6) After validation IDM creates CIDMST token (with externalID set to SID) 6) After validation IDM creates CIDMST token (with externalID set to SID)
  
 7) IDM redirects to front with CIDMST 7) IDM redirects to front with CIDMST
 +
  
 ==== The authentication flow from external application (hub, ...) ==== ==== The authentication flow from external application (hub, ...) ====
  
-{{  .:oicd_external_auth.png?nolink&732x926  }}+{{  .:oidc2_1.png?nolink&889x698  }}
  
 1) Authentication happens on external application 1) Authentication happens on external application
  
-2) When accessing a ressource, external application presents access token (in header "Authorization" and value starts with "Bearer")+2) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer") (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 3) IDM validates token on OIDC provider 3) IDM validates token on OIDC provider
  
 4) If user has access to resource returns it 4) If user has access to resource returns it
 +
 +
 +==== Single logout flow from IDM ====
 +
 +{{  .:oidc3_1.png?nolink&881x369  }}
 +
 +1) User clicks on logout button so front redirects him to api endpoint for OIDC logout.
 +
 +2) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
 +
 +3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token)
  
  
  • by chalupat