Differences

devel:documentation:security:dev:security [2023/12/01 15:22]
chalupat [The authentication flow from front]
devel:documentation:security:dev:security [2023/12/01 16:19] (current)
chalupat [The authentication flow from external application (hub, ...)]
Line 246: Line 246:
 ==== The authentication flow from front ==== ==== The authentication flow from front ====
  
-{{  .:oidc.png?nolink&1061x612  }}+{{  .:oidc_1.png?nolink&1061x612  }}
  
 1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login. 1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login.
  
-2) IDM redirects user to OIDC providers login page+2) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 3) User login on OIDC providers page 3) User login on OIDC providers page
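Review bot: the parenthetical added to step 2 misspells "adress" and uses "OIDC providers" where the possessive "OIDC provider's" is meant, and it does not say which entry of the .well-known discovery document is used nor which config property overrides it. Suggest: "2) IDM redirects the user to the OIDC provider's login page (the authorization endpoint taken from the provider's .well-known discovery document, or overridden in config: <property name>)". While touching this step, the unchanged step 1 still reads "frotend"; it should be "frontend".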
Line 256: Line 256:
 4) User gets redirected back to IDM with "code" 4) User gets redirected back to IDM with "code"
  
-5) IDM uses "code" to get from OIDC provider, ID token and Access token+5) IDM uses "code" to get from OIDC provider, ID token and Access token (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 6) After validation IDM creates CIDMST token (with externalID set to SID) 6) After validation IDM creates CIDMST token (with externalID set to SID)
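Review bot: the parenthetical added to step 5 is the same generic phrase as in step 2 ("adress from .well-known endpoint on OIDC providers"), although step 5 uses a different endpoint, the one where the "code" is exchanged for the ID token and access token. Suggest naming it: "(token endpoint taken from the provider's .well-known discovery document, or overridden in config)", and fixing "adress" to "address". Step 6 "After validation" would also benefit from saying which of the tokens obtained in step 5 is validated and how.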
Line 265: Line 265:
 ==== The authentication flow from external application (hub, ...) ==== ==== The authentication flow from external application (hub, ...) ====
  
-{{  .:oicd_external_auth.png?nolink&732x926  }}+{{  .:oidc2_1.png?nolink&889x698  }}
  
 1) Authentication happens on external application 1) Authentication happens on external application
  
-2) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer")+2) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer") (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 3) IDM validates token on OIDC provider 3) IDM validates token on OIDC provider
  
 4) If user has access to resource returns it 4) If user has access to resource returns it
 +
  
 ==== Single logout flow from IDM ==== ==== Single logout flow from IDM ====
 +
 +{{  .:oidc3_1.png?nolink&881x369  }}
  
 1) User clicks on logout button so front redirects him to api endpoint for OIDC logout. 1) User clicks on logout button so front redirects him to api endpoint for OIDC logout.
  
-2) IDM redirect him to logout endpoint on OIDC provider+2) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
  
 3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token) 3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token)
  
  
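Review bot: the parenthetical "(adress from .well-known endpoint on OIDC providers or can be overwritten in config)" is attached to step 2 of the external-application flow, but that step only describes the external application sending a Bearer token in the Authorization header to IDM; no OIDC provider endpoint is looked up there. The lookup belongs to step 3, "IDM validates token on OIDC provider", so move the parenthetical there and say which provider endpoint the validation calls. The same phrase added to step 2 of the single logout flow does fit that step, but should read "address" and "the OIDC provider's logout endpoint"; in that flow "IDM redirect him" should be "IDM redirects him" and step 3 still has "IMD" for "IDM".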
  • by chalupat