| author | mo khan <mo@mokhan.ca> | 2025-03-27 14:23:42 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-27 14:23:42 -0600 |
| commit | f4678f4c08f7439363b4d7f842de0a3dd4520352 (patch) | |
| tree | 331725f5582b8feb0212b367da7839697a2b6864 /doc | |
| parent | 284e89135081e879a31f9c3b6da7ffb608ec74d9 (diff) | |
docs: connect OIDC diagram to steps below
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/share/authz/DESIGN.md | 42 |
1 files changed, 21 insertions, 21 deletions
diff --git a/doc/share/authz/DESIGN.md b/doc/share/authz/DESIGN.md index 2ec7807f..51129a1c 100644 --- a/doc/share/authz/DESIGN.md +++ b/doc/share/authz/DESIGN.md 
@@ -102,39 +102,39 @@ OIDC Login Flow ```plantuml @startuml -Browser -> UI: Get dashboard +Browser -> UI: 1. Get dashboard UI --> Browser: Generate OAuth Grant Request and redirect to IdP -Browser -> IdP: Deliver OAuth Grant Request -IdP --> Browser: Redirect to Login Page -Browser -> IdP: Login -IdP --> Browser: Generate Consent Screen for Authorization Code flow -Browser -> IdP: Consent +Browser -> IdP: 2. Deliver OAuth Grant Request +IdP --> Browser: 3. Redirect to Login Page +Browser -> IdP: 4. Login +IdP --> Browser: 5. Generate Consent Screen for Authorization Code flow +Browser -> IdP: 6. Consent IdP --> Browser: Generate Authorization Code and redirect to UI -Browser -> UI: Deliver Authorization Code Grant -UI -> IdP: Exchange Authorization Code Grant for Tokens +Browser -> UI: 7. Deliver Authorization Code Grant +UI -> IdP: 8. Exchange Authorization Code Grant for Tokens IdP --> UI: Return `access_token` and `refresh_token` UI --> Browser: Redirect to dashboard Browser -> UI: Get dashboard -UI -> API: Request list of projects and provide Access Token -API -> IdP: Check if token is valid and check declarative policy +UI -> API: 9. Request list of groups and provide Access Token +API -> IdP: 10. Check if token is valid and check declarative policy IdP --> API: Return result of `Ability.allowed?` -API --> UI: Return list of projects as JSON -UI --> Browser: Return list of projects as HTML +API --> UI: Return list of groups as JSON +UI --> Browser: Return list of groups as HTML @enduml ``` 1. `GET http://ui.example.com/oidc/new` -1. `GET http://idp.example.com/oauth/authorize` -1. `GET http://idp.example.com/sessions/new?redirect_back=/oauth/authorize/continue` -1. `POST http://idp.example.com/sessions` -1. `GET http://idp.example.com/oauth/authorize/continue` -1. `POST http://idp.example.com/oauth/authorize` -1. `GET http://ui.example.com/oauth/callback` -1. `POST http://idp.example.com/oauth/token` -1. `GET http://api.example.com/groups.json` -1. 
`GET grpc://idp.example.com/twirp/authx.rpc.Ability/Allowed` +2. `GET http://idp.example.com/oauth/authorize` +3. `GET http://idp.example.com/sessions/new?redirect_back=/oauth/authorize/continue` +4. `POST http://idp.example.com/sessions` +5. `GET http://idp.example.com/oauth/authorize/continue` +6. `POST http://idp.example.com/oauth/authorize` +7. `GET http://ui.example.com/oauth/callback` +8. `POST http://idp.example.com/oauth/token` +9. `GET http://api.example.com/groups.json` +10. `GET grpc://idp.example.com/twirp/authx.rpc.Ability/Allowed` ### Permissions #### Option 1 |
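Review bot: the new step numbers are consistent between the diagram and the list (diagram steps 1 through 10 map one-to-one onto the ten numbered requests), but the doc still leaves two things unstated that a reader of an OIDC design page will look for at steps 2 and 7: the `state` value the UI should generate with the grant request and verify when the browser delivers the code to `/oauth/callback`, and whether the code exchange at step 8 carries a PKCE verifier or only the client secret. Consider adding a sentence after the list naming which of these the UI implements, since the numbered flow now reads as the authoritative sequence. Minor: step 10 is written as `GET grpc://.../twirp/...`; Twirp calls are HTTP `POST` to the `/twirp/` path, so the scheme and verb on that line are worth correcting while the list is being renumbered.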
