diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/share/authz/DESIGN.md | 42 |
1 files changed, 21 insertions, 21 deletions
diff --git a/doc/share/authz/DESIGN.md b/doc/share/authz/DESIGN.md index 2ec7807f..51129a1c 100644 --- a/doc/share/authz/DESIGN.md +++ b/doc/share/authz/DESIGN.md 
@@ -102,39 +102,39 @@ OIDC Login Flow ```plantuml @startuml -Browser -> UI: Get dashboard +Browser -> UI: 1. Get dashboard UI --> Browser: Generate OAuth Grant Request and redirect to IdP -Browser -> IdP: Deliver OAuth Grant Request -IdP --> Browser: Redirect to Login Page -Browser -> IdP: Login -IdP --> Browser: Generate Consent Screen for Authorization Code flow -Browser -> IdP: Consent +Browser -> IdP: 2. Deliver OAuth Grant Request +IdP --> Browser: 3. Redirect to Login Page +Browser -> IdP: 4. Login +IdP --> Browser: 5. Generate Consent Screen for Authorization Code flow +Browser -> IdP: 6. Consent IdP --> Browser: Generate Authorization Code and redirect to UI -Browser -> UI: Deliver Authorization Code Grant -UI -> IdP: Exchange Authorization Code Grant for Tokens +Browser -> UI: 7. Deliver Authorization Code Grant +UI -> IdP: 8. Exchange Authorization Code Grant for Tokens IdP --> UI: Return `access_token` and `refresh_token` UI --> Browser: Redirect to dashboard Browser -> UI: Get dashboard -UI -> API: Request list of projects and provide Access Token -API -> IdP: Check if token is valid and check declarative policy +UI -> API: 9. Request list of groups and provide Access Token +API -> IdP: 10. Check if token is valid and check declarative policy IdP --> API: Return result of `Ability.allowed?` -API --> UI: Return list of projects as JSON -UI --> Browser: Return list of projects as HTML +API --> UI: Return list of groups as JSON +UI --> Browser: Return list of groups as HTML @enduml ``` 1. `GET http://ui.example.com/oidc/new` -1. `GET http://idp.example.com/oauth/authorize` -1. `GET http://idp.example.com/sessions/new?redirect_back=/oauth/authorize/continue` -1. `POST http://idp.example.com/sessions` -1. `GET http://idp.example.com/oauth/authorize/continue` -1. `POST http://idp.example.com/oauth/authorize` -1. `GET http://ui.example.com/oauth/callback` -1. `POST http://idp.example.com/oauth/token` -1. `GET http://api.example.com/groups.json` -1. 
`GET grpc://idp.example.com/twirp/authx.rpc.Ability/Allowed` +2. `GET http://idp.example.com/oauth/authorize` +3. `GET http://idp.example.com/sessions/new?redirect_back=/oauth/authorize/continue` +4. `POST http://idp.example.com/sessions` +5. `GET http://idp.example.com/oauth/authorize/continue` +6. `POST http://idp.example.com/oauth/authorize` +7. `GET http://ui.example.com/oauth/callback` +8. `POST http://idp.example.com/oauth/token` +9. `GET http://api.example.com/groups.json` +10. `GET grpc://idp.example.com/twirp/authx.rpc.Ability/Allowed` ### Permissions #### Option 1 |
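Review bot: the numbers added to the diagram only label the request-initiating arrows (`Browser -> UI`, `Browser -> IdP`, `UI -> IdP`, `UI -> API`, `API -> IdP`) and leave the redirect and response arrows (`IdP --> Browser`, `IdP --> UI`, `UI --> Browser`, `API --> UI`) unnumbered, so a reader has to infer that "1." through "10." index the URL list under the diagram rather than the diagram itself; a one-line sentence before the list ("Numbered arrows correspond to the requests below") or numbering every arrow would make that explicit. Related: the first arrow `1. Get dashboard` maps to list item 1, `GET http://ui.example.com/oidc/new`, while the later unnumbered `Browser -> UI: Get dashboard` after the token exchange has no list entry, so the label "Get dashboard" on step 1 reads as if the dashboard URL itself were `/oidc/new`; consider relabelling step 1 to "Start OIDC login" or similar. Item 10 is renumbered but otherwise kept as `GET grpc://idp.example.com/twirp/authx.rpc.Ability/Allowed`; since Twirp calls are HTTP POSTs to `/twirp/<service>/<method>`, confirm the method and scheme here while touching the line. The `projects` to `groups` rename in the diagram correctly brings it in line with `GET http://api.example.com/groups.json`, which the list already used.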
