Skip to content

Commit

Permalink
remove <br> from mermaid charts
Browse files Browse the repository at this point in the history
Signed-off-by: Christian Richter <[email protected]>
  • Loading branch information
dragonchaser committed Jul 25, 2024
1 parent 9685d35 commit 2ff49e3
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 24 deletions.
26 changes: 13 additions & 13 deletions docs/ocis/flow-docs/login-flow.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,35 +26,35 @@ sequenceDiagram
participant ldap as External User Directory

user->>+client: What is the content of my home?
client->>+proxy: PROPFIND <br> no (or expired) auth
Note over client,proxy: ocis needs to know the IdP that is<br>used to authenticate users. The<br>proxy will redirect unauthenticated<br>requests to that IdP.
client->>+proxy: PROPFIND\n no (or expired) auth
Note over client,proxy: ocis needs to know the IdP that is used to authenticate users. The proxy will redirect unauthenticated requests to that IdP.
proxy-->>-client: 401 Unauthorized
client->>+proxy: 1. The client starts a new openIDConnect Flow
Note over client, proxy: GET /.well-known/openid-configuration
proxy-->>-client: Return openidConnect configuration for the IdP
client-->>client: 2. Client prepares an Authentication Request<br>containing the desired request parameters <br> and generates the code challenge (PKCE).
client-->>client: 2. Client prepares an Authentication Request containing the desired request parameters and generates the code challenge (PKCE).
client->>+idp: 3. Client sends the request and the code challenge to the Authorization Server.
Note over client, idp: GET /authorize?<br>flow=oidc&response_type=code<br>&scope=openid%20profile%20email<br>&code_challenge=Y2SGoq9vtAp7YAavTaO0B550H_Rsj9DypiL7xZuFjOE<br>&code_challenge_method=S25&client_id=s6BhdRkqt3<br>&state=af0ifjsldkj<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1<br>Host: server.example.com
Note over client, idp: GET /authorize? flow=oidc&response_type=code &scope=openid%20profile%20email &code_challenge=Y2SGoq9vtAp7YAavTaO0B550H_Rsj9DypiL7xZuFjOE &code_challenge_method=S25&client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: server.example.com
Note over user, idp: 3. Authorization Server Authenticates the End-User.
alt all users managed by idp/ocis idm
idp->>+idm: LDAP query/bind
idm-->>-idp: LDAP result
Note over idp,ldap: In case users are managed<br>in an external ldap they have to be<br> autoprovisioned in the ocis IdM<br> when they are loggin in.
Note over idp,ldap: In case users are managed in an external ldap they have to be autoprovisioned in the ocis IdM when they are loggin in.
else all users authenticated by an external idp
idp->>+ldap: Lookup of the user in the directory
ldap-->>-idp: Lookup result
end
idp-->>-user: Idp presents the user an authentication prompt.
user->>+idp: 5. User authenticates and gives consent.
idp-->>-client: 6. Authorization Server sends the End-User back<br>to the Client with an Authorization Code.
Note over client, idp: HTTP/1.1 302 Found<br>Location: https://client.example.org/cb?<br>code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
client->>+idp: 7. Client requests a response using the<br>Authorization Code and the code verifier at the Token Endpoint.
Note over client, idp: POST /token HTTP/1.1<br>Host: server.example.com<br>Content-Type: application/x-www-form-urlencoded<br>grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA<br>&redirect_uri=https%3A%2F%2Fclient.example.org<br>&code_verifier=a98ccbe253754259963e6e2b67b5a044929446d7a15046cc8e3194022ad061d9d667dce91876418d9e6fe9f54819332e
idp-->>-client: 6. Authorization Server sends the End-User back to the Client with an Authorization Code.
Note over client, idp: HTTP/1.1 302 Found Location: https://client.example.org/cb? code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
client->>+idp: 7. Client requests a response using the Authorization Code and the code verifier at the Token Endpoint.
Note over client, idp: POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org &code_verifier=a98ccbe253754259963e6e2b67b5a044929446d7a15046cc8e3194022ad061d9d667dce91876418d9e6fe9f54819332e
idp->>+idp: 8. IdP checks the code verifier (PKCE)
idp-->>-client: 9. Client receives a response that contains an<br>ID Token and Access Token in the response body. <br>If offline access is requested, the client also receives a refresh token.
Note over client, idp: HTTP/1.1 200 OK<br>Content-Type: application/json<br>Cache-Control: no-store<br>Pragma: no-cache<br>{<br>"access_token": "SlAV32hkKG",<br>"token_type": "Bearer",<br>"refresh_token": "8xLOxBtZp8",<br>"expires_in": 3600,<br>"id_token": "a ... b.c ... d.e ... f" // must be a JWT<br>}
client-->>client: 10. Client validates the ID token and<br>retrieves the End-User's Subject Identifier.
client->>+proxy: PROPFIND <br> With access token
idp-->>-client: 9. Client receives a response that contains an ID Token and Access Token in the response body. If offline access is requested, the client also receives a refresh token.
Note over client, idp: HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "a ... b.c ... d.e ... f" // must be a JWT }
client-->>client: 10. Client validates the ID token and retrieves the End-User's Subject Identifier.
client->>+proxy: PROPFIND With access token
proxy-->>-client: 207 Multi-Status
client-->>-user: List of Files X, Y, Z ...
{{< /mermaid >}}
22 changes: 11 additions & 11 deletions docs/ocis/flow-docs/request-flow.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,9 @@ sequenceDiagram

user->>+client: What is the content of my home?

client->>+proxy: PROPFIND <br> Bearer auth using oidc auth token
Note over client,proxy: What is in a bearer token? <br> The spec recommends opaque tokens. <br> Treat it as random byte noise.
Note over client,proxy: the proxy MUST authenticate users <br> using ocis-accounts because it needs <br> to decide where to send the request
client->>+proxy: PROPFIND Bearer auth using oidc auth token
Note over client,proxy: What is in a bearer token? The spec recommends opaque tokens. Treat it as random byte noise.
Note over client,proxy: the proxy MUST authenticate users using ocis-accounts because it needs to decide where to send the request
%% Mention introspection endpoint for opaque tokens
%% idp uses jwt, so we can save a request
%% either way the token can be used to look up the sub and iss of the user
Expand All @@ -36,16 +36,16 @@ sequenceDiagram
alt userinfo succeeds

idp-->>proxy: 200 OK
Note over proxy,accounts: Content-Type: application/json<br>{<br>"sub": "248289761001",<br>"name": "Jane Doe",<br>"given_name": "Jane",<br>"family_name": "Doe",<br>"preferred_username": "j.doe",<br>"email": "[email protected]",<br>"picture": "http://example.com/janedoe/me.jpg"<br>}
Note over proxy,accounts: Content-Type: application/json{"sub": "248289761001","name": "Jane Doe","given_name": "Jane","family_name": "Doe","preferred_username": "j.doe","email": "[email protected]","picture": "http://example.com/janedoe/me.jpg"}
%% see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

else userinfo fails

idp-->>-proxy: 401 Unauthorized
Note over proxy,accounts: WWW-Authenticate: error="invalid_token",<br>error_description="The Access Token expired"
Note over proxy,accounts: WWW-Authenticate: error="invalid_token",error_description="The Access Token expired"

proxy-->>client: 401 Unauthorized or <br>302 Found with redirect to idp
Note over client: start at login flow<br> or refresh the token
proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp
Note over client: start at login flow or refresh the token

end

Expand All @@ -71,24 +71,24 @@ sequenceDiagram
end
end

Note over proxy,accounts: provision a new account including displayname, email and sub@iss <br> TODO only if the user is allowed to login, based on group <br> membership in the ldap server
Note over proxy,accounts: provision a new account including displayname, email and sub@iss TODO only if the user is allowed to login, based on group membership in the ldap server
proxy->>proxy: generate new uuid
proxy->>+accounts: TODO create account with new generated uuid
accounts-->>-proxy: OK / error

else account has been disabled

accounts-->>-proxy: account is disabled
proxy-->>client: 401 Unauthorized or <br>302 Found with redirect to idp
Note over client: start at login flow<br> or refresh the token
proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp
Note over client: start at login flow or refresh the token

end
proxy->>proxy: store uuid in context

%% what if oc10 does not support a certain request / API

proxy->>proxy: mint an internal jwt that includes the UUID and username using revas `x-access-token` header
proxy->>+reva: PROPFIND <br>Token auth using internal JWT
proxy->>+reva: PROPFIND Token auth using internal JWT
reva-->>-proxy: Multistatus response
proxy-->>-client: Multistatus response

Expand Down

0 comments on commit 2ff49e3

Please sign in to comment.