Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Christian Richter <[email protected]>
1 parent 9685d35, commit 2ff49e3
Showing 2 changed files with 24 additions and 24 deletions.
@@ -24,9 +24,9 @@ sequenceDiagram | |
|
||
user->>+client: What is the content of my home? | ||
|
||
client->>+proxy: PROPFIND <br> Bearer auth using oidc auth token | ||
Note over client,proxy: What is in a bearer token? <br> The spec recommends opaque tokens. <br> Treat it as random byte noise. | ||
Note over client,proxy: the proxy MUST authenticate users <br> using ocis-accounts because it needs <br> to decide where to send the request | ||
client->>+proxy: PROPFIND Bearer auth using oidc auth token | ||
Note over client,proxy: What is in a bearer token? The spec recommends opaque tokens. Treat it as random byte noise. | ||
Note over client,proxy: the proxy MUST authenticate users using ocis-accounts because it needs to decide where to send the request | ||
%% Mention introspection endpoint for opaque tokens | ||
%% idp uses jwt, so we can save a request | ||
%% either way the token can be used to look up the sub and iss of the user | ||
|
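Review bot: the three replaced lines in this hunk (the PROPFIND arrow and the two `Note over client,proxy` lines) collapse each multi-line note into one long line, and nothing visible on this page beyond the Signed-off-by trailer explains why the `<br>` breaks are being dropped. If the target renderer does not accept HTML line breaks inside sequenceDiagram notes, state that in the commit message; otherwise the long single-line "the proxy MUST authenticate users using ocis-accounts because it needs to decide where to send the request" note will render as one very wide box unless the renderer wraps note text.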
@@ -36,16 +36,16 @@ sequenceDiagram | |
alt userinfo succeeds | ||
|
||
idp-->>proxy: 200 OK | ||
Note over proxy,accounts: Content-Type: application/json<br>{<br>"sub": "248289761001",<br>"name": "Jane Doe",<br>"given_name": "Jane",<br>"family_name": "Doe",<br>"preferred_username": "j.doe",<br>"email": "[email protected]",<br>"picture": "http://example.com/janedoe/me.jpg"<br>} | ||
Note over proxy,accounts: Content-Type: application/json{"sub": "248289761001","name": "Jane Doe","given_name": "Jane","family_name": "Doe","preferred_username": "j.doe","email": "[email protected]","picture": "http://example.com/janedoe/me.jpg"} | ||
%% see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse | ||
|
||
else userinfo fails | ||
|
||
idp-->>-proxy: 401 Unauthorized | ||
Note over proxy,accounts: WWW-Authenticate: error="invalid_token",<br>error_description="The Access Token expired" | ||
Note over proxy,accounts: WWW-Authenticate: error="invalid_token",error_description="The Access Token expired" | ||
|
||
proxy-->>client: 401 Unauthorized or <br>302 Found with redirect to idp | ||
Note over client: start at login flow<br> or refresh the token | ||
proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp | ||
Note over client: start at login flow or refresh the token | ||
|
||
end | ||
|
||
|
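Review bot: in the `idp-->>proxy: 200 OK` note the `<br>` removal runs the header straight into the body, so the line now reads `Content-Type: application/json{"sub": "248289761001",...` with nothing separating the header value from the JSON; keep at least a space (or a ` | `) between `application/json` and `{` so the example still reads as a header followed by a body. The same readability point applies to `error="invalid_token",error_description=...`, where a space after the comma would help. Not introduced by this change, but worth a follow-up: the `WWW-Authenticate` example lists its parameters without the `Bearer` scheme in front of them.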
@@ -71,24 +71,24 @@ sequenceDiagram | |
end | ||
end | ||
|
||
Note over proxy,accounts: provision a new account including displayname, email and sub@iss <br> TODO only if the user is allowed to login, based on group <br> membership in the ldap server | ||
Note over proxy,accounts: provision a new account including displayname, email and sub@iss TODO only if the user is allowed to login, based on group membership in the ldap server | ||
proxy->>proxy: generate new uuid | ||
proxy->>+accounts: TODO create account with new generated uuid | ||
accounts-->>-proxy: OK / error | ||
|
||
else account has been disabled | ||
|
||
accounts-->>-proxy: account is disabled | ||
proxy-->>client: 401 Unauthorized or <br>302 Found with redirect to idp | ||
Note over client: start at login flow<br> or refresh the token | ||
proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp | ||
Note over client: start at login flow or refresh the token | ||
|
||
end | ||
proxy->>proxy: store uuid in context | ||
|
||
%% what if oc10 does not support a certain request / API | ||
|
||
proxy->>proxy: mint an internal jwt that includes the UUID and username using revas `x-access-token` header | ||
proxy->>+reva: PROPFIND <br>Token auth using internal JWT | ||
proxy->>+reva: PROPFIND Token auth using internal JWT | ||
reva-->>-proxy: Multistatus response | ||
proxy-->>-client: Multistatus response | ||
|
||
|
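Review bot: dropping the `<br>` before `TODO` in the `Note over proxy,accounts` provisioning line makes the open question read as part of the sentence ("...including displayname, email and sub@iss TODO only if the user is allowed to login..."); put a separator such as ` - ` or `;` before `TODO` so it stays visible as an unresolved check. That check is the important one in this hunk: as drawn, the proxy generates a uuid and asks accounts to create the account before any group-membership decision exists, so the TODO is the authorization gate for who gets provisioned. Minor: `revas` in the "mint an internal jwt" step should read `reva's`.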