Merge pull request #8600 from owncloud/improve-login-flow

[docs-only] Simplify login-flow and add PKCE
owncloud · Mar 7, 2024 · 3b3b174 · 3b3b174
1 parent 08478b7
commit 3b3b174
Show file tree

Hide file tree

Showing 86 changed files with 162 additions and 187 deletions.
diff --git a/apis/grpc_apis/ocis/messages/eventhistory/v0/grpc.md b/apis/grpc_apis/ocis/messages/eventhistory/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.eventhistory.v0"
 url: /apis/grpc_apis/ocis_messages_eventhistory_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/messages/policies/v0/grpc.md b/apis/grpc_apis/ocis/messages/policies/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.policies.v0"
 url: /apis/grpc_apis/ocis_messages_policies_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/messages/search/v0/grpc.md b/apis/grpc_apis/ocis/messages/search/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.search.v0"
 url: /apis/grpc_apis/ocis_messages_search_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/messages/settings/v0/grpc.md b/apis/grpc_apis/ocis/messages/settings/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.settings.v0"
 url: /apis/grpc_apis/ocis_messages_settings_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/messages/store/v0/grpc.md b/apis/grpc_apis/ocis/messages/store/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.store.v0"
 url: /apis/grpc_apis/ocis_messages_store_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/messages/thumbnails/v0/grpc.md b/apis/grpc_apis/ocis/messages/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.thumbnails.v0"
 url: /apis/grpc_apis/ocis_messages_thumbnails_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/eventhistory/v0/grpc.md b/apis/grpc_apis/ocis/services/eventhistory/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.eventhistory.v0"
 url: /apis/grpc_apis/ocis_services_eventhistory_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/policies/v0/grpc.md b/apis/grpc_apis/ocis/services/policies/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.policies.v0"
 url: /apis/grpc_apis/ocis_services_policies_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/search/v0/grpc.md b/apis/grpc_apis/ocis/services/search/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.search.v0"
 url: /apis/grpc_apis/ocis_services_search_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/settings/v0/grpc.md b/apis/grpc_apis/ocis/services/settings/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.settings.v0"
 url: /apis/grpc_apis/ocis_services_settings_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/store/v0/grpc.md b/apis/grpc_apis/ocis/services/store/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.store.v0"
 url: /apis/grpc_apis/ocis_services_store_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/apis/grpc_apis/ocis/services/thumbnails/v0/grpc.md b/apis/grpc_apis/ocis/services/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.thumbnails.v0"
 url: /apis/grpc_apis/ocis_services_thumbnails_v0
-date: 2024-03-07T08:06:41Z
+date: 2024-03-07T10:21:33Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/ocis/flow-docs/login-flow.md b/ocis/flow-docs/login-flow.md
@@ -22,63 +22,38 @@ sequenceDiagram
     participant client as Client
     participant proxy as ocis-proxy
     participant idp as IdP
-    participant glauth as ocis-glauth
-    participant graph as ocis-graph
-    participant accounts as ocis-accounts
-    participant ldap as external LDAP server
+    participant idm as LibreIDM
+    participant ldap as External User Directory
 
     user->>+client: What is the content of my home?
-
         client->>+proxy: PROPFIND <br> no (or expired) auth
         Note over client,proxy: ocis needs to know the IdP that is<br>used to authenticate users. The<br>proxy will redirect unauthenticated<br>requests to that IdP.
-        proxy-->>-client: 302 Found
-        Note over client, idp: HTTP/1.1 302 Found<br>Location: https://server.example.com/authorize?<br>response_type=code&<br>scope=openid%20profile%20email<br>&client_id=s6BhdRkqt3<br>&state=af0ifjsldkj<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
-
-        Note over client, idp: We should follow the OpenID Connect Discovery protocol
-        Note over client, idp: Clients might fall back to the ocis server if the discovery failed.<br>We can provide a webfinger endpoint there to let guests use an idp<br>that is backed by the accounts service.
-        Note over client, idp: For now, clients can only handle one IdP, which is configured in ocis.
-
-        client-->>client: 1. Client prepares an Authentication Request<br>containing the desired request parameters.
-
-        client->>+idp: 2. Client sends the request to the Authorization Server.
-        Note over client, idp: GET /authorize?<br>response_type=code<br>&scope=openid%20profile%20email<br>&client_id=s6BhdRkqt3<br>&state=af0ifjsldkj<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1<br>Host: server.example.com
+        proxy-->>-client: 401 Unauthorized
+        client->>+proxy: 1. The client starts a new openIDConnect Flow
+        Note over client, proxy: GET /.well-known/openid-configuration
+        proxy-->>-client: Return openidConnect configuration for the IdP
+        client-->>client: 2. Client prepares an Authentication Request<br>containing the desired request parameters <br> and generates the code challenge (PKCE).
+        client->>+idp: 3. Client sends the request and the code challenge to the Authorization Server.
+        Note over client, idp: GET /authorize?<br>flow=oidc&response_type=code<br>&scope=openid%20profile%20email<br>&code_challenge=Y2SGoq9vtAp7YAavTaO0B550H_Rsj9DypiL7xZuFjOE<br>&code_challenge_method=S25&client_id=s6BhdRkqt3<br>&state=af0ifjsldkj<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1<br>Host: server.example.com
         Note over user, idp: 3. Authorization Server Authenticates the End-User.
-        Note over idp,ldap: Either an IdP already exists or a new one is introduced. Since we are not yet using oidc discovery we can only use one IdP.
-        alt all users managed by idp/ocis
-            idp->>+glauth: LDAP query/bind
-            glauth->>+graph: GET user with Basic Auth<br>GraphAPI
-            graph->>+accounts: internal GRPC
-            accounts-->>-graph: response
-            graph-->>-glauth: OData response
-            glauth-->>-idp: LDAP result
-            Note over accounts,ldap: In case internal users are managed<br>in an external ldap they have to be<br>synced to the accounts service to<br>show up as recipients during sharing.
+        alt all users managed by idp/ocis idm
+            idp->>+idm: LDAP query/bind
+            idm-->>-idp: LDAP result
+            Note over idp,ldap: In case  users are managed<br>in an external ldap they have to be<br> autoprovisioned in the ocis IdM<br> when they are loggin in.
         else all users authenticated by an external idp
-            idp->>+ldap: LDAP query/bind
-            ldap-->>-idp: LDAP result
-            alt guest accounts managed in ocis / lookup using glauth proxy:
-                Note over idp,glauth: Idp is configured to use glauth as a<br>second ldap server.
-                idp->>+glauth: LDAP query/bind
-                glauth->>+graph: GET user with Basic Auth<br>GraphAPI
-                graph->>+accounts: internal GRPC
-                accounts-->>-graph: response
-                graph-->>-glauth: OData response
-                glauth-->>-idp: LDAP result
-            else guest account provisioned by other means
-                Note over accounts, ldap: In case guest accounts are managed<br>in an existing ldap they need to be<br>synced to the accounts service to<br>be able to login and show up as<br>recipients during sharing.
-            end
+            idp->>+ldap: Lookup of the user in the directory
+            ldap-->>-idp: Lookup result
         end
-        Note over user, idp: 4. Authorization Server obtains End-User Consent/Authorization.
-        idp-->>-client: 5. Authorization Server sends the End-User back<br>to the Client with an Authorization Code.
+        idp-->>-user: Idp presents the user an authentication prompt.
+        user->>+idp: 5. User authenticates and gives consent.
+        idp-->>-client: 6. Authorization Server sends the End-User back<br>to the Client with an Authorization Code.
         Note over client, idp: HTTP/1.1 302 Found<br>Location: https://client.example.org/cb?<br>code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
-
-        client->>+idp: 6. Client requests a response using the<br>Authorization Code at the Token Endpoint.
-        Note over client, idp: POST /token HTTP/1.1<br>Host: server.example.com<br>Content-Type: application/x-www-form-urlencoded<br>grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA<br>&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
-        idp-->>-client: 7. Client receives a response that contains an<br>ID Token and Access Token in the response body.
+        client->>+idp: 7. Client requests a response using the<br>Authorization Code and the code verifier at the Token Endpoint.
+        Note over client, idp: POST /token HTTP/1.1<br>Host: server.example.com<br>Content-Type: application/x-www-form-urlencoded<br>grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA<br>&redirect_uri=https%3A%2F%2Fclient.example.org<br>&code_verifier=a98ccbe253754259963e6e2b67b5a044929446d7a15046cc8e3194022ad061d9d667dce91876418d9e6fe9f54819332e
+        idp->>+idp: 8. IdP checks the code verifier (PKCE)
+        idp-->>-client: 9. Client receives a response that contains an<br>ID Token and Access Token in the response body. <br>If offline access is requested, the client also receives a refresh token.
         Note over client, idp:  HTTP/1.1 200 OK<br>Content-Type: application/json<br>Cache-Control: no-store<br>Pragma: no-cache<br>{<br>"access_token": "SlAV32hkKG",<br>"token_type": "Bearer",<br>"refresh_token": "8xLOxBtZp8",<br>"expires_in": 3600,<br>"id_token": "a ... b.c ... d.e ... f" // must be a JWT<br>}
-
-
-        client-->>client: 8. Client validates the ID token and<br>retrieves the End-User's Subject Identifier.
-
+        client-->>client: 10. Client validates the ID token and<br>retrieves the End-User's Subject Identifier.
         client->>+proxy: PROPFIND <br> With access token
         proxy-->>-client: 207 Multi-Status
     client-->>-user: List of Files X, Y, Z ...

diff --git a/services/_includes/adoc/antivirus_configvars.adoc b/services/_includes/adoc/antivirus_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the antivirus service
 [width="100%",cols="~,~,~,~",options="header"]
@@ -245,7 +245,7 @@ a| [subs=-attributes]
 The socket clamav is running on. Note the default value is an example which needs adaption according your OS.
 
 a|`ANTIVIRUS_ICAP_TIMEOUT` +
-xref:deprecation-note-2024-03-07-08-06-59[Deprecation Note]
+xref:deprecation-note-2024-03-07-10-21-53[Deprecation Note]
 a| [subs=-attributes]
 ++int64 ++
 a| [subs=-attributes]

diff --git a/services/_includes/adoc/app-provider_configvars.adoc b/services/_includes/adoc/app-provider_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the app-provider service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/app-registry_configvars.adoc b/services/_includes/adoc/app-registry_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the app-registry service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/audit_configvars.adoc b/services/_includes/adoc/audit_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the audit service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/auth-basic_configvars.adoc b/services/_includes/adoc/auth-basic_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the auth-basic service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/auth-bearer_configvars.adoc b/services/_includes/adoc/auth-bearer_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the auth-bearer service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/auth-machine_configvars.adoc b/services/_includes/adoc/auth-machine_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the auth-machine service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/auth-service_configvars.adoc b/services/_includes/adoc/auth-service_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the auth-service service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/clientlog_configvars.adoc b/services/_includes/adoc/clientlog_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the clientlog service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/eventhistory_configvars.adoc b/services/_includes/adoc/eventhistory_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the eventhistory service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/frontend_configvars.adoc b/services/_includes/adoc/frontend_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the frontend service
 [width="100%",cols="~,~,~,~",options="header"]

diff --git a/services/_includes/adoc/gateway_configvars.adoc b/services/_includes/adoc/gateway_configvars.adoc
@@ -4,7 +4,7 @@
 
 ifeval::[{show-deprecation} == true]
 
-[#deprecation-note-2024-03-07-08-06-59]
+[#deprecation-note-2024-03-07-10-21-53]
 [caption=]
 .Deprecation notes for the gateway service
 [width="100%",cols="~,~,~,~",options="header"]