@startuml
' Sequence diagram for an OAuth 2.0 / OIDC "identity facade" hosted in Apigee.
' The Client App only ever talks to the facade (/authorize, /callback, /token);
' the facade brokers the authorization-code exchange with the external IdP and
' issues its own (Apigee) tokens, which the Data Proxy verifies on every API call.
' Two distinct state values are in play: state(1) is the client's own value and
' is echoed back to the client unchanged; state(2) is generated by the facade for
' the leg with the IdP and consumed again at /callback.
' Blue text marks the PKCE (RFC 7636) additions on top of the plain code flow.
title "Identity facade with Apigee"
actor User as u
boundary "User Agent" as ua
entity "Client App" as b
box "Apigee API Platform" #LightBlue
entity "Identity Facade" as id
entity "Data Proxy" as nerp
end box
entity IdP as idp
participant "Backend" as backend
u -> b: User interaction
b -> b: App activity
' First call carries no valid token: the proxy rejects it before any backend call.
b -> nerp: GET /protected\n(Authorization: Bearer <access_token>)
activate nerp
nerp -> nerp: verify access token
activate nerp
deactivate nerp
' NOTE(review): "invalid_grant" is a token-endpoint error code (RFC 6749 section 5.2);
' the RFC 6750 code for a rejected bearer token at a resource is "invalid_token".
' Confirm the label matches the fault response the proxy actually returns.
nerp -> b: status code: 401\n("error": "invalid_grant")
deactivate nerp
note over u,idp: Initiate Auth Sequence
' The client presents its own client_id and state(1); the PKCE code_challenge
' is bound to this authorization request and checked again at /token below.
b -> id: GET /authorize\n(client_id, state(1), redirect_uri, response_type [code|token], scope, <font color=blue>code_challenge, code_challenge_method</font>)
activate id
id -> id: validate client_id,\nredirect_uri
activate id
deactivate id
' state and code_challenge are treated as required parameters in this design.
id -> id: control presence of state, scope <font color=blue>and code_challenge</font>
activate id
deactivate id
' Only S256 is listed as an accepted code_challenge_method, so the "plain"
' method is presumably rejected here.
id -> id: <font color=blue>control value of code_challenge_method (S256)</font> and response_type (code|token)
activate id
deactivate id
' The IdP-side client_id and connection settings come from Apigee configuration,
' so they are never exposed to the Client App.
id -> id: retrieve IdP client_id + IdP connection parameters\nfrom KVM (or PropertySet or Secret)
activate id
deactivate id
' state(2) is the facade's own state for the IdP leg. The values needed later at
' /callback (state(1), redirect_uri, code_challenge) are not shown being stored;
' "extract params from state(2)" below suggests state(2) carries or keys them.
' NOTE(review): if state(2) carries those values itself it must be integrity
' protected (signed or encrypted); if it is a lookup key, the entry should be
' single-use so a /callback cannot be replayed.
id -> id: generate state(2)
activate id
deactivate id
' Redirect the user agent to the IdP using the IdP-registered client_id and the
' facade's own callback as redirect_uri.
id --> ua: 302 -> /authorize\n(client_id [idp_client_id], state(2),\nredirect_uri [apigee_callback],\nresponse_type [code|token],\nscope)
deactivate id
note over u,idp: User Authentication
ua -> idp: GET /authorize\n(client_id [idp_client_id], state(2),\nredirect_uri [apigee_callback],\nresponse_type [code|token],\nscope)
idp -> ua: login form
u -> idp: credentials
idp -> ua: consent form
u -> idp: allow|reject
' Optional MFA step at the IdP; opaque to the facade.
opt MFA
idp->u: challenge
u->idp: challenge response
end
idp --> ua: 302 -> /callback\n(code [idp authorization code], state(2))
note over u,idp: Token Issuance
ua -> id: GET /callback\n(code [idp authorization code], state(2))
activate id
' NOTE(review): besides presence, state(2) should be recognised as one the facade
' issued and not yet consumed; the diagram does not spell that check out.
id -> id: control presence of state and code
activate id
deactivate id
id -> id: extract params from state(2)
activate id
deactivate id
' The IdP authorization code is held by the facade; the code returned to the
' client on the next step is presumably the facade's own, exchanged with the IdP
' only after the client proves possession of the code_verifier at /token.
id -> id: import external authorization code
activate id
deactivate id
' Back to the client's original redirect_uri with the client's own state(1).
id --> b: 302 /callback [using redirect_uri]\n(code, state(1))
deactivate id
' Only the response_type=code path is drawn from here on. The token (implicit)
' response_type offered at /authorize has no token-issuance leg in this diagram,
' and PKCE does not apply to it.
note over b,idp: response_type=code (i.e. auth code grant type)
b ->> id: POST /token\n(code,\nclient credentials,\ngrant_type [authorization_code],\nredirect_uri,\n<font color=blue>code_verifier</font>)
activate id
id -> id: validate client credentials, redirect_uri, grant_type
activate id
deactivate id
' PKCE check: the code_verifier presented now must hash to the code_challenge
' received at /authorize, binding the code exchange to the party that started
' the flow.
id -> id: <font color=blue>verify pkce code_verifier: base64url(sha256(code_verifier)) == code_challenge</font>
activate id
deactivate id
id -> id: control presence and value of authorization code
activate id
deactivate id
id -> id: retrieve IdP client\ncredentials + IdP connection parameters from KVM (or PropertySet or Secret)
activate id
deactivate id
' Back-channel exchange with the IdP using the facade's IdP credentials; the
' user agent is not involved.
id -> idp: POST /token\n(w/ IdP client credentials, code)
activate id
idp -> id: access_token, refresh_token,\nid_token, expires_in
deactivate id
' JWKS fetch is drawn on every token call; the cache step below suggests later
' calls may be served from cache. NOTE(review): confirm the cache is refreshed
' when a token arrives with an unknown kid.
id -> idp: GET /certs\n(JWKS keys)
activate id
idp -> id: return latest JWKS keys
deactivate id
id -> id: cache JWKS keys
activate id
deactivate id
' id_token validated against the IdP's keys; which claims are enforced
' (issuer, audience, expiry) is not shown here.
id -> id: validate id_token (JWT validation + JWKS)
activate id
deactivate id
' Facade-issued tokens inherit the IdP's expires_in; the IdP tokens are kept
' server-side as attributes of the Apigee token instead of going to the client.
id -> id: generate new access and refresh token using expires_in\n(attach IdP tokens as custom attributes)
activate id
deactivate id
' Optional: re-mint an id_token signed by Apigee instead of forwarding the IdP's.
opt
id -> id: generate new id_token,\nsign using Apigee private key,\nput Apigee access token in JWT
activate id
deactivate id
end
id -> b: 200 OK \n(apigee_tokens, state(1))
deactivate id
' Steady-state API call with a facade-issued access token.
note over u,backend: token use
u -> b: User interaction
b -> b: App activity
b ->> nerp: GET /protected\n(Authorization: Bearer <access_token>)
activate nerp
nerp -> nerp: verify access token
activate nerp
deactivate nerp
nerp -> nerp: extract id_token/user info
activate nerp
deactivate nerp
nerp -> nerp: request processing
activate nerp
deactivate nerp
' Identity data is forwarded by the proxy; the backend performs its own
' id_token validation (next step) rather than relying on the proxy's check
' for fine-grained authorization.
nerp -> backend: id_token/user info transmitted
activate nerp
backend -> backend: validate id_token \n+ fine grained \nauthorization (user)\n+ execute business logic
backend -> nerp: 200 OK
deactivate nerp
nerp -> nerp: response processing
activate nerp
deactivate nerp
nerp -> b: 200 OK
deactivate nerp
' Expired access token: the proxy rejects it, the client uses the refresh grant
' at the facade, and the facade refreshes with the IdP in turn.
note over u,backend: refresh token use
opt Refresh Token
u -> b: User interaction
b -> b: App activity
b -> nerp: GET /protected\n(Authorization: Bearer <access_token>)
activate nerp
nerp -> nerp: verify access token
activate nerp
deactivate nerp
' NOTE(review): "access_token_expired" is not an RFC 6750 error code either
' ("invalid_token" would be); acceptable if it mirrors the proxy's fault string,
' but clients then need to handle both 401 variants shown in this diagram.
nerp -> b: status code: 401\n("error": "access_token_expired")
deactivate nerp
' Refresh grant: client credentials are required again; no PKCE parameters are
' involved on this grant.
b ->> id: POST /token\n(refresh_token,\nclient credentials,\ngrant_type [refresh_token],\nredirect_uri)
activate id
id -> id: validate client credentials, redirect_uri, grant_type
activate id
deactivate id
id -> id: control presence and value of refresh token
activate id
deactivate id
id -> id: retrieve IdP client\ncredentials + IdP connection parameters from KVM (or PropertySet or Secret)
activate id
deactivate id
' The IdP refresh_token stored with the Apigee token is used for the IdP refresh.
id -> idp: POST /token\n(w/ IdP client credentials, refresh_token)
activate id
idp -> id: access_token, refresh_token,\nid_token, expires_in
deactivate id
id -> idp: GET /certs\n(JWKS keys)
activate id
idp -> id: return latest JWKS keys
deactivate id
id -> id: cache JWKS keys
activate id
deactivate id
id -> id: validate id_token (JWT validation + JWKS)
activate id
deactivate id
' Same re-issuance as in the authorization-code leg above.
id -> id: generate new access and refresh token using expires_in\n(attach IdP tokens as custom attributes)
activate id
deactivate id
opt
id -> id: generate new id_token,\nsign using Apigee private key,\nput Apigee access token in JWT
activate id
deactivate id
end
id -> b: 200 OK \n(apigee_tokens, state(1))
deactivate id
end
@enduml