@Khuzha
Created August 27, 2024 21:46
SSO with OpenID Connect and OAuth 2.0
@startuml SSO with OpenID Connect and OAuth 2.0
title SSO with OpenID Connect and OAuth 2.0
actor User as user
participant "Client App" as client_app
participant "Client Backend" as client_back
participant "Authorization Page" as auth_front
participant "Authorization Server" as auth_back
participant "Resource Server" as res_back
user -> client_app: Login with S ID
activate client_app
client_app -> client_app: Generate code_verifier (for PKCE)
client_app -> client_app: Derive code_challenge \nby hashing code_verifier \nwith code_challenge_method (e.g. S256 = SHA-256)
group Client-specific
client_app -> client_back: Require SSO url
activate client_back
client_back --> client_app: Return SSO url (with client id & redirect uri)
deactivate client_back
end
client_app -> auth_front: Open S ID webview \n(response_type=code, client id, \ncode_challenge, code_challenge_method, \nscope, redirect uri)
deactivate client_app
activate auth_front
auth_front -> auth_back: Check if user is signed in
opt User is NOT signed in
auth_front -> user: Require login
activate user
user --> auth_front: Input login
deactivate user
auth_front -> auth_back: Send login
auth_front -> user: Require password
activate user
user --> auth_front: Input password
deactivate user
auth_front -> auth_back: Send password
deactivate auth_front
activate auth_back
auth_back -> auth_back: Validate password
break Password didn't match
auth_back --> auth_front: Return error
deactivate auth_back
activate auth_front
auth_front --> client_app: Redirect back with error
deactivate auth_front
activate client_app
group Client-specific
client_app --> user: Display error
deactivate client_app
end
end
note left of user: Other checks \nprobably occur here
end
auth_front <-> auth_back: Check if client id is valid
activate auth_front
auth_front -> user: Require consent
activate user
deactivate auth_front
user --> auth_front: Provide decision
deactivate user
activate auth_front
auth_front -> auth_back: Provide decision
deactivate auth_front
activate auth_back
opt User rejected authorization request
auth_back --> auth_front: Return authorization rejection
activate auth_front
auth_front --> client_app: Redirect with authorization rejection
deactivate auth_front
activate client_app
group Client-specific
client_app --> user: Display error
deactivate client_app
end
end
auth_back -> auth_back: Generate and save Authorization code
auth_back --> auth_front: Return Authorization code
deactivate auth_back
activate auth_front
auth_front --> client_app: Redirect back with Authorization code
deactivate auth_front
activate client_app
client_app -> client_back: Require authentication
deactivate client_app
activate client_back
client_back -> auth_back: Require tokens \n(grant_type=authorization_code, \nclient id, client secret, redirect uri, \nauthorization code, code_verifier)
deactivate client_back
activate auth_back
auth_back -> auth_back: Verify client's data and authorization code, \nand that code_verifier matches the stored code_challenge
auth_back -> auth_back: Generate Access token & ID token
auth_back --> client_back: Return Access token & ID token \n(jwt with at least user id)
deactivate auth_back
activate client_back
client_back -> res_back: Require user data (Access token & ID token)
deactivate client_back
activate res_back
res_back -> res_back: Verify Access token
res_back --> client_back: Return user data by user id from ID token \n(login, profile, etc.)
deactivate res_back
group Client-specific
activate client_back
client_back --> client_app: Return session
deactivate client_back
activate client_app
client_app --> user: Open app with successful login
deactivate client_app
end
@enduml
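The PKCE steps the diagram shows, as an added example that is not part of the gist: the client generates code_verifier and derives code_challenge (S256), the authorization server binds the challenge to the authorization code it issues, and at the token exchange it checks the presented code_verifier against the stored challenge and rejects a reused code. The AuthorizationServer class and its methods are a constructed stand-in, not a real server's API.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: random verifier, base64url without padding (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: challenge sent in the authorization request instead of the verifier."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method != "S256":
        raise ValueError("only S256 is supported")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the authorization server's two PKCE-relevant endpoints."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, redirect_uri, challenge, method)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        """Authorization endpoint: issue a code bound to the client's challenge."""
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: pop the code (single use), then check client data and verifier."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown or already used code
        stored_client, stored_redirect, challenge, method = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        if not VERIFIER_RE.match(code_verifier):
            return None
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected, challenge):
            return None  # verifier does not hash to the stored challenge
        return {"access_token": secrets.token_urlsafe(32), "id_token": "<constructed JWT placeholder>"}
```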