C4Context
Person(usuario, "User", "Doctors and Employees")
Person_Ext(paciente, "Patient", "Clinics patient")
System(sistemas, "Systems", "Feegow systems")
System_Ext(externo, "External Providers", "Other identity providers or social networks")
Boundary(sso, "Feegow Single Sign-On Service - SSO") {
Container(oidc, "OIDC Service", "", "OpenID and Single Sign-On server")
Container(auth, "Authorization Service", "", "Authorize and Manage Roles and Permissions")
Container(social, "Identity Providers Broker", "", "Social Login, OpenID Connect or SAML")
Container(adminconsole, "Admin Console and API", "", "Identity and Access Management")
ContainerDb(bd, "Auth Database", "", "MySQL Storage for user identities")
Rel(usuario, oidc, "Log in to the Feegow realm")
UpdateRelStyle(usuario, oidc, $offsetY="-40", $offsetX="-80")
Rel(paciente, oidc, "Log in to Private realms")
UpdateRelStyle(paciente, oidc, $offsetY="-40", $offsetX="80")
Rel(sistemas, auth, "Request authorization")
UpdateRelStyle(sistemas, auth, $offsetY="-40", $offsetX="60")
Rel(sistemas, adminconsole, "Consumes")
UpdateRelStyle(sistemas, adminconsole, $offsetY="-70", $offsetX="-90")
BiRel(social, externo, "Authenticate")
UpdateRelStyle(social, externo, $offsetY="-20", $offsetX="0")
}
Last active
June 12, 2024 13:34
Feegow SSO Authentication
sequenceDiagram
actor User
User->>+Feegow: Login with email and password
activate Database
Feegow->>Database: Valid email and password?
Database->>Feegow: Authenticated user (opens the session)
deactivate Database
activate SSO Server
Feegow->>SSO Server: Request user access tokens
Note right of SSO Server: OAuth grant type: password
SSO Server->>Feegow: Return Access Token and Refresh Token
Feegow->>User: Authenticated user
Feegow-->>SSO Server: XHR request opening a Single Sign-On session on the frontend.
deactivate Feegow
deactivate SSO Server
(with automatic user migration)
sequenceDiagram
actor User
User->>Feegow: Login with email and password
activate Feegow
activate Database
Feegow->>Database: Valid email and password?
Database->>Feegow: Authenticated user (opens the session)
activate SSO Server
Feegow->>SSO Server: Request the client token for Feegow client
Note right of SSO Server: OAuth grant type: client_credentials
SSO Server->>Feegow: Returns the client's token
Feegow->>SSO Server: Register the user with the entered password
SSO Server->>Feegow: Returns the SSO user ID
Feegow->>Database: Save the user ID (AuthIdentityID field)
deactivate Database
Feegow->>SSO Server: Register a group for the user license
SSO Server->>Feegow: Returns the SSO group ID
Feegow->>SSO Server: Associate the user with the license group
Feegow->>SSO Server: Request user access tokens
Note right of SSO Server: OAuth grant type: password
SSO Server->>Feegow: Returns user Access Token and Refresh Token
Feegow->>User: User authenticated
Feegow-->>SSO Server: Frontend makes an XHR request by opening a Single Sign-On session.
deactivate Feegow
deactivate SSO Server
sequenceDiagram
actor U as Collaborator (browser)
participant A as Feegow Admin
participant S as SSO Server
participant F as Feegow
U->>A: Request Access to a License
activate A
A->>A: Retrieves License Master user
A->>S: Request Feegow Admin client token
activate S
Note right of S: OAuth grant type: client_credentials
S->>A: Returns the client's token
A->>S: Fetch the requested user ID
S->>A: Returns User ID
deactivate S
A->>U: Returns the impersonation request parameters
deactivate A
activate U
U-->>S: Makes a request for impersonation of the requested user
S-->>U: Returns Cookies required for Single Sign-On login
Note right of U: User authenticated in SSO
U-->>F: Redirects to Feegow with URL /main/oauth/?impersonation=1
deactivate U
activate F
rect rgba(0, 0, 255, .1)
Note over S,F: Runs the OAuth2 Authorization Code Flow
F-->>S: Redirects requesting an authorization code
activate S
S-->>F: Returns an authorization code
F->>S: Request an access token with authorization code
S->>F: Returns an access token
deactivate S
F->>F: Run the LoginPadrao flow
end
F->>U: User authenticated in Feegow
deactivate F
sequenceDiagram
actor U as User (browser)
participant A as Application
participant S as SSO Server
U->>A: Access the application
activate A
A-->>S: Redirects requesting an authorization code
activate S
U->>S: Inform the user and password
S-->>S: Validate and Authorize access
S->>A: Redirects returning an authorization code
A->>S: Request an access token with authorization code
S->>A: Returns an access token
deactivate S
A->>U: User authenticated
deactivate A
sequenceDiagram
participant C as Client Application
participant D as Resource Service<br>(API)
participant S as SSO Server
Note over C: Authenticated user
C->>D: Request a protected resource<br>by passing the JWT access token
activate D
D->>D: Validates token format and validity
D->>S: Requests the RSA public key used to sign tokens
activate S
S->>D: Returns the RSA public key
deactivate S
D-->>D: Caches the public key
D-->>D: Validates the token signature with the cached public key
D->>C: Accept/Deny access to the requested resource
deactivate D