Forked from adaptive-shield-matrix/1. basic flow with auth code and access token
Last active
February 1, 2021 10:24
-
-
Save mikomatic/22fec0e46cc3d31018197b941b934c6d to your computer and use it in GitHub Desktop.
OAuth 2.0 / OpenID Connect flow diagrams. Build it by http://www.plantuml.com/plantuml/uml/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@startuml OAuth basic flow with auth code and access token | |
skinparam monochrome true | |
skinparam defaultFontSize 14 | |
' plantuml: https://plantuml.com/sequence-diagram | |
' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9 | |
title OAuth basic flow with auth code and access token | |
actor "You/Browser" as b | |
participant "slack.com" as s | |
participant "account.google.com" as a | |
participant "drive.google.com" as d | |
b -> s: 1. I would like to access my files on Google Drive via your interface. | |
s -> b: 2. You should apply the "Authorization Code" from Google for me first. | |
b -> a: 3. I would like to permit slack.com to access my files. | |
a -> b: 4. Are you sure? | |
b -> a: 5. [Y] | |
a -> b: 6. Okay. Here is the "Authorization Code." Plz give it back to slack.com now. | |
b -> s: 7. You can do what I asked now \n(with the Authorization Code which is just received from Google.) | |
s -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token." | |
a -> s: 9. Your Access Token here. | |
s -> d: 10. I would like to read files which belong to one of my customers. Here is the Access Token. | |
d -> s: 11. Hmmm...the Access Token is vaild. Here is list of files you asked. | |
s -> b: 12. Grant succeed. You can see your files stored in Google Drive! | |
@enduml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
```plantuml | |
@startuml OAuth introduce roles | |
skinparam defaultFontSize 14 | |
title OAuth Authorization Code Flow For Webapps | |
actor "ResourceOwner/User-Agent" as r | |
participant "Client/App" as c | |
participant AuthorizationServer as a | |
participant ResourceServer as s | |
r -[#blue]> c: 1. I would like to access my resources on Resource Server via your interface. | |
c -[#blue]> r: 2. Hang on while i generate a new secret and hash it \n2-bis Please go to authorization server and grant be access, take this hash with you ( apply "Authorization Code" from Authorization Server) | |
r -[#blue]> a: 3. I would like to permit the Client to access my resources. (with Auth Code) | |
a -[#blue]-> r: 4. Are you sure? | |
r -[#blue]-> a: 5. [Y] | |
a -[#blue]> r: 6. Okay. Here is the temporary "Authorization Code." Plz give it back to Client now. | |
r -[#blue]> c: 7. You can do what I asked now. (With the Authorization Code which is just received from the Authorization Server) | |
c -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token." (with plain text secret) | |
a -> c: 9. Your Access Token here. | |
c -> s: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. | |
s -> c: 11. Hmmm...the Access Token is vaild. Here are resources you asked. | |
c -> r: 12. Grant succeed. You can access your resources located in Resource Server from me now! | |
@enduml | |
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@startuml OAuth introduce protocol messages | |
skinparam defaultFontSize 14 | |
title OAuth introduce protocol messages | |
actor "ResourceOwner/User-Agent" as r | |
participant "Client/App" as c | |
participant AuthorizationServer as a | |
participant ResourceServer as s | |
r -[#blue]> c: 1. (Start the procedure by calling the client specific request.) | |
c -[#blue]> r: 2. HTTP 302: Redirect to the "Authorization Code Request"\n scope=[specific_scope]&redirect_uri=[client_callback]\n&client_id=[client_id]&response_type=code&state=foobar | |
r -[#blue]> a: 3. Call "Authorization Request" URL with parameters listed above. | |
a -[#blue]-> r: 4. Whould you like to permit [specific_scope] for [client]? | |
r -[#blue]-> a: 5. [Y] | |
a -[#blue]> r: 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar | |
r -[#blue]> c: 7. Call [client_callback] URL with parameters listed above. | |
c -> a: 8. Call "Access Token Request" URL with parameters:\n code=[authorization_code]&client_id=[client_id]\n&client_secret=[client_secret]&grant_type=authorization_code | |
a -> c: 9. HTTP 200 with the [access_token] | |
c -> s: 10. Call resource specific API with the header: {Authorization: Bearer [access_token]} | |
s -> c: 11. HTTP 200 with protected resources | |
c -> r: 12. (Show grant succeed and protected resources.) | |
@enduml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@startuml | |
skinparam defaultFontSize 14 | |
title OAuth Authorization Code Flow - OpenID | |
actor r as r | |
participant "Client/App" as c | |
participant AuthorizationServer as a | |
participant ResourceServer as s | |
r -[#blue]> c: 1. (Start the procedure by calling the c specific request.) | |
c -[#blue]> r: 2. HTTP 302: Redirect to the "Authorization Code Request" URL with parameters:\n scope="profile <color:red>openid</color>"&redirect_uri=[c_callback]&c_id=[c_id]&response_type=code&state=foobar | |
r -[#blue]> a: 3. Call "Authorization Request" URL with parameters listed above. | |
a -[#blue]-> r: 4. Whould you like to permit "<color:red>openid</color>, profile" for [c]? | |
r -[#blue]-> a: 5. [Y] | |
a -[#blue]> r: 6. HTTP 302: Redirect to the [c_callback] URL with parameters: code=[authorization_code]&state=foobar | |
r -[#blue]> c: 7. Call [c_callback] URL with parameters listed above. | |
c -> a: 8. Call <color:red>"Access Token / ID Token Request"</color> URL with parameters:\n code=[authorization_code]&c_id=[c_id]&c_secret=[c_secret]&grant_type=authorization_code | |
a -> c: 9. HTTP 200 with the [access_token, <color:red>id_token</color>] | |
c -> s: <color:red>10. Call userInfo endpoint with the header: {Authorization: Bearer [access_token]} | |
s -> c: <color:red>11. HTTP 200 with more detailed user information. | |
c -> r: <color:red>12. (Login succeed.) | |
@enduml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment