Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save mikomatic/22fec0e46cc3d31018197b941b934c6d to your computer and use it in GitHub Desktop.
Save mikomatic/22fec0e46cc3d31018197b941b934c6d to your computer and use it in GitHub Desktop.
OAuth 2.0 / OpenID Connect flow diagrams. Build it by http://www.plantuml.com/plantuml/uml/
@startuml OAuth basic flow with auth code and access token
skinparam monochrome true
skinparam defaultFontSize 14
' plantuml: https://plantuml.com/sequence-diagram
' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9
title OAuth basic flow with auth code and access token
actor "You/Browser" as b
participant "slack.com" as s
participant "account.google.com" as a
participant "drive.google.com" as d
b -> s: 1. I would like to access my files on Google Drive via your interface.
s -> b: 2. You should apply the "Authorization Code" from Google for me first.
b -> a: 3. I would like to permit slack.com to access my files.
a -> b: 4. Are you sure?
b -> a: 5. [Y]
a -> b: 6. Okay. Here is the "Authorization Code." Plz give it back to slack.com now.
b -> s: 7. You can do what I asked now \n(with the Authorization Code which is just received from Google.)
s -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token."
a -> s: 9. Your Access Token here.
s -> d: 10. I would like to read files which belong to one of my customers. Here is the Access Token.
d -> s: 11. Hmmm...the Access Token is vaild. Here is list of files you asked.
s -> b: 12. Grant succeed. You can see your files stored in Google Drive!
@enduml
```plantuml
@startuml OAuth introduce roles
skinparam defaultFontSize 14
title OAuth Authorization Code Flow For Webapps
actor "ResourceOwner/User-Agent" as r
participant "Client/App" as c
participant AuthorizationServer as a
participant ResourceServer as s
r -[#blue]> c: 1. I would like to access my resources on Resource Server via your interface.
c -[#blue]> r: 2. Hang on while i generate a new secret and hash it \n2-bis Please go to authorization server and grant be access, take this hash with you ( apply "Authorization Code" from Authorization Server)
r -[#blue]> a: 3. I would like to permit the Client to access my resources. (with Auth Code)
a -[#blue]-> r: 4. Are you sure?
r -[#blue]-> a: 5. [Y]
a -[#blue]> r: 6. Okay. Here is the temporary "Authorization Code." Plz give it back to Client now.
r -[#blue]> c: 7. You can do what I asked now. (With the Authorization Code which is just received from the Authorization Server)
c -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token." (with plain text secret)
a -> c: 9. Your Access Token here.
c -> s: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token.
s -> c: 11. Hmmm...the Access Token is vaild. Here are resources you asked.
c -> r: 12. Grant succeed. You can access your resources located in Resource Server from me now!
@enduml
```
@startuml OAuth introduce protocol messages
skinparam defaultFontSize 14
title OAuth introduce protocol messages
actor "ResourceOwner/User-Agent" as r
participant "Client/App" as c
participant AuthorizationServer as a
participant ResourceServer as s
r -[#blue]> c: 1. (Start the procedure by calling the client specific request.)
c -[#blue]> r: 2. HTTP 302: Redirect to the "Authorization Code Request"\n scope=[specific_scope]&redirect_uri=[client_callback]\n&client_id=[client_id]&response_type=code&state=foobar
r -[#blue]> a: 3. Call "Authorization Request" URL with parameters listed above.
a -[#blue]-> r: 4. Whould you like to permit [specific_scope] for [client]?
r -[#blue]-> a: 5. [Y]
a -[#blue]> r: 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar
r -[#blue]> c: 7. Call [client_callback] URL with parameters listed above.
c -> a: 8. Call "Access Token Request" URL with parameters:\n code=[authorization_code]&client_id=[client_id]\n&client_secret=[client_secret]&grant_type=authorization_code
a -> c: 9. HTTP 200 with the [access_token]
c -> s: 10. Call resource specific API with the header: {Authorization: Bearer [access_token]}
s -> c: 11. HTTP 200 with protected resources
c -> r: 12. (Show grant succeed and protected resources.)
@enduml
@startuml
skinparam defaultFontSize 14
title OAuth Authorization Code Flow - OpenID
actor r as r
participant "Client/App" as c
participant AuthorizationServer as a
participant ResourceServer as s
r -[#blue]> c: 1. (Start the procedure by calling the c specific request.)
c -[#blue]> r: 2. HTTP 302: Redirect to the "Authorization Code Request" URL with parameters:\n scope="profile <color:red>openid</color>"&redirect_uri=[c_callback]&c_id=[c_id]&response_type=code&state=foobar
r -[#blue]> a: 3. Call "Authorization Request" URL with parameters listed above.
a -[#blue]-> r: 4. Whould you like to permit "<color:red>openid</color>, profile" for [c]?
r -[#blue]-> a: 5. [Y]
a -[#blue]> r: 6. HTTP 302: Redirect to the [c_callback] URL with parameters: code=[authorization_code]&state=foobar
r -[#blue]> c: 7. Call [c_callback] URL with parameters listed above.
c -> a: 8. Call <color:red>"Access Token / ID Token Request"</color> URL with parameters:\n code=[authorization_code]&c_id=[c_id]&c_secret=[c_secret]&grant_type=authorization_code
a -> c: 9. HTTP 200 with the [access_token, <color:red>id_token</color>]
c -> s: <color:red>10. Call userInfo endpoint with the header: {Authorization: Bearer [access_token]}
s -> c: <color:red>11. HTTP 200 with more detailed user information.
c -> r: <color:red>12. (Login succeed.)
@enduml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment