
Add OIDC Flow Sequence Diagram to wiki or docs

Open michaelstingl opened this issue 5 years ago • 14 comments

Inspiration: https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

michaelstingl avatar Jun 03 '19 08:06 michaelstingl

This would be a great help, as the documentation is written atm. Anything that can be shared?

@pmaier1 @DeepDiver1975

mmattel avatar Feb 12 '20 16:02 mmattel

From my point of view the RFC specs hold enough flow charts which show how OpenID Connect works. I personally see no need for this.

If others need this - feel free to draw this diagram

DeepDiver1975 avatar Feb 13 '20 08:02 DeepDiver1975

@michaelstingl I updated the diagram to better reflect the Basic and Bearer auth mechanisms ... A complete diagram for ocis should be limited to OIDC only, preferably a concrete instance. Maybe we should use the new demo system to get the actual flow, then convert that into a sequence diagram.

butonic avatar Feb 17 '20 16:02 butonic

@settermjd FYI

mmattel avatar Feb 17 '20 18:02 mmattel

WiP (1)

Sequence Diagram

@startuml
title Account Setup 1/2

actor Alice as "Alice\n(Resource Owner)"
participant Client as "Desktop Client\n(Relying Party)"
participant OS
participant Browser as "Default Browser"
participant ownCloud as "ownCloud\n(Resource Server)"
participant IdP as "Kopano Konnect\n(IdP / Authorization Server)"

== Account Setup ==

Alice -> Client : enter server URL\nhttps://server/

Client -> ownCloud : GET\nhttps://server/status.php
Client <- ownCloud : 200 OK

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/webdav/
Client <- ownCloud : 401 Unauthorized\nWWW-Authenticate: Bearer realm="ownCloud"\n(and other WWW-Authenticate mechanisms, if available)

Client -> ownCloud : GET\nhttps://server/.well-known/openid-configuration

ownCloud -> IdP : GET\nhttps://idp/.well-known/openid-configuration
ownCloud <- IdP : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client <- ownCloud : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client -> OS : https://idp/signin/v1/identifier/_/authorize?\n  client_id=xdXO…&\n  redirect_uri=http://localhost:49615&\n  scope=openid offline_access email profile&…

OS -> Browser : https://idp/signin/v1/identifier/_/authorize?\n  client_id=xdXO…&\n  redirect_uri=http://localhost:49615&\n  scope=openid offline_access email profile&…

group Default Browser

Browser -> IdP : GET\nhttps://idp/signin/v1/identifier/_/authorize?\n  client_id=xdXO…&\n  redirect_uri=http://localhost:49615&\n  scope=openid offline_access email profile&…
Browser <- IdP : 302 FOUND\nLocation: https://idp/signin/v1/identifier?\n  client_id=xdXO…&\n  redirect_uri=http://localhost:49615&\n  scope=openid+offline_access+email+profile&…

Browser -> IdP : GET\nhttps://idp/signin/v1/identifier?\n  client_id=xdXO…&\n  redirect_uri=http://localhost:49615&\n  scope=openid+offline_access+email+profile&…
Browser <- IdP : 200 OK

Browser -> IdP : POST\nhttps://idp/signin/v1/identifier/_/hello\nJSON:\n{\n  "client_id": "xdXO…",\n  "redirect_uri": "http://localhost:49615",\n  "scope": "openid offline_access email profile",…\n}
Browser <- IdP : 204 NO CONTENT

Alice -> Browser : enter credentials

Browser -> IdP : POST\nhttps://idp/signin/v1/identifier/_/hello\nJSON:\n{\n  "hello": {\n    "client_id": "xdXO…",\n    "redirect_uri": "http://localhost:49615",\n    "scope": "openid offline_access email profile",…\n  },\n  "params": [\n    "alice",\n    "password",…\n  ],…\n}
Browser <- IdP : 200 OK\nJSON:\n{\n  "hello": {\n    "continue_uri": "https://idp/signin/v1/identifier/_/authorize",\n    "displayName": "Alice",\n    "username": "alice",…\n  },…\n}

Browser -> IdP : GET\nhttps://idp/signin/v1/identifier/_/authorize?\nclient_id=xdXO…&\nredirect_uri=http://localhost:49615&\nscope=openid offline_access email profile&…
Browser <- IdP : 302 FOUND\nLocation:\nhttp://localhost:49615?\n  code=s7FK…&\n  scope=openid offline_access email profile&…

Browser -> Client : GET\nhttp://localhost:49615?\ncode=s7FK…&\nscope=openid offline_access email profile&…

end
@enduml

to edit go to PlantUML

michaelstingl avatar Oct 31 '20 14:10 michaelstingl

WiP (2)

Sequence Diagram

@startuml
title Account Setup 2/2

actor Alice
participant Client as "Desktop Client"
participant OS
participant Browser as "Default Browser"
participant ownCloud
participant IdP as "Kopano Konnect (IdP)"

Client -> IdP : POST\nhttps://idp/konnect/v1/token\n-u "xdXO…:UBnt…"\nclient_id: xdXO…\nclient_secret: UBnt…\nscope: openid offline_access email profile\ngrant_type: authorization_code\ncode: s7FK…\nredirect_uri: http://localhost:49615\ncode_verifier: sHAp…
Client <- IdP : 200 OK\nJSON:\n{\n  "access_token": "eyJh…oVJ4",\n  "expires_in": 600,\n  "id_token": "eyJh…DdeI",\n  "refresh_token": "eyJh…nnys",\n  "token_type": "Bearer"\n}

Client -> ownCloud : GET\nhttps://server/ocs/v2.php/cloud/user?format=json\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 200 OK\nJSON:\n{\n  "ocs": {\n    "data": {\n      "display-name": "Alice",\n      "email": null,\n      "id": "alice"\n    },…\n  }\n}

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/webdav/\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 207 Multi-Status

Client -> ownCloud : GET\nhttps://server/ocs/v1.php/cloud/capabilities\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 200 OK

Client -> ownCloud : GET\nhttps://server/remote.php/dav/avatars/alice/128.png\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 404 Not Found

Client -> ownCloud : GET\nhttps://server/ocs/v1.php/cloud/activity\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 200 OK

Client -> ownCloud : GET\nhttps://server/ocs/v2.php/apps/notifications/api/v1/notifications\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 200 OK

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/dav/files/alice/\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 207 Multi-Status
@enduml

to edit go to PlantUML

michaelstingl avatar Oct 31 '20 14:10 michaelstingl
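The authorization request in the first diagram and the token exchange in the second carry a code_verifier, i.e. PKCE on top of the authorization code flow. As an added example (not code from this thread, the desktop client or Kopano Konnect), the block below builds the request the client hands to the browser, checks the loopback redirect, assembles the token request body and shows the verifier check the IdP performs; the discovery document, client_id and state values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document with the two endpoints from the diagram.
DISCOVERY = json.loads('{"authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",'
                       ' "token_endpoint": "https://idp/konnect/v1/token"}')
SCOPE = "openid offline_access email profile"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """RFC 7636 code_verifier: 43 unreserved characters from 32 random bytes."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """The URL the client hands to the OS / default browser (the 'Client -> OS' step)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": SCOPE, "state": state,
              "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)

def code_from_redirect(request_url: str, expected_state: str) -> str:
    """Parse the loopback redirect (Browser -> Client on http://localhost:49615)."""
    q = parse_qs(urlparse(request_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not initiated by this client")
    return q["code"][0]

def token_request(client_id: str, code: str, redirect_uri: str, verifier: str) -> dict:
    """Form body for the POST to token_endpoint (client credentials go in the -u header)."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}

def idp_accepts_verifier(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Authorization-server side: the verifier must reproduce the challenge sent earlier."""
    return stored_method == "S256" and hmac.compare_digest(s256_challenge(verifier), stored_challenge)
```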

WiP (3)

Sequence Diagram

@startuml
title Access Token Refresh

actor Alice
participant Client as "Desktop Client"
participant OS
participant Browser as "Default Browser"
participant ownCloud
participant IdP as "Kopano Konnect (IdP)"

...5 minutes later...

== Access Token Refresh ==

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/dav/files/alice/\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 207 Multi-Status

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/dav/files/alice/\n- H "Authorization: Bearer eyJh…oVJ4"
Client <- ownCloud : 401 Unauthorized

Client -> ownCloud : GET\nhttps://server/.well-known/openid-configuration

ownCloud -> IdP : GET\nhttps://idp/.well-known/openid-configuration
ownCloud <- IdP : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client <- ownCloud : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client -> IdP : POST\nhttps://idp/konnect/v1/token\n-u "xdXO…:UBnt…"\nclient_id: xdXO…\nclient_secret: UBnt…\nscope: openid offline_access email profile\ngrant_type: refresh_token\nrefresh_token: eyJh…458c
Client <- IdP : 200 OK\nJSON:\n{\n  "access_token": "eyJh…52tk",\n  "expires_in": 600,\n  "token_type": "Bearer"\n}

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/dav/files/alice/\n- H "Authorization: Bearer eyJh…52tk"
Client <- ownCloud : 207 Multi-Status
@enduml

to edit go to PlantUML

michaelstingl avatar Oct 31 '20 23:10 michaelstingl

WiP (4)

Sequence Diagram

@startuml
title Desktop Client Restart

actor Alice
participant Client as "Desktop Client"
participant OS
participant Browser as "Default Browser"
participant ownCloud
participant IdP as "Kopano Konnect (IdP)"

== Desktop Client Restart ==

Client -> ownCloud : GET\nhttps://server/.well-known/openid-configuration

ownCloud -> IdP : GET\nhttps://idp/.well-known/openid-configuration
ownCloud <- IdP : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client <- ownCloud : 200 OK\nJSON:\n  "authorization_endpoint": "https://idp/signin/v1/identifier/_/authorize",\n  "token_endpoint": "https://idp/konnect/v1/token"

Client -> IdP : POST\nhttps://idp/konnect/v1/token\n-u "xdXO…:UBnt…"\nclient_id: xdXO…\nclient_secret: UBnt…\nscope: openid offline_access email profile\ngrant_type: refresh_token\nrefresh_token: eyJh…458c
Client <- IdP : 200 OK\nJSON:\n{\n  "access_token": "eyJh…l8IA",\n  "expires_in": 600,\n  "token_type": "Bearer"\n}

Client -> ownCloud : GET\nhttps://server/status.php\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 200 OK

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/webdav/\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 207 Multi-Status

Client -> ownCloud : GET\nhttps://server/ocs/v1.php/cloud/capabilities\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 200 OK

Client -> ownCloud : GET\nhttps://server/ocs/v2.php/cloud/user?format=json\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 200 OK\nJSON:\n{\n  "ocs": {\n    "data": {\n      "display-name": "Alice",\n      "email": null,\n      "id": "alice"\n    },…\n  }\n}

Client -> ownCloud : GET\nhttps://server/remote.php/dav/avatars/alice/128.png\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 404 Not Found

Client -> ownCloud : GET\nhttps://server/ocs/v1.php/cloud/activity\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 200 OK

Client -> ownCloud : GET\nhttps://server/ocs/v2.php/apps/notifications/api/v1/notifications\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 200 OK

Client -> ownCloud : PROPFIND\nhttps://server/remote.php/dav/files/alice/\n- H "Authorization: Bearer eyJh…l8IA"
Client <- ownCloud : 207 Multi-Status
@enduml

to edit go to PlantUML

michaelstingl avatar Oct 31 '20 23:10 michaelstingl

I highly recommend adding these images to the docs! The startuml definition including the plantuml link can be added as additional files at the image file location!

mmattel avatar Nov 02 '20 08:11 mmattel

Shall we move this to the docs repo?

DeepDiver1975 avatar Nov 02 '20 08:11 DeepDiver1975

@DeepDiver1975 I want to clarify some terms:

  • actor Alice as "Alice (Resource Owner)"
  • participant Client as "Desktop Client (Relying Party)"
  • participant OS
  • participant Browser as "Default Browser"
  • participant ownCloud as "ownCloud (Resource Server)"
  • participant IdP as "Kopano Konnect (IdP / Authorization Server)"

Is this correct? Is there also a special name for the "Default Browser" / web UI I use for login?

/cc @IljaN @TheOneRing

michaelstingl avatar Nov 02 '20 17:11 michaelstingl

  • participant ownCloud as "ownCloud **(Resource Server)**"

ownCloud server is the resource server as well as the relying party: the relying party if the user is logging in on the web frontend directly, the resource server if any client (desktop, mobile, phoenix) is sending an access token to the server.

The rest looks good.

Regarding the internal flow between the ownCloud server (as resource server) and the IdP:

  • a request with an unknown/not-yet-seen access token arrives (access tokens are stored in redis)
  • the token is verified to be valid:
    • if it is a JWT: the IdP's JWK is used
    • if not: the IdP's token introspection endpoint is used
  • the expiry of the token is verified:
    • if JWT: read from it
    • if not: use data from the token introspection
  • user information is read from the token/IdP:
    • via the user info endpoint
    • from the JWT itself
  • based on config the user is looked up in ownCloud's user backends (a given claim from the user info is matched with userid or email)
  • expiry and user id are stored together with the token in redis

DeepDiver1975 avatar Nov 03 '20 08:11 DeepDiver1975
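The server-side flow listed in the comment above, written out as an added example that is not taken from the ownCloud code base: the token cache, the IdP key (HS256 with a shared key standing in for the IdP's JWK set), the user backend and the introspection responses are constructed stand-ins, and all function names are my own.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-ins (example only): the real server keeps this cache in redis, verifies
# JWTs against the IdP's JWK set and calls the IdP's introspection endpoint over HTTPS.
IDP_KEY = b"constructed-demo-key"
USER_BACKEND = {"alice": {"email": "alice@example.org"}}  # ownCloud user backend
CONFIG = {"claim": "email", "match": "email"}            # claim matched to userid|email
TOKEN_CACHE = {}    # token -> {"uid", "exp"}; redis in the real deployment
INTROSPECTION = {}  # opaque token -> introspection response (filled by the caller)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict) -> str:
    """IdP stand-in: issue an HS256 JWT (Konnect really signs with its JWK key)."""
    body = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
    return body + "." + b64url(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def verify_jwt(token: str):
    """Check the signature with the IdP key; return the claims or None."""
    try:
        head, payload, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return None  # reject 'alg' substitution, e.g. none
        expected = hmac.new(IDP_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        return json.loads(unb64url(payload)) if hmac.compare_digest(expected, unb64url(sig)) else None
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None

def lookup_user(claims: dict):
    """Match the configured claim against userid or email in the user backend."""
    value = claims.get(CONFIG["claim"])
    for uid, attrs in USER_BACKEND.items():
        if value is not None and value == (uid if CONFIG["match"] == "userid" else attrs["email"]):
            return uid
    return None

def authenticate_bearer(token: str, now: float = None):
    """Resolve a bearer token to an ownCloud user id, or None when it is rejected."""
    now = time.time() if now is None else now
    cached = TOKEN_CACHE.get(token)                     # 1. token already seen?
    if cached is not None:
        return cached["uid"] if cached["exp"] > now else None
    # 2. JWT: verify the signature locally; opaque token: ask the IdP's introspection endpoint
    claims = verify_jwt(token) if token.count(".") == 2 else INTROSPECTION.get(token)
    if not claims or not claims.get("active", True) or claims.get("exp", 0) <= now:
        return None                                     # 3. inactive or expired
    uid = lookup_user(claims)                           # 4. user lookup via the configured claim
    if uid is not None:
        TOKEN_CACHE[token] = {"uid": uid, "exp": claims["exp"]}  # 5. cache uid + expiry
    return uid
```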

@michaelstingl is this still in the works? No real progress as far as I can see.

voroyam avatar Mar 08 '21 23:03 voroyam

We have added a diagram with PR https://github.com/owncloud/docs/pull/4204 (Enable the OAuth code flow sequence diagram).

Please tell us if this is sufficient or if something is missing (if so, please give details).

mmattel avatar Dec 09 '21 11:12 mmattel