
Authentication Sequence

billy clark edited this page Jul 4, 2016 · 5 revisions

This application uses an OAuth2-like implicit-grant style of authentication. The main difference from OAuth2 is that the UI/client generates a unique client_id for each login and sends it on the initial /auth/login request; after the SAML round trip the API returns an access_token, and on subsequent API calls the client presents the two concatenated, client_id followed by access_token, as the bearer token. The reason for this is that the redirect back to the UI carries only the access_token in its URL: a user who copies that URL after logging in and shares it with someone else has not shared the client_id half, so the URL alone is not enough to authenticate. The combination client_id+access_token therefore forms a token that is unique to both the user and the client that started the login. We chose this route to avoid a session-based (cookie) authentication mechanism that could be susceptible to CSRF.

Below is a web sequence diagram to help illustrate this:

Sequence-diagram source used to generate it:

title Authentication Sequence

participant UI
participant API
participant SAML

UI -> UI: Click Login
UI -> API: Redirect to GET /auth/login?client_id=example123
API -> UI: Redirect to SAML with SAMLRequest
UI -> SAML: GET with SAMLRequest
SAML -> SAML: User login
SAML -> UI: Redirect to API with SAMLResponse
UI -> API: POST /auth/login?SAMLResponse=...
API -> API: Generate access_token
API -> UI: Redirect to UI with ?access_token=another123
UI -> API: Authorization: Bearer example123another123
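The paragraph and diagram above, modelled end to end as an added example. This is illustration code written for this page, not the project's own UI or API code. It assumes that the API correlates the returned SAMLResponse with the client_id that started the login by passing the client_id through the SAML RelayState (the wiki does not say how this correlation is done), that the API keys its session table by a hash of the full client_id+access_token string, and that the IdP is a constructed stand-in that performs no real SAML signing or validation. Hostnames, the user store and the SAMLRequest/SAMLResponse contents are constructed.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _digest(bearer: str) -> str:
    # Sessions are keyed by a hash of the full bearer, so the server's
    # session table never stores the usable credential itself (assumption).
    return hashlib.sha256(bearer.encode()).hexdigest()


class UIClient:
    """Browser-side half: a fresh client_id per login, kept in memory, never in a URL."""
    def __init__(self):
        self.client_id = None
        self.access_token = None

    def start_login(self) -> str:
        self.client_id = secrets.token_hex(16)  # unique per login attempt
        return "/auth/login?" + urlencode({"client_id": self.client_id})

    def receive_redirect(self, url: str) -> None:
        # API -> UI: Redirect to UI with ?access_token=...
        self.access_token = parse_qs(urlparse(url).query)["access_token"][0]

    def bearer(self) -> str:
        # client_id becomes the first part of the token sent to the API
        return self.client_id + self.access_token


class FakeSAMLIdP:
    """Constructed stand-in for the SAML identity provider; does no real SAML."""
    def __init__(self, users: dict):
        self.users = users

    def login(self, saml_request: str, relay_state: str, username: str, password: str):
        if self.users.get(username) != password:
            return None
        # Constructed SAMLResponse: an opaque blob naming the user, echoed with RelayState.
        return {"SAMLResponse": "resp:" + username, "RelayState": relay_state}


class APIServer:
    IDP_URL = "https://idp.example/sso"  # assumed hostname

    def __init__(self, ui_url: str = "https://ui.example/"):
        self.ui_url = ui_url
        self._pending = set()  # client_ids with a login in flight
        self._sessions = {}    # sha256(client_id + access_token) -> username

    def get_auth_login(self, client_id: str) -> str:
        # GET /auth/login?client_id=...  ->  redirect to the IdP with a SAMLRequest.
        # Assumption: client_id rides in RelayState so the API can correlate the response.
        self._pending.add(client_id)
        return self.IDP_URL + "?" + urlencode(
            {"SAMLRequest": "req:" + secrets.token_hex(8), "RelayState": client_id})

    def post_auth_login(self, saml_response: str, relay_state: str) -> str:
        # POST /auth/login with the SAMLResponse  ->  generate access_token, redirect to UI.
        client_id = relay_state
        if client_id not in self._pending:
            raise PermissionError("SAMLResponse for a login this API did not start")
        self._pending.discard(client_id)
        kind, _, username = saml_response.partition(":")
        if kind != "resp" or not username:  # real code verifies the assertion signature here
            raise PermissionError("invalid SAMLResponse")
        access_token = secrets.token_urlsafe(32)
        # Bind the token to the client that started the login: only the pair is a session.
        self._sessions[_digest(client_id + access_token)] = username
        return self.ui_url + "?" + urlencode({"access_token": access_token})

    def authenticate(self, authorization_header: str):
        # Authorization: Bearer <client_id><access_token>
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        return self._sessions.get(_digest(token))


def run_flow(username: str = "alice", password: str = "correct horse"):
    """Drive the sequence from the diagram and report what each candidate token buys."""
    idp = FakeSAMLIdP({"alice": "correct horse"})  # constructed user store
    api = APIServer()
    ui = UIClient()

    login_url = ui.start_login()                                   # UI -> API
    client_id = parse_qs(urlparse(login_url).query)["client_id"][0]
    idp_url = api.get_auth_login(client_id)                        # API -> UI -> SAML
    idp_qs = parse_qs(urlparse(idp_url).query)
    resp = idp.login(idp_qs["SAMLRequest"][0], idp_qs["RelayState"][0], username, password)
    if resp is None:                                               # SAML login failed
        return None
    ui.receive_redirect(api.post_auth_login(resp["SAMLResponse"], resp["RelayState"]))

    return {
        "full_bearer": api.authenticate("Bearer " + ui.bearer()),
        "copied_url_only": api.authenticate("Bearer " + ui.access_token),
        "other_client": api.authenticate("Bearer " + secrets.token_hex(16) + ui.access_token),
    }
```

Running run_flow() shows the property the page relies on: the full client_id+access_token bearer resolves to the user, while the access_token copied from the redirect URL, with or without a different client_id in front of it, resolves to nothing. The pair is still a bearer credential, so anyone who obtains both halves (for example from a captured API request) can use it; the scheme only stops the redirect URL on its own from being sufficient.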