openid & other

docs/openid/glossary.md

@@ -0,0 +1,104 @@
+# Glossary
+
+# Oauth 
+
+## Ressource owner
+The user that will allow the app to read ressources that he/she will grant access for
+ex: the person that has a mail account
+
+## Client
+The application that is requesting the ressources to use them on the behalf of the user
+ex : a mass mailing list service to all your contacts
+
+## Authorization server
+
+The application that knows the resource owner because it has an account there
+ex: the mail server authentication service
+
+## Resource server
+
+The API that the client will use on behalf of the user
+ex : the contact list API
+
+## Redirect uri
+Url that will be used by the authorization server to send back the ressource owner to the client app after consenting to ressources access
+ex : mass mailing list "contact retrieve success/failure" page
+
+## Response type
+Response type expeted by the client, usually "code" for an authorization code
+
+## Scope
+Granular permission that the client wants
+ex: read contacts, read profile
+
+## Consent
+The auhorization server takes the scopes that the clients requests and let the ressource owner choose to acccept them or not
+ex: access to your contacts ?
+
+## Client Id
+To identify the client with the authorization server
+
+## Client secret
+Shared between authorization server and client
+
+## Authorization code
+Temporary code sent by authorization server to client
+The client then privately sends the authorization code along with the client secret to tha authorization server, in exchange for an access token
+
+## Access token
+Key the client will use to communicate withe the ressource server
+
+## Refresh token
+Token to get a new access token
+
+# OIDC
+
+## Oauth vs Oidc
+Oauth provides only a token for application access without any info on the user. OpenId adds information on the user.
+* Oauth enables an app to access ressources
+* Oidc enables an app to establish a login session and to access info about the user
+
+## End user
+Oauth Resource Owner
+
+## Relaying party
+Oauth client
+
+## Identity provider
+OIDC enabled Oauth authorization server
+
+## IdToken
+JWT token added to access token by OIDC with your identity info.
+
+## Claims
+Attributes of the Id Token
+* Subject : uid for the user 
+* Issuing Authority : url of identity provider
+* Audience : irdentifies the relying party that can use this token
+* Issue Date
+* Expiration Date
+* [Authentication Time]
+* [Nonce] : prevent replay attacks
+* [Name]
+* [Email]
+
+## Scopes
+openid is a mandatory scope
+There a are 4 openid predefined scopes :
+* profile : access to the default profile claims
+* email
+* address
+* phone
+
+## Identity provider Endpoints
+Several predefined endpoints exist on the Identity provider
+* Authorization endpoint
+* Token endpoint
+* UserInfo endpoint
+
+## Recommended authorization flows
+* Authorization code
+* Authorization code with PKCE (Proof Key for Code Exchange) : for devices
+
+## PKCE
+

docs/openid/oauth-app-requests-contacts-example.puml

@@ -0,0 +1,19 @@
+@startuml
+
+"User(ressource owner)"->"RequestingApp(client)": Select mail provider
+"RequestingApp(client)"->"User(ressource owner)": Redirect to mail provider with clientid,redirect_uri,response_type,scope
+"User(ressource owner)"->"MailProvider(authorization provider)": clientid,redirect_uri,response_type,scope
+"MailProvider(authorization provider)"->"MailProvider(authorization provider)": Active session ?
+"MailProvider(authorization provider)"-->"User(ressource owner)" : Login if no active session
+"User(ressource owner)"-->"MailProvider(authorization provider)" : Logs in
+"MailProvider(authorization provider)"->"User(ressource owner)": Asks for consent for each scope
+"User(ressource owner)"->"MailProvider(authorization provider)" : Grant or deny permission for each scope
+"MailProvider(authorization provider)"->"User(ressource owner)": Redirect to redirect_uri with authorization code
+"User(ressource owner)"->"RequestingApp(client)": Redirect to redirect_uri with authorization code
+"RequestingApp(client)"->"MailProvider(authorization provider)": Send authorization code, clientid, client_secret
+"MailProvider(authorization provider)"->"RequestingApp(client)": Send access token
+"RequestingApp(client)"->"MailProvider(resource server)": asks for contacts with access token
+"MailProvider(resource server)"->"RequestingApp(client)": Return contacts
+"RequestingApp(client)"->"User(ressource owner)": Display contacts
+
+@enduml

docs/openid/oauth2oidc-app-requests-contacts-example copy.puml

@@ -0,0 +1,19 @@
+@startuml
+
+"User(ressource owner)"->"RequestingApp(client)": Select mail provider
+"RequestingApp(client)"->"User(ressource owner)": Redirect to mail provider with clientid,redirect_uri,response_type,scope<font color=red>+"openid"
+"User(ressource owner)"->"MailProvider(authorization provider)": clientid,redirect_uri,response_type,scope
+"MailProvider(authorization provider)"->"MailProvider(authorization provider)": Active session ?
+"MailProvider(authorization provider)"-->"User(ressource owner)" : Login if no active session
+"User(ressource owner)"-->"MailProvider(authorization provider)" : Logs in
+"MailProvider(authorization provider)"->"User(ressource owner)": Asks for consent for each scope
+"User(ressource owner)"->"MailProvider(authorization provider)" : Grant or deny permission for each scope
+"MailProvider(authorization provider)"->"User(ressource owner)": Redirect to redirect_uri with authorization code
+"User(ressource owner)"->"RequestingApp(client)": Redirect to redirect_uri with authorization code
+"RequestingApp(client)"->"MailProvider(authorization provider)": Send authorization code, clientid, client_secret
+"MailProvider(authorization provider)"->"RequestingApp(client)": Send access token<font color=red>+"idtoken"
+"RequestingApp(client)"->"MailProvider(resource server)": asks for contacts with access token
+"MailProvider(resource server)"->"RequestingApp(client)": Return contacts
+"RequestingApp(client)"->"User(ressource owner)": Display contacts
+
+@enduml 

docs/openid/oidc_authcode-app-requests-contacts-example.puml

@@ -0,0 +1,25 @@
+@startuml
+title "OpenID Connect Authorization Code Flow"
+actor "End User"
+boundary "Browser"
+"Relaying party"->"Browser": Identity providers list
+"End User"->"Browser": Select identity provider
+"Browser"->"Relaying party": Identity provider clicked
+"Relaying party"->"Browser": Redirect to identity provider with clientid, state,redirect_uri,response_type,scope<font color=red>+"openid"
+"Browser"->"Authorization endpoint": clientid,state,redirect_uri,response_type,scope
+"Authorization endpoint"->"Authorization endpoint": Active session ?
+"Authorization endpoint"-->"Browser" : Login if no active session
+"End User"-->"Browser" : Fills credentials
+"Browser"-->"Authorization endpoint" : Logs in
+"Authorization endpoint"->"Browser": Form for consent for each scope
+"End User"->"Browser": Grant or deny permission for each scope
+"Browser"->"Authorization endpoint" :Selected scopes
+"Authorization endpoint"->"Browser": Redirect to redirect_uri with authorization code+state provided earlier
+"Browser"->"Relaying party": Redirect to redirect_uri with authorization code
+"Relaying party"->"Token endpoint": Send authorization code, clientid, client_secret, redirect uri (for validation)
+"Token endpoint"->"Relaying party": Send access token<font color=red>+"idtoken"
+"Relaying party"->"UserInfo endpoint": Asks for profile with access token
+"UserInfo endpoint"->"Relaying party": Return profile
+"Relaying party"->"Browser": Display profile
+
+@enduml 

docs/openid/oidc_pkce-app-requests-contacts-example.puml

@@ -0,0 +1,25 @@
+@startuml
+title "OpenID Connect Authorization Code Flow with PKCE"
+actor "End User"
+boundary "App"
+"App"->"App": Identity providers list
+"End User"->"App": Select identity provider
+"App"->"App": Identity provider clicked
+"App"->"App": Generate code verifier and challenge
+"App"->"Authorization endpoint": clientid,state,redirect_uri,response_type,scope
+"Authorization endpoint"->"Authorization endpoint": Active session ?
+"Authorization endpoint"-->"App" : Login if no active session
+"End User"-->"App" : Fills credentials
+"App"-->"Authorization endpoint" : Logs in
+"Authorization endpoint"->"App": Form for consent for each scope
+"End User"->"App": Grant or deny permission for each scope
+"App"->"Authorization endpoint" :Selected scopes
+"Authorization endpoint"->"App": Redirect to redirect_uri with authorization code+state provided earlier
+"App"->"App": Redirect to redirect_uri with authorization code
+"App"->"Token endpoint": Send authorization code, clientid, --client_secret--,<font color=blue>+"code verifier"</font> , redirect uri (for validation)
+"Token endpoint"->"App": Send access token<font color=red>+"idtoken"
+"App"->"UserInfo endpoint": Asks for profile with access token
+"UserInfo endpoint"->"App": Return profile
+"App"->"App": Display profile
+
+@enduml 

docs/openid/opencloud_openid.puml

@@ -0,0 +1,46 @@
+@startuml
+
+
+Actor User
+Node "OpenCloud 1" as OC1 {
+Agent Traefik as tfk1
+Agent Catalog as cat1
+Agent Scheduler as shed1
+Collections "OC Services" as svcs1
+Component "Auth Service" as auth1
+Component OIDC as OIDC1
+Component "Keto?" as keto1
+Component "LDAP" as ldap1
+}
+User -> tfk1:sessionId
+tfk1 ---> cat1:IdToken+AccessToken
+tfk1 ---> shed1:IdToken+AccessToken
+tfk1 ---> svcs1:IdToken+AccessToken
+tfk1 ---> auth1
+auth1 -down-> OIDC1
+auth1 -down-> keto1
+OIDC1 -down-> ldap1
+
+Node "OpenCloud 2" as OC2 {
+Agent Traefik as tfk2
+Agent Catalog as cat2
+Agent Scheduler as shed2
+Collections "OC Services" as svcs2
+Component "Auth Service" as auth2
+Component OIDC as OIDC2
+Component "Keto?" as keto2
+Component "LDAP" as ldap2
+}
+cat1 --> tfk2:IdToken+AccessToken
+tfk2 ---> cat2:IdToken+AccessToken
+tfk2 ---> shed2:IdToken+AccessToken
+tfk2 ---> svcs2:IdToken+AccessToken
+tfk2 -down-> auth2
+auth2 -down-> OIDC2
+auth2 -down-> keto2
+OIDC2 -down-> ldap2
+
+auth2 -> auth1: validate id & access user groups
+auth2 -> tfk2: moderated scopes
+
+@enduml