Forked from hrchu/1. basic flow with auth code and access token
Last active October 14, 2021 09:12
Gist: adaptive-shield-matrix/1ffd07f3dfa446b8d4a09bd991766126
Revisions
adaptive-shield-matrix renamed this gist
Nov 10, 2020. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
adaptive-shield-matrix revised this gist
Nov 10, 2020. 5 changed files with 111 additions and 60 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,15 +1,27 @@ @startuml OAuth basic flow with auth code and access token skinparam monochrome true skinparam defaultFontSize 14 ' plantuml: https://plantuml.com/sequence-diagram ' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9 title OAuth basic flow with auth code and access token actor "You/Browser" as b participant "slack.com" as s participant "account.google.com" as a participant "drive.google.com" as d b -> s: 1. I would like to access my files on Google Drive via your interface. s -> b: 2. You should apply the "Authorization Code" from Google for me first. b -> a: 3. I would like to permit slack.com to access my files. a -> b: 4. Are you sure? b -> a: 5. [Y] a -> b: 6. Okay. Here is the "Authorization Code." Plz give it back to slack.com now. b -> s: 7. You can do what I asked now \n(with the Authorization Code which is just received from Google.) s -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token." a -> s: 9. Your Access Token here. s -> d: 10. I would like to read files which belong to one of my customers. Here is the Access Token. d -> s: 11. Hmmm...the Access Token is vaild. Here is list of files you asked. s -> b: 12. Grant succeed. You can see your files stored in Google Drive! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
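Review bot: step 11 still reads "the Access Token is vaild" and step 12 "Grant succeed"; since this revision already rewrites every line of the file to introduce the participant aliases (`b`, `s`, `a`, `d`), fix the spelling to "valid" and "Grant succeeded" in the same pass, and "Here is list of files you asked" should read "Here is the list of files you asked for". The new `' source:` comment is a good addition because the file otherwise carries no attribution to the gist it was forked from.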
@@ -1,15 +1,27 @@ @startuml OAuth introduce roles skinparam monochrome true skinparam defaultFontSize 14 ' plantuml: https://plantuml.com/sequence-diagram ' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9 title OAuth introduce roles actor "ResourceOwner/User-Agent" as r participant Client as c participant AuthorizationServer as a participant ResourceServer as s r -> c: 1. I would like to access my resources on Resource Server via your interface. c -> r: 2. You should apply the "Authorization Code" from Authorization Server for me first. r -> a: 3. I would like to permit the Client to access my resources. a -> r: 4. Are you sure? r -> a: 5. [Y] a -> r: 6. Okay. Here is the "Authorization Code." Plz give it back to Client now. r -> c: 7. You can do what I asked now. (With the Authorization Code which is just received from the Authorization Server) c -> a: 8. I would like to exchange the "Authorization Code" for the "Access Token." a -> c: 9. Your Access Token here. c -> s: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. s -> c: 11. Hmmm...the Access Token is vaild. Here are resources you asked. c -> r: 12. Grant succeed. You can access your resources located in Resource Server from me now! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -1,15 +1,27 @@ @startuml OAuth introduce protocol messages skinparam monochrome true skinparam defaultFontSize 14 ' plantuml: https://plantuml.com/sequence-diagram ' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9 title OAuth introduce protocol messages actor "ResourceOwner/User-Agent" as r participant Client as c participant AuthorizationServer as a participant ResourceServer as s r -> c: 1. (Start the procedure by calling the client specific request.) c -> r: 2. HTTP 302: Redirect to the "Authorization Code Request"\n scope=[specific_scope]&redirect_uri=[client_callback]\n&client_id=[client_id]&response_type=code&state=foobar r -> a: 3. Call "Authorization Request" URL with parameters listed above. a -> r: 4. Whould you like to permit [specific_scope] for [client]? r -> a: 5. [Y] a -> r: 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar r -> c: 7. Call [client_callback] URL with parameters listed above. c -> a: 8. Call "Access Token Request" URL with parameters:\n code=[authorization_code]&client_id=[client_id]\n&client_secret=[client_secret]&grant_type=authorization_code a -> c: 9. HTTP 200 with the [access_token] c -> s: 10. Call resource specific API with the header: {Authorization: Bearer [access_token]} s -> c: 11. HTTP 200 with protected resources c -> r: 12. (Show grant succeed and protected resources.) @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
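Review bot: step 2 sends the constant `state=foobar` and step 7 only says "Call [client_callback] URL with parameters listed above", so nothing in the diagram shows the client comparing the `state` it receives with the one it issued; that comparison is the whole reason `state` exists (it binds the callback to the authorization request this session started), so use a per-request placeholder such as `state=[random_state]` in steps 2 and 6 and add the check to step 7 before the code is exchanged. Step 8 also omits `redirect_uri` from the token request although step 2 included it in the authorization request; RFC 6749 section 4.1.3 requires the token request to carry the same `redirect_uri` so the authorization server can verify the match, so add `&redirect_uri=[client_callback]` to the step 8 parameter list (the Apr 25, 2019 draft further down this page still had it). Typo: "Whould" in step 4.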
@@ -1,15 +1,26 @@ @startuml OAuth introduce openid connect skinparam monochrome true skinparam defaultFontSize 14 ' plantuml: https://plantuml.com/sequence-diagram ' source: https://gist.github.com/hrchu/d88efb56e72534a1233d16f36eb3e3e9 title OAuth introduce openid connect actor "ResourceOwner/User-Agent" as r participant AuthorizationServer as a participant Client as c participant ResourceServer as s r -> c: 1. (Start the procedure by calling the client specific request.) c -> r: 2. HTTP 302: Redirect to the "Authorization Code Request" URL with parameters:\n scope="profile <color:red>openid</color>"&redirect_uri=[client_callback]&client_id=[client_id]&response_type=code&state=foobar r -> a: 3. Call "Authorization Request" URL with parameters listed above. a -> r: 4. Whould you like to permit "<color:red>openid</color>, profile" for [client]? r -> a: 5. [Y] a -> r: 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar r -> c: 7. Call [client_callback] URL with parameters listed above. c -> a: 8. Call <color:red>"Access Token / ID Token Request"</color> URL with parameters:\n code=[authorization_code]&client_id=[client_id]&client_secret=[client_secret]&grant_type=authorization_code a -> c: 9. HTTP 200 with the [access_token, <color:red>id_token</color>] c -> s: <color:red>10. Call userInfo endpoint with the header: {Authorization: Bearer [access_token]} s -> c: <color:red>11. HTTP 200 with more detailed user information. c -> r: <color:red>12. (Login succeed.) @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
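Review bot: step 9 returns an `id_token`, but the diagram goes from the userInfo call in steps 10 and 11 straight to "12. (Login succeed.)" without showing the client validating the ID Token (signature against the provider's published keys, `iss`, `aud` equal to [client_id], `exp`), which is the step that makes the login trustworthy; add that validation to step 9 or 10 so the red-marked OIDC additions are complete. The authorization request in step 2 also has no `nonce` parameter, which OpenID Connect uses to tie the ID Token to this particular login attempt; add `&nonce=[random_nonce]` in step 2 and mention the nonce check alongside the ID Token validation. Grammar: "(Login succeed.)" should read "(Login succeeded.)".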
@@ -0,0 +1,4 @@ Pro Tip - use vscode (IDE): https://code.visualstudio.com/ - install vscode plantuml plugin: https://github.com/qjebbs/vscode-plantuml -
hrchu revised this gist
Apr 26, 2019. 1 changed file with 3 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,7 +9,7 @@ AuthorizationServer -> "ResourceOwner/User-Agent": 6. HTTP 302: Redirect to the "ResourceOwner/User-Agent" -> Client: 7. Call [client_callback] URL with parameters listed above. Client -> AuthorizationServer: 8. Call <color:red>"Access Token / ID Token Request"</color> URL with parameters:\n code=[authorization_code]&client_id=[client_id]&client_secret=[client_secret]&grant_type=authorization_code AuthorizationServer -> Client: 9. HTTP 200 with the [access_token, <color:red>id_token</color>] Client -> ResourceServer: <color:red>10. Call userInfo endpoint with the header: {Authorization: Bearer [access_token]} ResourceServer -> Client: <color:red>11. HTTP 200 with more detailed user information. Client -> "ResourceOwner/User-Agent": <color:red>12. (Login succeed.) @enduml -
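Review bot: steps 10, 11 and 12 open `<color:red>` but never close it with `</color>`, while steps 8 and 9 in the same hunk close theirs; close the three tags so the markup is consistent and later edits do not inherit the imbalance. Changing step 10 from a resource-specific API to the userInfo endpoint is the right move for the OIDC variant, since the point of the `openid` scope is to obtain identity claims rather than arbitrary protected resources.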
hrchu revised this gist
Apr 26, 2019. 1 changed file with 15 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,15 @@ @startuml skinparam handwritten true "ResourceOwner/User-Agent" -> Client: 1. (Start the procedure by calling the client specific request.) Client -> "ResourceOwner/User-Agent": 2. HTTP 302: Redirect to the "Authorization Code Request" URL with parameters:\n scope="profile <color:red>openid</color>"&redirect_uri=[client_callback]&client_id=[client_id]&response_type=code&state=foobar "ResourceOwner/User-Agent" -> AuthorizationServer: 3. Call "Authorization Request" URL with parameters listed above. AuthorizationServer -> "ResourceOwner/User-Agent": 4. Whould you like to permit "<color:red>openid</color>, profile" for [client]? "ResourceOwner/User-Agent" -> AuthorizationServer: 5. [Y] AuthorizationServer -> "ResourceOwner/User-Agent": 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar "ResourceOwner/User-Agent" -> Client: 7. Call [client_callback] URL with parameters listed above. Client -> AuthorizationServer: 8. Call <color:red>"Access Token / ID Token Request"</color> URL with parameters:\n code=[authorization_code]&client_id=[client_id]&client_secret=[client_secret]&grant_type=authorization_code AuthorizationServer -> Client: 9. HTTP 200 with the [access_token, <color:red>id_token</color>] Client -> ResourceServer: 10. Call rsource specific API with the header: {Authorization: Bearer [access_token]} ResourceServer -> Client: 11. HTTP 200 with protected resources Client -> "ResourceOwner/User-Agent": 12. (Show grant succeed and protected resources.) @enduml -
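Review bot: step 10 has the typo "rsource specific API" (copied from the protocol-messages file of the Apr 25, 2019 revision) and step 4 has "Whould"; fix both. This file is meant to be the OpenID Connect variant and differs from the protocol-messages file only in the red-marked parts, yet step 10 still calls a resource-specific API, so the `id_token` obtained in step 9 is never used in the flow; the revision directly above on this page addresses that by switching step 10 to the userInfo endpoint.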
hrchu revised this gist
Apr 25, 2019. 3 changed files with 0 additions and 0 deletions.
File renamed without changes (three files).
hrchu revised this gist
Apr 25, 2019. 3 changed files with 0 additions and 0 deletions.
File renamed without changes (three files).
hrchu revised this gist
Apr 25, 2019. 3 changed files with 28 additions and 35 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,15 +1,15 @@ @startuml skinparam handwritten true "You/Browser" -> slack.com: 1. I would like to access my files on Google Drive via your interface. slack.com -> "You/Browser": 2. You should apply the "Authorization Code" from Google for me first. "You/Browser" -> account.google.com: 3. I would like to permit slack.com to access my files. account.google.com -> "You/Browser": 4. Are you sure? "You/Browser" -> account.google.com: 5. [Y] account.google.com -> "You/Browser": 6. Okay. Here is the "Authorization Code." Plz give it back to slack.com now. "You/Browser" -> slack.com: 7. You can do what I asked now (with the Authorization Code which is just received from Google.) slack.com -> account.google.com: 8. I would like to exchange the "Authorization Code" for the "Access Token." account.google.com -> slack.com: 9. Your Access Token here. slack.com -> drive.google.com: 10. I would like to read files which belong to one of my customers. Here is the Access Token. drive.google.com -> slack.com: 11. Hmmm...the Access Token is vaild. Here is list of files you asked. slack.com -> "You/Browser": 12. Grant succeed. You can see your files stored in Google Drive from my interface now! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -1,15 +1,15 @@ @startuml skinparam handwritten true "ResourceOwner/User-Agent" -> Client: 1. I would like to access my resources on Resource Server via your interface. Client -> "ResourceOwner/User-Agent": 2. You should apply the "Authorization Code" from Authorization Server for me first. "ResourceOwner/User-Agent" -> AuthorizationServer: 3. I would like to permit the Client to access my resources. AuthorizationServer -> "ResourceOwner/User-Agent": 4. Are you sure? "ResourceOwner/User-Agent" -> AuthorizationServer: 5. [Y] AuthorizationServer -> "ResourceOwner/User-Agent": 6. Okay. Here is the "Authorization Code." Plz give it back to Client now. "ResourceOwner/User-Agent" -> Client: 7. You can do what I asked now. (With the Authorization Code which is just received from the Authorization Server) Client -> AuthorizationServer: 8. I would like to exchange the "Authorization Code" for the "Access Token." AuthorizationServer -> Client: 9. Your Access Token here. Client -> ResourceServer: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. ResourceServer -> Client: 11. Hmmm...the Access Token is vaild. Here are resources you asked. Client -> "ResourceOwner/User-Agent": 12. Grant succeed. You can access your resources located in Resource Server from me now! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -1,22 +1,15 @@ @startuml skinparam handwritten true "ResourceOwner/User-Agent" -> Client: 1. (Start the procedure by calling the client specific request.) Client -> "ResourceOwner/User-Agent": 2. HTTP 302: Redirect to the "Authorization Code Request" URL with parameters:\n scope=[specific_scope]&redirect_uri=[client_callback]&client_id=[client_id]&response_type=code&state=foobar "ResourceOwner/User-Agent" -> AuthorizationServer: 3. Call "Authorization Request" URL with parameters listed above. AuthorizationServer -> "ResourceOwner/User-Agent": 4. Whould you like to permit [specific_scope] for [client]? "ResourceOwner/User-Agent" -> AuthorizationServer: 5. [Y] AuthorizationServer -> "ResourceOwner/User-Agent": 6. HTTP 302: Redirect to the [client_callback] URL with parameters: code=[authorization_code]&state=foobar "ResourceOwner/User-Agent" -> Client: 7. Call [client_callback] URL with parameters listed above. Client -> AuthorizationServer: 8. Call "Access Token Request" URL with parameters:\n code=[authorization_code]&client_id=[client_id]&client_secret=[client_secret]&grant_type=authorization_code AuthorizationServer -> Client: 9. HTTP 200 with the [access_token] Client -> ResourceServer: 10. Call rsource specific API with the header: {Authorization: Bearer [access_token]} ResourceServer -> Client: 11. HTTP 200 with protected resources Client -> "ResourceOwner/User-Agent": 12. (Show grant succeed and protected resources.) @enduml -
hrchu revised this gist
Apr 25, 2019. 1 changed file with 22 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,22 @@ @startuml skinparam handwritten true ResourceOwner -> Client: 1. (Click the botton.) Client -> ResourceOwner: 2. HTTP 302: Redirect to the "Get Authorization Code" API with parameters: scope=[Asked scope]&redirect_uri=[Client's callback] ResourceOwner -> AuthorizationServer: 3. Call Get Authorization Code API with parameters listed above. AuthorizationServer -> ResourceOwner: 4. Whould you like to permit [Asked scope] for [Client]? ResourceOwner -> AuthorizationServer: 5. [Y] AuthorizationServer -> ResourceOwner: 6. HTTP 302: Redirect to the [Client's callback URL] with parameters: code=[Authorization Code] ResourceOwner -> Client: 7. Request [Client's callback URL] with parameters listed above. Client -> AuthorizationServer: 8. I would like to exchange the "Authorization Code" for the "Access Token." Call "POST Access Token" API with parameters: code=[Authorization Code]& client_id=your_client_id& client_secret=your_client_secret& redirect_uri=https://oauth2.example.com/code& grant_type=authorization_code AuthorizationServer -> Client: 9. Your Access Token here. Client -> ResourceServer: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. ResourceServer -> Client: 11. The Access Token LGTM. Now you can access files. Client -> ResourceOwner: 12. Grant succeed. You can access your resources located in Resource Server from me now! @enduml -
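Review bot: step 2 sends `redirect_uri=[Client's callback]` as a placeholder but step 8 sends a concrete `redirect_uri=https://oauth2.example.com/code`; the two must be the same value for the token exchange to succeed, so use the one placeholder in both places. Step 6 redirects back with only `code=[Authorization Code]`; without a `state` parameter issued in step 2 and echoed here the client has no way to bind the callback to the authorization request it started, so add `state` to steps 2 and 6 (the later revisions of this file do). Typos: "Click the botton" in step 1 and "Whould" in step 4.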
hrchu revised this gist
Apr 25, 2019. 2 changed files with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,6 +10,6 @@ You -> slack.com: 7. You can do what I asked now. (With the Authorization Code w slack.com -> account.google.com: 8. I would like to exchange the "Authorization Code" for the "Access Token." account.google.com -> slack.com: 9. Your Access Token here. slack.com -> drive.google.com: 10. I would like to read files which belong to one of my customers. Here is the Access Token. drive.google.com -> slack.com: 11. Hmmm...the Access Token is vaild. Here is list of files you asked. slack.com -> You: 12. Grant succeed. You can see your files stored in Google Drive from my interface now! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,6 +10,6 @@ ResourceOwner -> Client: 7. You can do what I asked now. (With the Authorization Client -> AuthorizationServer: 8. I would like to exchange the "Authorization Code" for the "Access Token." AuthorizationServer -> Client: 9. Your Access Token here. Client -> ResourceServer: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. ResourceServer -> Client: 11. Hmmm...the Access Token is vaild. Here are resources you asked. Client -> ResourceOwner: 12. Grant succeed. You can access your resources located in Resource Server from me now! @enduml -
hrchu created this gist
Apr 25, 2019.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,15 @@ @startuml skinparam handwritten true You -> slack.com: 1. I would like to access my files on Google Drive via your interface. slack.com -> You: 2. You should apply the "Authorization Code" from Google for me first. You -> account.google.com: 3. I would like to permit slack.com to access my files. account.google.com -> You: 4. Are you sure? You -> account.google.com: 5. [Y] account.google.com -> You: 6. Okay. Here is the "Authorization Code." Plz give it back to slack.com now. You -> slack.com: 7. You can do what I asked now. (With the Authorization Code which is just received from Google) slack.com -> account.google.com: 8. I would like to exchange the "Authorization Code" for the "Access Token." account.google.com -> slack.com: 9. Your Access Token here. slack.com -> drive.google.com: 10. I would like to read files which belong to one of my customers. Here is the Access Token. drive.google.com -> slack.com: 11. The Access Token LGTM. Now you can access files. slack.com -> You: 12. Grant succeed. You can see your files stored in Google Drive from my interface now! @enduml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,15 @@ @startuml skinparam handwritten true ResourceOwner -> Client: 1. I would like to access my resources on Resource Server via your interface. Client -> ResourceOwner: 2. You should apply the "Authorization Code" from Authorization Server for me first. ResourceOwner -> AuthorizationServer: 3. I would like to permit the Client to access my resources. AuthorizationServer -> ResourceOwner: 4. Are you sure? ResourceOwner -> AuthorizationServer: 5. [Y] AuthorizationServer -> ResourceOwner: 6. Okay. Here is the "Authorization Code." Plz give it back to Client now. ResourceOwner -> Client: 7. You can do what I asked now. (With the Authorization Code which is just received from the Authorization Server) Client -> AuthorizationServer: 8. I would like to exchange the "Authorization Code" for the "Access Token." AuthorizationServer -> Client: 9. Your Access Token here. Client -> ResourceServer: 10. I would like to access resources which belong to the Resource Owner. Here is the Access Token. ResourceServer -> Client: 11. The Access Token LGTM. Now you can access files. Client -> ResourceOwner: 12. Grant succeed. You can access your resources located in Resource Server from me now! @enduml