Open rosarp-gobazzinga opened 5 months ago
@saikatdas0790 @rupansh-gob
```mermaid
---
title: Auth flow with cookies
---
sequenceDiagram
autonumber
actor client as Client Device
participant ssr as SSR Backend
client->>ssr: Requests page first time
ssr-->>client: Home page loaded
client->>ssr: Requests delegated <br/> session
create participant auth as Auth Service
ssr->>auth: Makes a REST <br/> call /anonymous_identity
Note over auth: Creates Private KeyPair <br/> & Delegated Session KeyPair <br/> for a user <br/> using random seed
Note over auth: Delegated Session is <br/> valid for 30 minutes
create participant kv as Key Value Store
auth--)kv: Store User's <br/> private & <br/> session KeyPair
auth-->>ssr: Sends delegated session <br/> & (signature + pubkey) as pubkey <br/> & (signature + expiration) as expiration
Note over ssr: Cookie is set <br/> for SSR domain
ssr-->>client: Sends delegated session <br/> & sets pubkey <br/> & expiration <br/> in cookie
%% ----- OAuth2 Login Flow -----
Note over client: When client clicks on login
client->>ssr: Requests for <br/> refresh token
ssr->>auth: Sends pubkey & <br/> expiration (with signature) <br/> in REST payload <br/> to /refresh_token
Note over auth: Validates signatures of payload, <br/> Generates ULID, <br/> & associates pubkey
auth--)kv: Stores (ULID, pubkey) in kv
auth-->>ssr: Returns <br/> signature + ULID
ssr->>auth: Redirects to <br/> /{signature + ULID}
Note over auth: Validates signature
auth--)kv: Retrieves pubkey using ULID
Note over auth: Cookie is set <br/> for Auth domain
Note over auth: Sets temp cookie <br/> on auth with <br/> signature + pubkey
auth-->>client: Shows login options page
Note over client: Client clicks <br/> on google <br/> login page
client--)auth: Sends request <br/> to /google/login/url <br/> Validates signature + pubkey <br/> Returns google URL
create participant google as Google OAuth2
client->>google: Redirects to google URL
Note over google: User logs-in
google-->>auth: Redirects back <br/> with auth_code <br/> to /verify_oauth2
Note over auth: Verifies auth_code <br/> & retrieves google_id
destroy kv
auth--)kv: Associates pubkey to google_id
auth-->>ssr: Redirects to /oauth2_response_handler <br/>/{encrypted(google_id)}
ssr--)auth: REST call to <br/> /generate_session <br/>/{encrypted(google_id)} <br/> Returns delegated session
Note over auth: Verifies & retrieves pubkey <br/> generates delegated session
ssr-->>client: Receives delegated session
```
Cons of using above workflow:
@saikatdas0790 @rupansh-gob
```mermaid
---
title: Auth flow with cookies & Sync Popup/tab
---
sequenceDiagram
autonumber
actor client as Client Device
participant ssr as SSR Backend
participant auth as Auth Service
participant kv as Key Value Store
client->>ssr: Requests page first time
ssr-->>client: Home page loaded
client->>ssr: Requests delegated <br/> session
alt If cookie found
ssr->>auth: Makes a REST <br/> call /renew_identity <br/> with cookie contents <br/> in POST payload
alt if valid payload
auth--)kv: Fetch KeyPair from pubkey
Note over auth: Re-Generate Delegated <br/> session for this pubkey
else if invalid payload
Note over auth: GoTo /anonymous_identity
end
else if cookie not found [anonymous_identity]
ssr->>auth: Makes a REST <br/> call /anonymous_identity
Note over auth: Creates Private KeyPair <br/> & Delegated Session KeyPair <br/> for a user <br/> using random seed
Note over auth: Delegated Session is <br/> valid for 30 minutes
end
auth--)kv: Store User's <br/> private & <br/> session KeyPair
auth-->>ssr: Sends delegated session <br/> & (signature + pubkey) as pubkey <br/> & (signature + expiration) as expiration
Note over ssr: Cookie is set <br/> for SSR domain
ssr-->>client: Sends delegated session <br/> & sets pubkey <br/> & expiration <br/> in cookie
%% ----- OAuth2 Login Flow -----
Note over client: When client clicks on login
client--)ssr: GET auth URL [auth]/{cookie_serialized}
client->>auth: Opens popup with /{cookie_serialized}
Note over auth: Validates signature <br/> & sets Auth domain cookie
auth-->>client: Shows login options page
Note over client: Client clicks <br/> on google <br/> login page
client--)auth: Sends request <br/> to /login/url/google <br/> Validates signature + pubkey <br/> Returns google URL
create participant google as Google OAuth2
client->>google: Redirects to google URL
Note over google: User logs-in
destroy google
google-->>auth: Redirects back <br/> with auth_code <br/> to /verify_oauth2
Note over auth: Verifies auth_code <br/> & retrieves google_id
destroy kv
auth--)kv: Associates pubkey to google_id
Note over auth: Generates delegated session
auth-->>client: Sends postMessage <br/> to opener window (ssr) <br/> with delegated session
auth-->>auth: Closes the popup
```
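Both diagrams rest on the same cookie: the Auth Service hands the SSR backend `(signature + pubkey)` and `(signature + expiration)`, the SSR sets them in a cookie, and later the cookie contents are posted back (to `/refresh_token` in the first diagram, `/renew_identity` in the second) where the signatures are validated before a delegated session is re-generated for that pubkey, falling back to `/anonymous_identity` otherwise. The following is an added example written for this issue, not code from the thread or from the project. It assumes HMAC-SHA256 with a server-side secret as a stand-in for the unspecified signature scheme, a cookie lifetime of 30 days (the diagrams only state the 30-minute delegated-session lifetime), a plain dict in place of the Key Value Store, random hex strings as placeholders for the real key pairs, and the hypothetical names `AuthService`, `anonymous_identity`, `renew_identity` and `demo`.

```python
import base64
import hashlib
import hmac
import secrets
import time

# The 30-minute delegated session comes from the diagrams; the cookie lifetime
# is an assumption, since the diagrams do not state it.
SESSION_TTL_SECONDS = 30 * 60
COOKIE_TTL_SECONDS = 30 * 24 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


class AuthService:
    """Hypothetical stand-in for the Auth Service: issues and renews identities."""

    def __init__(self, signing_key: bytes, kv: dict, now=time.time):
        self._key = signing_key   # server-side secret, never sent to the client
        self.kv = kv              # stands in for the Key Value Store
        self._now = now           # injectable clock so expiry can be exercised

    def _sign(self, label: str, value: str) -> str:
        # HMAC-SHA256 stands in for the diagrams' unspecified signature scheme.
        # The label domain-separates the two signatures, so a pubkey signature
        # cannot be presented where an expiration signature is expected.
        msg = f"{label}:{value}".encode()
        return _b64(hmac.new(self._key, msg, hashlib.sha256).digest())

    def _verify(self, label: str, value: str, sig: str) -> bool:
        # constant-time comparison of the recomputed tag against the presented one
        return hmac.compare_digest(self._sign(label, value), sig)

    def _issue(self, pubkey: str) -> dict:
        # Builds what the Auth Service returns to the SSR: the delegated session
        # plus the (signature + pubkey) and (signature + expiration) cookie values.
        now = int(self._now())
        expiration = str(now + COOKIE_TTL_SECONDS)
        return {
            "delegated_session": {"pubkey": pubkey, "expires_at": now + SESSION_TTL_SECONDS},
            "cookie": {
                "pubkey": pubkey,
                "pubkey_sig": self._sign("pubkey", pubkey),
                "expiration": expiration,
                "expiration_sig": self._sign("expiration", expiration),
            },
        }

    def anonymous_identity(self) -> dict:
        # /anonymous_identity: new key pairs from a random seed (constructed
        # placeholders here), stored in kv under the pubkey.
        pubkey = secrets.token_hex(32)
        self.kv[pubkey] = {"private_keypair": secrets.token_hex(32), "google_id": None}
        return self._issue(pubkey)

    def renew_identity(self, cookie: dict) -> tuple:
        """/renew_identity: returns (response, path) where path is 'renewed' or
        'anonymous_identity', the fallback the diagram's 'invalid payload' branch takes."""
        try:
            pubkey = str(cookie["pubkey"])
            expiration = str(cookie["expiration"])
            valid = (
                self._verify("pubkey", pubkey, str(cookie["pubkey_sig"]))
                and self._verify("expiration", expiration, str(cookie["expiration_sig"]))
                and int(expiration) > int(self._now())   # reject an expired cookie
                and pubkey in self.kv                    # "Fetch KeyPair from pubkey"
            )
        except (KeyError, TypeError, ValueError):
            valid = False   # malformed payload is treated exactly like a bad signature
        if not valid:
            return self.anonymous_identity(), "anonymous_identity"
        return self._issue(pubkey), "renewed"


def demo(now: int = 1_700_000_000) -> dict:
    """Runs the first-visit, renewal, tampered-cookie and expired-cookie paths
    against a fixed clock and returns what each path produced."""
    clock = {"t": now}
    auth = AuthService(b"constructed-server-secret", kv={}, now=lambda: clock["t"])
    first = auth.anonymous_identity()
    cookie = first["cookie"]

    clock["t"] += 45 * 60   # delegated session (30 min) has lapsed, cookie has not
    renewed, renewed_path = auth.renew_identity(cookie)

    tampered = dict(cookie, pubkey="00" * 32)   # pubkey changed, signature no longer matches
    fallback, tampered_path = auth.renew_identity(tampered)

    clock["t"] = now + COOKIE_TTL_SECONDS + 1   # the cookie itself has expired
    _, expired_path = auth.renew_identity(cookie)

    return {
        "same_identity": renewed["delegated_session"]["pubkey"] == cookie["pubkey"],
        "renewed_path": renewed_path,
        "tampered_path": tampered_path,
        "tampered_got_new_identity": fallback["cookie"]["pubkey"] != cookie["pubkey"],
        "expired_path": expired_path,
        "kv_entries": len(auth.kv),
    }


if __name__ == "__main__":
    print(demo())
```

The renewal path deliberately recomputes the delegated session from the stored pubkey rather than trusting anything else in the cookie, and every failure (bad signature, expired cookie, unknown pubkey, malformed payload) collapses into the same `/anonymous_identity` fallback the second diagram draws, so a client cannot learn from the response which check it failed.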