Last active
November 30, 2017 10:42
-
-
Save malys/7029fd03109adb8a4416a85931391983 to your computer and use it in GitHub Desktop.
[Keycloak diagram] http://uml.mvnsearch.org/github/ +raw url #keycloak #diagram
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @startuml | |
| autonumber | |
| title __Cluster of application__ OpenID flow | |
| box "Frontend" #Violet | |
| participant User1 | |
| end box | |
| box "Application 1" #LightBlue | |
| participant LoadBalancer | |
| participant Node1 | |
| participant Node2 | |
| end box | |
| box "Application 2" #LightGreen | |
| participant Server | |
| end box | |
| box "IDM" #Orange | |
| participant Keycloak | |
| end box | |
| Keycloak -> Keycloak: Start | |
| Node1 -> Node1: Start | |
| Node2 -> Node2: Start | |
| Server -> Server: Start | |
| alt if register-node-at-startup = true | |
| Node1 -> Keycloak: Register Node | |
| Node2 -> Keycloak: Register Node | |
| end | |
| alt if register-node-period = x | |
| loop x times | |
| Node1 -> Keycloak: Register Node | |
| Node2 -> Keycloak: Register Node | |
| end | |
| end | |
| User1 -> LoadBalancer: Login on Application 1 | |
| LoadBalancer -> Node2: User1 routed on Node2 | |
| alt authentification flow | |
| Node2 <-> Keycloak : User1 logged on Node2 | |
| ... | |
| end | |
| User1 -> Server: Login on Application 2 via SSO | |
| alt sso flow | |
| Server <-> Keycloak : User1 logged on Server | |
| ... | |
| end | |
| alt Not RESTFul (sticky session) | |
| User1 -> LoadBalancer: GET resources | |
| LoadBalancer -> Node2: User1 routed on Node2 | |
| note over Keycloak | |
| User1 is logged on Application 1 (Node2) and Application 2 | |
| end note | |
| else RESTFul | |
| User1 -> LoadBalancer: GET resources | |
| LoadBalancer -> Node1: User1 routed on Node1 | |
| alt sso flow | |
| Node1 <-> Keycloak : User1 logged on Node1 | |
| ... | |
| end | |
| note over Keycloak | |
| User1 is logged on Application 1 (Node1 & Node2) and Application 2 | |
| end note | |
| alt RESTFul: Logout all from IDM | |
| Keycloak <-> Keycloak : User1 Logout all session | |
| else RESTFul: Single Log Out (SSO) | |
| User1 -> LoadBalancer: LogOut User1 | |
| LoadBalancer <-> Node1 : LogOut User1 | |
| Node1 -> Keycloak: LogOut User1 | |
| end | |
| Keycloak <-> Keycloak : Where User1 is logged? | |
| Keycloak -> Node2: Backchannel logout | |
| Node2 -> User1: Logout from Application 1 | |
| Keycloak -> Node1: Backchannel logout | |
| Node1 -> User1: Logout from Application 1 | |
| Keycloak -> Server: Backchannel logout | |
| Server -> User1: Logout from Application 2 | |
| end | |
| @enduml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @startuml | |
| autonumber | |
| title __JSP__ OpenID flow | |
| box "Frontend" #LightBlue | |
| participant Browser | |
| end box | |
| box "JBoss" #Orange | |
| participant JBoss | |
| participant Keycloak_Adapter | |
| participant Controller | |
| participant JSP | |
| participant JBoss_REST_API | |
| end box | |
| box "IDM" #LightGreen | |
| participant Keycloak | |
| end box | |
| Browser -> JBoss : request page | |
| JBoss -> Keycloak_Adapter: filter protected resource | |
| Keycloak_Adapter -> Browser: route on login page | |
| Browser -> Keycloak: request login page | |
| Keycloak -> Browser: login page | |
| Browser -> Keycloak: login | |
| Keycloak -> Keycloak_Adapter: authentification code | |
| Keycloak_Adapter -> Keycloak: request access token | |
| Keycloak -> Keycloak_Adapter: refresh_token & access_token | |
| Keycloak_Adapter -> JBoss: Inject KeycloakSecurityContext in request scope | |
| JBoss -> JSP: display JSP | |
| JSP -> Controller: Get JSP context (access_token ...) | |
| loop x times | |
| JSP -> JBoss_REST_API : GET, POST ... resources | |
| JBoss_REST_API -> Keycloak_Adapter: Verify access_token | |
| ... | |
| alt refresh access token | |
| Keycloak_Adapter -> Keycloak: Refresh access_token with refresh_token | |
| Keycloak -> Keycloak_Adapter: access_token | |
| end | |
| end | |
| @enduml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @startuml | |
| autonumber | |
| title __Login/Logout__ OpenID flow (Javascript and Java Keycloak adapter) | |
| box "Frontend" #LightBlue | |
| participant Browser | |
| participant WebApplication | |
| end box | |
| box "Backend" #LightGreen | |
| participant Keycloak | |
| participant JBoss | |
| end box | |
| == Login == | |
| alt Not authentificated | |
| Browser -> WebApplication : request SPA | |
| activate WebApplication | |
| WebApplication -> WebApplication : check-sso | |
| WebApplication -> Browser : redirect to keycloak login page | |
| deactivate WebApplication | |
| Browser -> Keycloak : request login page | |
| note over Browser, Keycloak #lightsalmon | |
| GET:/auth/realms/myRealm/protocol/openid-connect/auth?client_id=myClient&redirect_uri=... | |
| end note | |
| Keycloak -> Browser : login page | |
| activate Keycloak | |
| Browser -> Keycloak : login | |
| note over Browser, Keycloak #lightsalmon | |
| POST:/auth/realms/myRealm/login-actions/authenticate?code=EJU0yvGC..&execution=e8ee2... | |
| username=... | |
| password=... | |
| login=Log+in | |
| end note | |
| Keycloak -> Browser: redirect SPA and authentification code (* life) | |
| deactivate Keycloak | |
| Browser -> WebApplication : request SPA | |
| note over Browser, Keycloak | |
| GET: /login?auth_callback=1&state=...&code=qO7UDCo11... | |
| end note | |
| activate WebApplication | |
| WebApplication -> WebApplication : check-sso | |
| WebApplication -> Keycloak : request access token | |
| deactivate WebApplication | |
| note over WebApplication, Keycloak #lightsalmon | |
| POST:/auth/realms/myRealm/protocol/openid-connect/token | |
| code:qO7UDCo11QxXGlmTx52KKbfCuEQ6qe9rNJmjJGAgCn8.... | |
| grant_type:authorization_code | |
| client_id:myClient | |
| redirect_uri:$JB/ | |
| end note | |
| Keycloak -> WebApplication: access token (bearer type, 3* life) + refresh token (refresh type, 6* life) | |
| note over WebApplication, Keycloak | |
| access_token:"..." | |
| expires_in:300 | |
| id_token:"..." | |
| not-before-policy:1504253098 | |
| refresh_expires_in:1800 | |
| refresh_token:"..." | |
| session_state:"06d7c627-d800-449e-b5fa-ea32ab2c7ce4" | |
| token_type:"bearer" | |
| end note | |
| end | |
| alt authentificated | |
| activate WebApplication | |
| WebApplication -> WebApplication : store bearer token | |
| WebApplication -> WebApplication : inject bearer token in the HEADER of HTTP request | |
| deactivate WebApplication | |
| == Nominal == | |
| loop x times | |
| WebApplication -> JBoss : request | |
| JBoss -> JBoss : verify signature | |
| JBoss -> WebApplication : response | |
| end | |
| == Logout == | |
| activate WebApplication | |
| WebApplication -> WebApplication : logout | |
| WebApplication -> Keycloak: logout | |
| deactivate WebApplication | |
| note over WebApplication, Keycloak #lightsalmon | |
| GET:/auth/realms/myRealm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A3001%2F | |
| end note | |
| end | |
| alt Not authentificated | |
| Keycloak -> Browser : redirect | |
| Browser -> WebApplication : request SPA | |
| end | |
| @enduml | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @startuml | |
| autonumber | |
| title __Login/Logout__ OpenID flow (Javascript and Java Keycloak adapter) | |
| box "Frontend" #LightBlue | |
| participant Browser | |
| participant WebApplication | |
| end box | |
| box "Backend" #LightGreen | |
| participant Keycloak | |
| participant JBoss | |
| end box | |
| == Login == | |
| alt Not authentificated | |
| Browser -> WebApplication : request SPA | |
| activate WebApplication | |
| WebApplication -> WebApplication : check-sso | |
| WebApplication -> Browser : redirect to keycloak login page | |
| deactivate WebApplication | |
| Browser -> Keycloak : request login page | |
| note over Browser, Keycloak #lightsalmon | |
| GET:/auth/realms/myRealm/protocol/openid-connect/auth?client_id=myClient&redirect_uri=... | |
| end note | |
| Keycloak -> Browser : login page | |
| activate Keycloak | |
| Browser -> Keycloak : login | |
| note over Browser, Keycloak #lightsalmon | |
| POST:/auth/realms/myRealm/login-actions/authenticate?code=EJU0yvGC..&execution=e8ee2... | |
| username=... | |
| password=... | |
| login=Log+in | |
| end note | |
| Keycloak -> Browser: redirect SPA and authentification code (* life) | |
| deactivate Keycloak | |
| Browser -> WebApplication : request SPA | |
| note over Browser, Keycloak | |
| GET: /login?auth_callback=1&state=...&code=qO7UDCo11... | |
| end note | |
| activate WebApplication | |
| WebApplication -> WebApplication : check-sso | |
| WebApplication -> Keycloak : request access token | |
| deactivate WebApplication | |
| note over WebApplication, Keycloak #lightsalmon | |
| POST:/auth/realms/myRealm/protocol/openid-connect/token | |
| code:qO7UDCo11QxXGlmTx52KKbfCuEQ6qe9rNJmjJGAgCn8.... | |
| grant_type:authorization_code | |
| client_id:myClient | |
| redirect_uri:$JB/ | |
| end note | |
| Keycloak -> WebApplication: access token (bearer type, 3* life) + refresh token (refresh type, 6* life) | |
| note over WebApplication, Keycloak | |
| access_token:"..." | |
| expires_in:300 | |
| id_token:"..." | |
| not-before-policy:1504253098 | |
| refresh_expires_in:1800 | |
| refresh_token:"..." | |
| session_state:"06d7c627-d800-449e-b5fa-ea32ab2c7ce4" | |
| token_type:"bearer" | |
| end note | |
| end | |
| alt authentificated | |
| activate WebApplication | |
| WebApplication -> WebApplication : store bearer token | |
| WebApplication -> WebApplication : inject bearer token in the HEADER of HTTP request | |
| deactivate WebApplication | |
| == Nominal == | |
| loop x times | |
| WebApplication -> JBoss : request | |
| JBoss -> JBoss : verify signature | |
| JBoss -> WebApplication : response | |
| end | |
| == Logout == | |
| activate WebApplication | |
| WebApplication -> WebApplication : logout | |
| WebApplication -> Keycloak: logout | |
| deactivate WebApplication | |
| note over WebApplication, Keycloak #lightsalmon | |
| GET:/auth/realms/myRealm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A3001%2F | |
| end note | |
| end | |
| alt Not authentificated | |
| Keycloak -> Browser : redirect | |
| Browser -> WebApplication : request SPA | |
| end | |
| @enduml | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment