@ybon3
Last active February 7, 2017 01:29
OpenID Flows
<!doctype html>
<html>
<head>
</head>
<body>
<div>
<!-- Test login form: posts the lab account straight to the OP's Spring Security login endpoint on the LAN host -->
<form id="form3" action="http://192.168.1.21:8008/openid-connect-server-webapp/j_spring_security_check" method="POST">
<input type="text" name="j_username" value="admin" /><br/>
<input type="text" name="j_password" value="password" /><br/>
<input type="submit" value="進入系統" />
</form>
</div>
<!-- Hidden iframe that starts the RP's OpenID Connect login in the background (the "hide an iframe in the login page" idea from the notes below) -->
<iframe src="http://192.168.100.85:8080/DialysisQC/openid_connect_login" style="display:none">
</iframe>
</body>
</html>

Regular flow

Open the following text with http://montypan.github.io/GYT/sequence.html to render it:

Browser -> RP  : GET /authorize
RP -> Browser  : 302 Redirect to OP authz endpoint
Browser -> OP  : GET /<Provider>/authorize/endpoint
Note right of OP : Check session; if no session exists ...
OP -> Browser  : 302 Redirect to login
Browser -> OP  : GET /<Provider>/login/endpoint
OP -> Browser  : 200 Login page
Note over Browser,OP : User types account / password
Browser -> OP  : POST credentials to /<Provider>/login/endpoint
OP -> Browser  : 200 Consent page
Note over Browser,OP : User is asked to authorize the RP
Browser -> OP  : POST consent to /<Provider>/authz/endpoint
OP -> Browser  : 302 Redirect to RP callback
Browser -> RP  : GET /client/callback
RP -> OP : POST /<Provider>/token/endpoint
OP -> RP : 200 Response with tokens
RP -> Browser : 200 Response with home page
RP -> OP : GET /<Provider>/user/info
OP -> RP : 200 Response

refer link:

Questions:

  • Client App's Login: after the login completes there is no redirect
    • Improve this by hiding an iframe in the login page
  • Client App's Logout: log out of the client app, then redirect to the client app's login page
  • If the user then tries to access a restricted resource in the client app, they find they are in fact already logged in, because of the login page's background behaviour
  • Global Logout: use a single logout page that performs the client app's logout and the OP's logout (session destroy) separately

Load the following code into http://mdaines.github.io/viz.js/ to render it:

digraph App {
	subgraph starter {
		start [label = "嘗試進入 Foo 網站的受限資源", shape = box3d];
	}

	subgraph normal {
		check01 [label = "是否授權?", shape = diamond];
		loginPage [label = "登入畫面"];
		limitedPage [label = "受限資源頁面"];
		actInput [label = "輸入帳號密碼"];
		actOIDC [label = "選擇 OIDC"];
		check02 [label = "check session", shape = diamond];
		loginPageOIDC [label = "OIDC 登入畫面\n&\n輸入帳號密碼"];
		check03 [label = "是否曾授權?", shape = diamond];
		authzOIDC [label = "授權准許畫面"];
		redirect [label = "Redirect"];
		callBack [label = "CallBack"];
		check04 [label = "RP 向 OP 驗證"];
		build [label = "產生 Client 端對 user 的授權"];

		{rank = same; actInput; actOIDC}
	}

	//////////////////////////////////////////////////////////////////

	start -> check01;
	check01 -> loginPage [label = "否"];
	check01 -> limitedPage [label = "是"];
	loginPage -> actInput;
	loginPage -> actOIDC;
	actInput -> build [label = "驗證完成"];
	actOIDC -> check02;
	check02 -> loginPageOIDC [label = "Not Exist"];
	check02 -> check03 [label = "Exist"];
	loginPageOIDC -> check03 [label = "驗證完成"];
	check03 -> authzOIDC [label = "否"];
	check03 -> redirect [label = "是"];
	authzOIDC -> redirect [label = "准許"];
	redirect -> callBack [label = "authz code"];
	callBack -> check04 [label = "用 code 交換 ID Token, Access Token"];
	check04 -> build [label = "驗證完成"];
	build -> limitedPage;
}
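The sequence diagram above and the flowchart both describe the same authorization code flow; the notes also raise the global logout. The following in-process simulation walks that exact sequence (session check, login, consent, code, token exchange, userinfo) and adds the RP-side checks a real client must do that the diagram leaves implicit: a `state` value tied to the browser session, a single-use authorization code, and ID token validation of signature, `iss`, `aud`, `exp` and `nonce`. This is an added example, not code from the gist or from the OP/RP used in it; the hosts, client id, secrets and the HS256 shared key (standing in for a real OP's asymmetric signing key) are constructed, and each "HTTP hop" is just a method call named after the diagram step.

```python
import base64, hashlib, hmac, json, secrets, time

OP_ISSUER = "https://op.example/"                     # constructed issuer URL
CLIENT_ID = "dialysisqc"                               # constructed client id of the RP
CLIENT_SECRET = "client-secret-for-demo"               # constructed
SIGNING_SECRET = b"op-hs256-signing-secret"            # constructed; stands in for the OP's signing key
REDIRECT_URI = "https://rp.example/client/callback"    # constructed RP callback URL

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class OP:  # OpenID Provider: login, consent, authorization code, token, userinfo
    def __init__(self):
        self.users = {"admin": "password"}  # constructed lab account (same as the gist's form)
        self.sessions, self.consents, self.codes, self.access_tokens = {}, set(), {}, {}
    def login(self, username, password):  # POST credentials to /login/endpoint
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username  # the OP session cookie
        return sid
    def authorize(self, op_session, client_id, redirect_uri, state, nonce):  # GET /authorize/endpoint
        user = self.sessions.get(op_session)
        if user is None:
            return {"redirect": "/login"}  # no session: 302 Redirect to login
        if (user, client_id) not in self.consents:
            return {"consent_required": True}  # 200 Consent page
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(user=user, client_id=client_id, redirect_uri=redirect_uri, nonce=nonce)
        return {"redirect": f"{redirect_uri}?code={code}&state={state}"}  # 302 Redirect to RP callback
    def consent(self, op_session, client_id):  # POST consent to /authz/endpoint
        self.consents.add((self.sessions[op_session], client_id))
    def token(self, client_id, client_secret, code, redirect_uri):  # POST /token/endpoint
        if client_secret != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        rec = self.codes.pop(code, None)  # pop: a code can be exchanged only once
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid authorization code")
        now = int(time.time())
        claims = {"iss": OP_ISSUER, "sub": rec["user"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": rec["nonce"]}
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = rec["user"]
        return {"id_token": f"{header}.{payload}.{_b64(sig)}", "access_token": access_token}
    def userinfo(self, access_token):  # GET /user/info, authorized by the access token
        return {"sub": self.access_tokens[access_token]}
    def logout(self, op_session):  # OP-side session destroy
        self.sessions.pop(op_session, None)

def verify_id_token(jwt, expected_nonce):  # RP-side checks: signature, iss, aud, exp, nonce
    header, payload, sig = jwt.split(".")
    expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad ID token signature")
    claims = json.loads(_unb64(payload))
    if claims["iss"] != OP_ISSUER or claims["aud"] != CLIENT_ID or claims["exp"] < time.time():
        raise PermissionError("wrong issuer or audience, or token expired")
    if claims["nonce"] != expected_nonce:
        raise PermissionError("nonce mismatch")
    return claims

class RP:  # Relying party (the client app): starts the flow, validates the callback
    def __init__(self, op):
        self.op, self.pending, self.session = op, {}, None  # pending: state -> nonce
    def start_login(self):  # RP -> Browser: 302 Redirect to the OP authz endpoint
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return dict(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, state=state, nonce=nonce)
    def callback(self, code, state):  # Browser -> RP: GET /client/callback
        nonce = self.pending.pop(state, None)  # unknown or reused state is rejected (CSRF check)
        if nonce is None:
            raise PermissionError("unknown state")
        tok = self.op.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
        self.session = verify_id_token(tok["id_token"], nonce)["sub"]
        return tok["access_token"]
    def logout(self):  # RP-side session destroy
        self.session = None

def run_regular_flow():  # walk the sequence diagram once; returns (op, rp, op_session, userinfo)
    op = OP(); rp = RP(op)
    req = rp.start_login()
    op.authorize(None, **req)  # no OP session yet -> {"redirect": "/login"}
    op_session = op.login("admin", "password")
    resp = op.authorize(op_session, **req)
    if resp.get("consent_required"):
        op.consent(op_session, CLIENT_ID)
        resp = op.authorize(op_session, **req)
    query = dict(p.split("=") for p in resp["redirect"].split("?", 1)[1].split("&"))
    access_token = rp.callback(query["code"], query["state"])
    return op, rp, op_session, op.userinfo(access_token)

def global_logout(op, rp, op_session):  # the logout page from the notes: destroy both sessions
    rp.logout(); op.logout(op_session)
    return rp.session is None and op_session not in op.sessions
```

Two design points worth noting against the notes above. First, the RP keeps `state -> nonce` in its own session and pops it on the callback, so a callback that arrives without a matching pending login (for example one replayed from a hidden iframe that already completed) is refused rather than silently logging the browser in again. Second, `global_logout` shows why the logout page has to hit both sides: clearing only the RP session leaves the OP session alive, and the next `authorize` call would succeed without a password prompt, which is exactly the "already logged in" behaviour described in the notes.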