Open the following diagram syntax with http://montypan.github.io/GYT/sequence.html
Browser -> RP : GET /authorize
RP -> Browser : 302 Redirect to OP authz EP
Browser -> OP : GET /<Provider>/authorize/endpoint
Note Right of OP : Check session; if no session exists ...
OP -> Browser : 302 Redirect to login
Browser -> OP : GET /<Provider>/login/endpoint
OP -> Browser : 200 Login page
Note over Browser,OP : User types account / password
Browser -> OP : POST credentials /<Provider>/login/endpoint
OP -> Browser : 200 Consent page
Note over Browser,OP : User is asked to authorize the RP
Browser -> OP : POST consent /<Provider>/authz/endpoint
OP -> Browser : 302 Redirect to RP callback
Browser -> RP : GET /client/callback
RP -> OP : POST /<Provider>/token/endpoint
OP -> RP : 200 Response with tokens
RP -> Browser : 200 Response with home page
RP -> OP : GET /<Provider>/user/info
OP -> RP : 200 Response
Reference links:
- [OpenID Connect flow](https://docs.axway.com/u/documentation/api_gateway/7.5.1/webhelp_portal_oauth/Content/OAuthGuideTopics/OpenidImport/openid_flow.htm)
- Authorization code grant (or web server) flow
Questions:
- Client app login: after login completes there is no redirect
  - Improve this by hiding an iframe in the login page
- Client app logout: logging out of the client app redirects to the client app's login page
  - If the user then tries to open a restricted resource of the client app, they find they are in fact already logged in, because of the login page's background behaviour
- Global logout: use a single logout page that performs the client app's logout and the OP's logout (session destroy) separately
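The following is an added example, not part of the original notes: an in-memory Python simulation of the Browser / RP / OP exchange from the diagram above, followed by the two logout variants raised in the questions. It shows why a client-app-only logout leaves the OP session alive (the next authorize request silently re-authenticates without a password), while a global logout destroys both sessions. The endpoint behaviour, the consent step being folded into the authorize call, the plain-dict stand-in for the ID token and all names (`OP`, `RP`, `browser_login`, the `alice` account) are assumptions made for this demo.

```python
"""Added example: simulated OIDC authorization code flow with local vs global logout."""
import secrets
from dataclasses import dataclass, field


@dataclass
class OP:
    """Identity provider: holds login sessions, issued codes and a demo user (constructed)."""
    sessions: dict = field(default_factory=dict)  # op_cookie -> username
    codes: dict = field(default_factory=dict)     # code -> (username, nonce, redirect_uri)
    users: dict = field(default_factory=lambda: {"alice": "correct horse"})

    def authorize(self, op_cookie, redirect_uri, state, nonce):
        """GET /authorize: no OP session -> redirect to login; otherwise issue a code.
        The consent page is assumed already accepted to keep the demo short."""
        user = self.sessions.get(op_cookie)
        if user is None:
            return "302 login", None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, nonce, redirect_uri)
        return "302 callback", {"code": code, "state": state}

    def login(self, username, password):
        """POST credentials: on success create an OP session cookie, else None."""
        if self.users.get(username) != password:
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def token(self, code, redirect_uri):
        """POST /token: the code is single-use and bound to the redirect_uri."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[2] != redirect_uri:
            return None
        user, nonce, _ = entry
        # A real OP returns a signed JWT here; a dict stands in for it.
        return {"access_token": secrets.token_urlsafe(16),
                "id_token": {"sub": user, "nonce": nonce}}

    def logout(self, op_cookie):
        """OP-side session destroy (the second half of a global logout)."""
        self.sessions.pop(op_cookie, None)


@dataclass
class RP:
    """Relying party (client app): tracks pending state/nonce and its own sessions."""
    op: OP
    redirect_uri: str = "https://rp.example/client/callback"  # assumed callback URL
    sessions: dict = field(default_factory=dict)  # rp_cookie -> subject
    pending: dict = field(default_factory=dict)   # state -> nonce

    def start_login(self):
        """Create fresh state (CSRF binding) and nonce (ID-token binding)."""
        state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
        self.pending[state] = nonce
        return state, nonce

    def callback(self, code, state):
        """GET /client/callback: check state, exchange the code, check the nonce."""
        nonce = self.pending.pop(state, None)
        if nonce is None:
            raise ValueError("unknown state: possible CSRF or replay")
        tokens = self.op.token(code, self.redirect_uri)
        if tokens is None or tokens["id_token"]["nonce"] != nonce:
            raise ValueError("token exchange failed or nonce mismatch")
        rp_cookie = secrets.token_urlsafe(16)
        self.sessions[rp_cookie] = tokens["id_token"]["sub"]
        return rp_cookie

    def logout_local(self, rp_cookie):
        """Client-app-only logout: the OP session is untouched."""
        self.sessions.pop(rp_cookie, None)


def browser_login(rp, op, op_cookie=None, username="alice", password="correct horse"):
    """Walk the diagram once. Returns (rp_cookie, op_cookie, password_was_asked)."""
    state, nonce = rp.start_login()
    status, params = op.authorize(op_cookie, rp.redirect_uri, state, nonce)
    asked = False
    if status == "302 login":
        op_cookie = op.login(username, password)
        if op_cookie is None:
            raise ValueError("login failed")
        asked = True
        status, params = op.authorize(op_cookie, rp.redirect_uri, state, nonce)
    rp_cookie = rp.callback(params["code"], params["state"])
    return rp_cookie, op_cookie, asked


def local_logout_then_revisit(rp, op):
    """Logout at the RP only: the OP still has a session, so no password is asked again."""
    rp_cookie, op_cookie, first = browser_login(rp, op)
    rp.logout_local(rp_cookie)
    _, _, second = browser_login(rp, op, op_cookie)
    return first, second  # (True, False)


def global_logout_then_revisit(rp, op):
    """Logout at the RP and the OP: the next visit must authenticate again."""
    rp_cookie, op_cookie, first = browser_login(rp, op)
    rp.logout_local(rp_cookie)
    op.logout(op_cookie)
    _, _, second = browser_login(rp, op, op_cookie)
    return first, second  # (True, True)


if __name__ == "__main__":
    op = OP()
    print("local logout, password asked on revisit:", local_logout_then_revisit(RP(op), op))
    op = OP()
    print("global logout, password asked on revisit:", global_logout_then_revisit(RP(op), op))
```

The `(True, False)` result of `local_logout_then_revisit` is exactly the behaviour described in the questions above: the client app session is gone, but the OP session answers the next authorize request without interaction. `global_logout_then_revisit` returns `(True, True)` because the OP session was destroyed as well. The RP checks `state` before exchanging the code and `nonce` after it, and the OP makes each code single-use and bound to the registered `redirect_uri`; those are the checks a real RP/OP pair should perform at the same points in the diagram.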