Authentication Server

OAuth2 Authorization Code Flow

The applications pepAssessor and pepLogon use the Authorization Code Flow of OAuth2 (RFC6749) , with PKCE (RFC7636) to communicate with the authserver. This is described in the following sequence diagram:

sequenceDiagram box User device participant PEP Client participant Browser end participant Authserver participant Keyserver PEP Client->>PEP Client:Generate random Code Verifier <br />and Code Challenge = sha256(code verifier) PEP Client->>Browser:Open https://auth.example.com/auth?<br />client_id=123&redirect_uri=http://127.0.0.1:16515/&<br />code_challenge=<<code_challenge>>&code_challenge_method=S256<br />&response_type=code Browser->>Authserver:GET https://auth.example.com/auth?<br />client_id=123&redirect_uri=http://127.0.0.1:16515/&<br />code_challenge=<<code_challenge>>&code_challenge_method=S256&<br />&response_type=code Note over Browser, Authserver: Authorize the user, e.g. via SURFconext Authserver-->>Browser:Redirect to http://127.0.0.1:16515/?code=<<Authorization code>> Browser->>PEP Client:GET http://127.0.0.1:16515/?code=<<Authorization code>> PEP Client->>Authserver:<<Authorization code>><<Code Verifier>> Authserver->>Authserver:verify:<br />Code Challenge == sha256(Code Verifier) Authserver->>PEP Client:OAuth token containing:<br /><<subject>><<group>><<issued at>><<expires at>><<hmac>> Note over PEP Client, Keyserver: End of OAuth2 Authorization Code flow PEP Client->>PEP Client: Generate CSR containing<br /><<subject>><<group>>User PEP Client->>Keyserver: <<CSR>><<OAuth token>> Keyserver->>Keyserver: verify OAuth token hmac<br />sign certificate Keyserver->>PEP Client: <<certificate>>

This leaves out how the user is actually authenticated by the authserver. See How we use apache for more details about this.