Skip to content

Authentication Server

OAuth2 Authorization Code Flow

The applications pepAssessor and pepLogon use the Authorization Code Flow of OAuth2 (RFC6749) , with PKCE (RFC7636) to communicate with the authserver. This is described in the following sequence diagram:

sequenceDiagram
    box User device
        participant PEP Client
        participant Browser
    end
    participant Authserver
    participant Keyserver

    PEP Client->>PEP Client:Generate random Code Verifier <br />and Code Challenge = sha256(code verifier)

    PEP Client->>Browser:Open https://auth.example.com/auth?<br />client_id=123&redirect_uri=http://127.0.0.1:16515/&<br />code_challenge=<<code_challenge>>&code_challenge_method=S256<br />&response_type=code

    Browser->>Authserver:GET https://auth.example.com/auth?<br />client_id=123&redirect_uri=http://127.0.0.1:16515/&<br />code_challenge=<<code_challenge>>&code_challenge_method=S256&<br />&response_type=code

    Note over Browser, Authserver: Authorize the user, e.g. via SURFconext

    Authserver-->>Browser:Redirect to http://127.0.0.1:16515/?code=<<Authorization code>>
    Browser->>PEP Client:GET http://127.0.0.1:16515/?code=<<Authorization code>>

    PEP Client->>Authserver:<<Authorization code>><<Code Verifier>>
    Authserver->>Authserver:verify:<br />Code Challenge == sha256(Code Verifier)
    Authserver->>PEP Client:OAuth token containing:<br /><<subject>><<group>><<issued at>><<expires at>><<hmac>>

    Note over PEP Client, Keyserver: End of OAuth2 Authorization Code flow

    PEP Client->>PEP Client: Generate CSR containing<br /><<subject>><<group>>User

    PEP Client->>Keyserver: <<CSR>><<OAuth token>>

    Keyserver->>Keyserver: verify OAuth token hmac<br />sign certificate
    Keyserver->>PEP Client: <<certificate>>

This leaves out how the user is actually authenticated by the authserver. See How we use apache for more details about this.