The aim of this diagram is not to document each endpoint (that is the role of the Swagger documentation provided by the services).
Its goal is to give a global view of the exchanges between the Angular app (front) and the services, and among the services themselves, for each feature related to authentication and authorization.
```plantuml
' Sequence diagram of the authentication / authorization exchanges between the
' front (Angular app), the Authentication Service, the legacy-auth middleware,
' the legacy Django server (Neogeo), the Email Service, Kong and the OIDC server.
' Convention used below: "a -> b : msg" is a request, "a <-- b : msg" the reply.
' Colour palette shared by the skinparam sections below.
!define BLACK #333745
!define RED #d5232a
!define GREEN #37A77C
' Base Setting
skinparam BackgroundColor transparent
skinparam Sequence {
ArrowThickness 1
ArrowColor RED
LifeLineBorderColor GREEN
ParticipantBorderThickness 1
}
skinparam Participant {
BackgroundColor #FFFFFF
BorderColor BLACK
FontColor BLACK
}
skinparam note {
BackgroundColor #FFFFFF
BorderColor BLACK
FontColor BLACK
}
' Participants, in lifeline order (left to right).
participant "Front" as front
participant "Authentication Service" as auth
participant "Middleware Legacy Auth" as middle
participant "Legacy Auth (Neogeo)" as django
participant "Email Service" as email
participant "Kong" as kong
participant "OIDC Server" as oidc
' ---------------------------------------------------------------------------
' 1. OIDC flow: the auth service brokers the provider login and ends by
'    issuing a Kong JWT to the front.
' ---------------------------------------------------------------------------
group Authentication with OIDC providers
group Login
front -> auth : <b>GET</b> /login/:identityProvider
' The chosen provider is remembered server-side (Redis) so that /token can
' find it again. The Redis key is not shown here.
' NOTE(review): confirm how that key is bound to the browser session, since
' /token below has no visible parameter tying it back to this login.
note over auth: Set redis key/value with Provider as value
front <-- auth : [302] redirection to the appropriate url
end
group Exchange token against JWT
front -> auth : <b>GET</b> /token
note over auth: Get redis value corresponding to the OIDC Provider
' Code/token exchange and profile lookup against the provider.
auth -> oidc : <b>POST</b> /token_endpoint
auth <-- oidc : { id_token, access_token }
auth -> oidc : <b>GET</b> /userInfo_endpoint
auth <-- oidc : { userInfo }
' The Kong consumer is keyed on the user's e-mail; PUT creates or updates it.
' JWT credentials are reused when they exist (GET) and created otherwise (POST).
' The same three-step Kong sequence is repeated in "Legacy login" and "User update".
' NOTE(review): "creadetials" in the three Kong jwt arrows reads as "credentials".
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no creadetials exist for this user)
auth <-- kong : { credentials }
front <-- auth: { token: jwt }
end
group Logout
front -> auth : <b>GET</b> /logout
front <-- auth : [302] redirection to the appropriate url
end
end
' ---------------------------------------------------------------------------
' 2. Legacy (Django) authentication, proxied by the middleware. Account and
'    password flows that need an out-of-band confirmation use a Redis token
'    with a 24h TTL that is sent by e-mail and deleted once consumed.
' ---------------------------------------------------------------------------
group Authentication with Django Server
group Get Public Key
' Public key exposed by the middleware; what the front uses it for is not
' shown in this diagram.
front -> middle : <b>GET</b> /publicKey
front <-- middle : { publicKey }
end
group Legacy login
front -> auth : <b>POST</b> /login/legacy
auth -> middle : <b>POST</b> /user/login
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
' The middleware forwards the user's encrypted password to the auth service
' under the name "authzKey". What the auth service does with it is not shown;
' presumably it feeds the Kong consumer/JWT step below - confirm.
middle --> auth : { userInfo with encrypted password as authzKey}
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no creadetials exist for this user)
auth <-- kong : { credentials }
front <-- auth : { token: jwt }
end
group Password forgotten
front -> middle : <b>POST</b> /passwordForgotten
' Reset token: stored in Redis with a 24h TTL, delivered only inside the
' e-mailed link. The response to the front is void in every case.
note over middle: Set token in Redis with ttl 24h.
middle -> email : <b>POST</b> /email/send (body contains the link to the reset password form)
middle <-- email : void
front <-- middle : void
end
group Verify Password reset token validity
front -> middle : <b>GET</b> /isPasswordResetTokenValid
note over middle: Look for token in Redis.
front <-- middle : boolean
end
group Password reset
front -> middle : <b>PUT</b> /user/resetPassword
' The token is checked before the password change and deleted after it
' (single use).
note over middle: Look for token in Redis.
middle -> django : <b>POST</b> /update_user_password/
middle <-- django
note over middle: Delete token from Redis.
' NOTE(review): the request above went to "middle" but this reply comes from
' "auth"; every other group replies from the participant that received the
' request, so this is likely meant to be "front <-- middle : void" - confirm.
front <-- auth : void
end
group Password update
front -> middle : <b>PUT</b> /user/updatePassword
' NOTE(review): /get_user/ is called with GET here but with POST in every
' other group, and /update_user_password/ with PUT here but POST in
' "Password reset"; confirm the verbs against the Django routes.
middle -> django : <b>GET</b> /get_user/
middle <-- django : Ok
middle -> django : <b>PUT</b> /update_user_password/
middle <-- django : Ok
front <-- middle : void
end
group User update
front -> auth : <b>PUT</b> /user/update
auth -> middle : <b>PUT</b> /user/update
middle -> django : <b>POST</b> /update_user/
middle <-- django : Ok
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
' After an update a new JWT is issued, via the same Kong sequence as login.
auth <-- middle : { userInfo with encrypted password as authzKey}
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no creadetials exist for this user)
auth <-- kong : { credentials }
front <-- auth : { token: jwt }
end
group User Info
front -> auth : <b>GET</b> /user
auth -> middle : <b>GET</b> /user
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
auth <-- middle : { userInfo }
front <-- auth : { userInfo }
end
group User creation
front -> middle : <b>POST</b> /user
' Account-validation token: same Redis/24h-TTL/e-mail pattern as the
' password reset; the account is only created by the Django server once the
' token comes back in "Validate User creation".
note over middle : Set token in redis with ttl 24h
' NOTE(review): the label below repeats "email :" once; the message is the
' POST /email/send.
middle -> email : email : <b>POST</b> /email/send (body contains account validation link)
middle <-- email : void
front <-- middle : void
end
group Validate User creation
front -> middle : <b>POST</b> /user/validateAccount
note over middle : Validate token existance in redis
middle -> django : <b>POST</b> /add_user/
middle <-- django : Ok
' Token is single use: removed once the account has been added.
note over middle : Remove token from redis
front <-- middle : void
end
group User account deletion
front -> middle : <b>DELETE</b> /user
middle -> django : <b>POST</b> /delete_user/
middle <-- django : Ok
front <-- middle : void
end
end
' ---------------------------------------------------------------------------
' 3. Authorization (access to restricted datasets), proxied by the middleware.
'    Add / renew / delete each notify both the admin and the user by e-mail;
'    /get_services/ and /get_modes/ are fetched there only to name the
'    datasets and services in that e-mail.
' ---------------------------------------------------------------------------
group Authorization with Django server
group List User resources
front -> middle : <b>POST</b> /user/resources
middle -> django : <b>POST</b> /get_user_service/
middle <-- django : { rawRessources }
front <-- middle : { Ressources }
end
group Add User access to resource
' NOTE(review): the three add/renew/delete paths below lack the leading "/"
' used by every other route (e.g. /user/resources above); likely a typo.
front -> middle : <b>POST</b> user/resources/add
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
' One Django call per requested dataset; the response separates the ones
' that succeeded from the ones that failed.
loop n times (n different datasets requested)
middle -> django : <b>POST</b> /add_user_service/
middle <-- django : Ok
end
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyRequested, unsuccessfullyRequested }
end
group Renew User access to resource
front -> middle : <b>POST</b> user/resources/renew
' Renewal first checks the user's existing accesses; unlike add/delete there
' is no per-dataset Django write shown here, only the e-mail notification.
middle -> django : <b>POST</b> /get_user_service/ (check if access as already been validated)
middle <-- django : { user Ressources }
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyRenewalRequested, unsuccessfullyRenewalRequested }
end
group Delete User access to resource
front -> middle : <b>POST</b> user/resources/delete
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
loop n times (n different datasets to be deleted)
middle -> django : <b>POST</b> /del_user_service/
middle <-- django : Ok
end
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyDeleted, unsuccessfullyDeleted }
end
group List of services (modes)
front -> middle : <b>GET</b> /services
middle -> django : <b>GET</b> /get_modes/
middle <-- django : { rawServices }
front <-- middle : { services }
end
group List of restricted access datasets
front -> middle : <b>GET</b> /restrictedAccessDatasets
middle -> django : <b>GET</b> /get_services/
middle <-- django : { datasets }
' The middleware filters the Django list down to the "RESTRICTED" ones.
front <-- middle : { datsets with "RESTRICTED" access}
end
end
```