The aim of this diagram is not to document each endpoint (that is the role of the Swagger documentation provided by each service).
Its goal is to give a global view of the exchanges between the Angular app (front) and the services, and among the services themselves, for each functionality related to authentication and authorization.
```plantuml
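' Sequence diagram of the authentication / authorization exchanges between the
' front, the Authentication Service, the Middleware Legacy Auth, the legacy
' Django server (Neogeo), the Email Service, Kong and the OIDC server.
' Arrows "->" are requests, "<--" are the corresponding responses.

!define BLACK #333745
!define RED #d5232a
!define GREEN #37A77C

' Base Setting
skinparam BackgroundColor transparent

skinparam Sequence {
ArrowThickness 1
ArrowColor RED
LifeLineBorderColor GREEN
ParticipantBorderThickness 1
}

skinparam Participant {
BackgroundColor #FFFFFF
BorderColor BLACK
FontColor BLACK
}

skinparam note {
BackgroundColor #FFFFFF
BorderColor BLACK
FontColor BLACK
}

participant "Front" as front
participant "Authentication Service" as auth
participant "Middleware Legacy Auth" as middle
participant "Legacy Auth (Neogeo)" as django
participant "Email Service" as email
participant "Kong" as kong
participant "OIDC Server" as oidc

group Authentication with OIDC providers
group Login
front -> auth : <b>GET</b> /login/:identityProvider
note over auth: Set redis key/value with Provider as value
' NOTE(review): the Redis entry is presumably the per-login state used to
' correlate the callback with the chosen provider; confirm the callback also
' validates an OIDC state/nonce before the token exchange below (not shown).
front <-- auth : [302] redirection to the appropriate url
end

group Exchange token against JWT
front -> auth : <b>GET</b> /token
note over auth: Get redis value corresponding to the OIDC Provider
auth -> oidc : <b>POST</b> /token_endpoint
auth <-- oidc : { id_token, access_token }
auth -> oidc : <b>GET</b> /userInfo_endpoint
auth <-- oidc : { userInfo }
' The Kong consumer is keyed by the email address. NOTE(review): confirm the
' email used here comes from the provider's verified userInfo, not from a
' value supplied by the front.
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no credentials exist for this user)
auth <-- kong : { credentials }
front <-- auth: { token: jwt }
end

group Logout
front -> auth : <b>GET</b> /logout
front <-- auth : [302] redirection to the appropriate url
end
end

group Authentication with Django Server
group Get Public Key
front -> middle : <b>GET</b> /publicKey
front <-- middle : { publicKey }
end

group Legacy login
front -> auth : <b>POST</b> /login/legacy
auth -> middle : <b>POST</b> /user/login
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
' NOTE(review): "encrypted password as authzKey" — confirm this value is a
' one-way hash rather than reversibly encrypted, since it is forwarded to the
' Authentication Service and ends up tied to a Kong consumer.
middle --> auth : { userInfo with encrypted password as authzKey}
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no credentials exist for this user)
auth <-- kong : { credentials }
front <-- auth : { token: jwt }
end

group Password forgotten
front -> middle : <b>POST</b> /passwordForgotten
' The reset token lives in Redis for 24h and is removed once consumed
' (see "Password reset"). NOTE(review): confirm the token is generated from a
' cryptographically secure random source.
note over middle: Set token in Redis with ttl 24h.
middle -> email : <b>POST</b> /email/send (body contains the link to the reset password form)
middle <-- email : void
front <-- middle : void
end

group Verify Password reset token validity
front -> middle : <b>GET</b> /isPasswordResetTokenValid
note over middle: Look for token in Redis.
front <-- middle : boolean
end

group Password reset
front -> middle : <b>PUT</b> /user/resetPassword
note over middle: Look for token in Redis.
middle -> django : <b>POST</b> /update_user_password/
middle <-- django
' Token is single-use: deleted as soon as the password has been updated.
note over middle: Delete token from Redis.
' The request was sent to the middleware, so the response comes from it
' (the original diagram showed it coming from auth).
front <-- middle : void
end

group Password update
front -> middle : <b>PUT</b> /user/updatePassword
' NOTE(review): get_user is presumably called here to check the current
' password before the update — confirm.
middle -> django : <b>GET</b> /get_user/
middle <-- django : Ok
middle -> django : <b>PUT</b> /update_user_password/
middle <-- django : Ok
front <-- middle : void
end

group User update
front -> auth : <b>PUT</b> /user/update
auth -> middle : <b>PUT</b> /user/update
middle -> django : <b>POST</b> /update_user/
middle <-- django : Ok
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
' See the note in "Legacy login" about the authzKey value.
auth <-- middle : { userInfo with encrypted password as authzKey}
auth -> kong : <b>PUT</b> /consumers/:email
auth <-- kong : Ok
auth -> kong : <b>GET or POST</b> /consumers/:email/jwt (POST if no credentials exist for this user)
auth <-- kong : { credentials }
front <-- auth : { token: jwt }
end

group User Info
front -> auth : <b>GET</b> /user
auth -> middle : <b>GET</b> /user
middle -> django : <b>POST</b> /get_user/
middle <-- django : { userInfo }
auth <-- middle : { userInfo }
front <-- auth : { userInfo }
end

group User creation
front -> middle : <b>POST</b> /user
' Same 24h TTL / single-use pattern as the password reset token.
note over middle : Set token in redis with ttl 24h
middle -> email : <b>POST</b> /email/send (body contains account validation link)
middle <-- email : void
front <-- middle : void
end

group Validate User creation
front -> middle : <b>POST</b> /user/validateAccount
note over middle : Validate token existence in redis
middle -> django : <b>POST</b> /add_user/
middle <-- django : Ok
note over middle : Remove token from redis
front <-- middle : void
end

group User account deletion
front -> middle : <b>DELETE</b> /user
middle -> django : <b>POST</b> /delete_user/
middle <-- django : Ok
front <-- middle : void
end
end

group Authorization with Django server
group List User resources
front -> middle : <b>POST</b> /user/resources
middle -> django : <b>POST</b> /get_user_service/
' "Ressources" kept as written: it may be the actual field name returned.
middle <-- django : { rawRessources }
front <-- middle : { Ressources }
end

' NOTE(review): the three paths below lack the leading "/" used everywhere
' else; kept as written in case they are literal — confirm against the routes.
group Add User access to resource
front -> middle : <b>POST</b> user/resources/add
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
loop n times (n different datasets requested)
middle -> django : <b>POST</b> /add_user_service/
middle <-- django : Ok
end
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyRequested, unsuccessfullyRequested }
end

group Renew User access to resource
front -> middle : <b>POST</b> user/resources/renew
middle -> django : <b>POST</b> /get_user_service/ (check if access has already been validated)
middle <-- django : { user Ressources }
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyRenewalRequested, unsuccessfullyRenewalRequested }
end

group Delete User access to resource
front -> middle : <b>POST</b> user/resources/delete
middle -> django : <b>GET</b> /get_services/ (only needed to add names in email)
middle <-- django : { datasets }
middle -> django : <b>GET</b> /get_modes/ (only needed to add names in email)
middle <-- django : { services }
loop n times (n different datasets to be deleted)
middle -> django : <b>POST</b> /del_user_service/
middle <-- django : Ok
end
middle -> email : <b>POST</b> /email/send (Admin + User email)
middle <-- email : void
front <-- middle: { successfullyDeleted, unsuccessfullyDeleted }
end

group List of services (modes)
front -> middle : <b>GET</b> /services
middle -> django : <b>GET</b> /get_modes/
middle <-- django : { rawServices }
front <-- middle : { services }
end

group List of restricted access datasets
front -> middle : <b>GET</b> /restrictedAccessDatasets
middle -> django : <b>GET</b> /get_services/
middle <-- django : { datasets }
front <-- middle : { datasets with "RESTRICTED" access}
end
end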
```