Security Architecture
OpenID flow
sequenceDiagram
autonumber
Client->>Server: GET /oauth
activate Server
Server-->>Client: Return providers
deactivate Server
alt Has default provider
Client->>OpenID provider: Open default provider authorization URL
else No default provider
Client->>Client: Choose provider
Client->>OpenID provider: Open chosen provider authorization URL
end
activate OpenID provider
OpenID provider->>OpenID provider: Login or SignUp flow
OpenID provider-->>Client: Return code
deactivate OpenID provider
activate Client
Client->>OpenID provider: Request token
deactivate Client
activate OpenID provider
OpenID provider-->>Client: Return token
deactivate OpenID provider
Client->>+Server: POST /auth
Server->>+OpenID provider: Validate token
OpenID provider-->>-Server: Return validation
Server->>Server: Create user if required
Server-->>-Client: Set auth cookies
activate Client
Client->>Client: Redirect to home
deactivate Client
Request filters
The first path that matches is the final authentication result. Any security module may throw exceptions that bypass this behavior, for example BadRequestException, RedirectException or UnauthorizedException.
API Key
GET | POST | PUT | DELETE /**
Arguments
| Name | Type | Is Required | Default Value |
|---|---|---|---|
| apiKey | Parameter | No | |
| X-API-Key | Header | No |
Given
- A valid hash of an API key.
- An user can be impersonated using the API key.
When
- The route is accessed.
Then
- Returns a WebSecurityAndToken with a private token that can impersonate the API key owner.
OAuth
GET /oauth/${providerName}
Arguments
| Name | Type | Is Required | Default Value |
|---|---|---|---|
| state | Parameter | Yes | |
| code | Parameter | Yes |
Action
- If the state is valid it will obtain the
auth tokenusing the specifiedcodeand then redirect the user to theredirectUrlspecified in the state parameter. The obtained token is registered with the web token service. - If the
stateorcodeare invalid it will throw aBadRequestException.
GET | POST | PUT | DELETE /**
| Name | Type | Is Required | Default Value |
|---|---|---|---|
| auth.strategy | Cookie | Yes | |
| auth._refresh_token.${providerName} | Cookie | Yes |
Given
- A provider that can handle the required strategy exists.
- The refresh token can be used to obtain a valid web token.
When
- The route is accessed.
Then
- The new token is obtained and registered with the web token service.
- Returns a WebSecurityAndToken.
Cookie
GET | POST | PUT | DELETE /**
| Name | Type | Is Required | Default Value |
|---|---|---|---|
| one.erp.rest.auth.token | Cookie | Yes | |
| one.erp.rest.locale | Cookie | No | RO |
Given
- A token that the web token service recognizes.
When
- The route is accessed.
Then
- The token can be refreshed if necessary.
- The token can be validated against the security service.
- Returns a WebSecurityAndToken.