Text edits

Replaced the "here" link, added captions for the future demos.
pull/1/head
Ашотян 2021-11-08 17:13:49 +03:00
parent 756734146c
commit 237caaef79
1 changed files with 18 additions and 11 deletions


@ -18,7 +18,7 @@ It is important to note that the address of the Production server will be differ
To customize a web address of the oidc authorization server, for example, https://client.privacy.ru or https://client.ps.radium-it.ru you need to add a CNAME Record to the necessary domain`s DNS.
In addition, the system assumes a jwks_endpoint, provided by the oidc authorization server, from which public keys can be obtained to verify the signature of signed JWTs (https://staging.ps.radium-it.ru/.well-known/jwks.json).
All the necessary information regarding the configuration is available [here](https://ldapwiki.com/wiki/Openid-configuration).
All the necessary information regarding the configuration is available [here](https://openid.net/specs/openid-connect-core-1_0.html#RFC6749).
Futher, a more detailed mechanism of the system operation on the OpenID Connect protocol, examples of requests, data flows, etc will be presented.
We provide an opportunity to study our system and try out the work in the configuration of the described algorithm.
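Review bot: the replacement link in this hunk points at the RFC 6749 reference anchor of the OpenID Connect Core spec (`#RFC6749`), which says nothing about the openid-configuration document the sentence promises; the discovery metadata is defined in OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html), so link there instead. In the unchanged context just above, the key-set endpoint is called `jwks_endpoint`, whereas the discovery field integrators will look for is `jwks_uri`; using the standard name avoids a mismatch between this page and the server's own discovery document. While this paragraph is being touched, "Futher" (Further) and the backtick in "domain`s" in the surrounding context lines could be fixed in the same commit.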
@ -54,7 +54,7 @@ The oidc authorization server receives cookies along with the request from the w
If the End-User has already been authorized, authorization_endpoint asks the database if the End-User's consent has been obtained for that website.
If consent for this site has not yet been given by the End-User, the oidc authorization server displays a Consent form with a list of all Scopes requested by the website, as well as a checkbox to confirm consent to the processing of personal data.
On the page the End-User sees a form to fill out the data and the following text **(В ИДЕАЛЕ ДОБАВИТЬ РИСУНОК С ДЕМО ВЕРСИЕЙ СТРАНИЧКИ/Рисунок 2)**:
On the page the End-User sees a form to fill out the data and the following text **(An example demo will be presented later, see Figure 2)**:
> The example.client.ru requests access to your data: ID, email
>
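Review bot: the parenthetical "(An example demo will be presented later, see Figure 2)" is a TODO left in bold inside the sentence, so it renders as documentation text rather than as an editing note. Prefer an HTML comment that does not render (`<!-- TODO: add Figure 2 screenshot -->`) and keep the sentence as "On the page the End-User sees a form to fill out the data and the following text (Figure 2):"; the same applies to the parallel placeholders in the later hunks.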
@ -64,6 +64,7 @@ On the page the End-User sees a form to fill out the data and the following text
>
> [Submit]
*Figure 2.*
As soon as the End-User clicks [Submit], Consent is written to the `sub+client_id+date+scope` database and the End-user is immediately redirected from the oidc authorization server back to the website he wanted to visit (see Figure 3).
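Review bot: the added caption "*Figure 2.*" directly follows the "> [Submit]" line with no blank line between them; in CommonMark a non-prefixed line after a blockquote paragraph is a lazy continuation, so the caption will be rendered inside the quote as "[Submit] Figure 2." rather than as a caption under it. Insert a blank line before "*Figure 2.*" and give the caption a description, as the "Figure 7. Data flow diagram for user data collection" caption later in this file does.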
@ -90,7 +91,7 @@ Let`s move on stage 2.
### Stage 2. Visiting Consent page & entering primary data
The oidc authorization server displays a Consent form listing all the Scopes requested by the website.
On the page the End-User sees a form to fill out the data and the following text **(В ИДЕАЛЕ ДОБАВИТЬ РИСУНОК С ДЕМО ВЕРСИЕЙ СТРАНИЧКИ/см. рисунок 2)**:
On the page the End-User sees a form to fill out the data and the following text **(An example demo will be presented later, Figure 4)**:
> The example.client.ru requests access to your data: ID, email.
>
@ -100,18 +101,24 @@ On the page the End-User sees a form to fill out the data and the following text
>
> | Enter your email |
*Figure 4.*
In addition to filling out the field for entering email, the End-User also ticks the checkbox, thereby confirming his consent to the processing of personal data.
After the End-User has entered the email into the form, put a tick in the checkbox and clicked [Submit], he sees a page with the following text **(В ИДЕАЛЕ ДОБАВИТЬ РИСУНОК С ДЕМО ВЕРСИЕЙ СТРАНИЧКИ/Рисунок 4)**:
After the End-User has entered the email into the form, put a tick in the checkbox and clicked [Submit], he sees a page with the following text **(An example demo will be presented later, Figure 5)**:
> Thank you for your submission, please check your email.
When the End-User clicks [Submit], a request is sent to the oidc authorization server to send a *magic link* to the End-User, whereupon the oidc authorization server sends an email containing a *magic link* and the following text to the specified email **(В ИДЕАЛЕ ДОБАВИТЬ РИСУНОК С ДЕМО ВЕРСИЕЙ СТРАНИЧКИ/Рисунок 5)**:
*Figure 5.*
When the End-User clicks [Submit], a request is sent to the oidc authorization server to send a *magic link* to the End-User, whereupon the oidc authorization server sends an email containing a *magic link* and the following text to the specified email **(An example demo will be presented later, Figure 6)**:
> If you want to access the website, follow the link below:
>
> *magic link*
*Figure 6.*
### Stage 3. Search for available user data
When the End-User follows the *magic link*, he is actually sending GET request on [*magic link*] to the oidc authorization server.
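Review bot: the captions "*Figure 4.*", "*Figure 5.*" and "*Figure 6.*" have the same blank-line problem as Figure 2: each sits directly under a "> ..." line and will be absorbed into the blockquote as a lazy continuation, so a blank line is needed before each of them. Separately, this is the only place the *magic link* is described and it does not state the link's lifetime or whether it is invalidated after first use; since following it is a plain GET that authenticates the End-User (Stage 3 below), document the expiry and one-time invalidation so integrators know the link cannot be replayed or forwarded later.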
@ -121,12 +128,12 @@ When receiving GET request on [*magic link*], the oidc authorization server crea
Since one email is not enough to work correctly with the website, the oidc authorization server will try to request the known information about this End-User from third-party databases, for this the oidc authorization server sends a GET request on [*email*].
If a list of necessary End-User information is returned to the oidc authorization server from any database, then this data is saved in the User Info table and the End-User is redirected to the website address specified earlier in redirect_uri (see Figure 6).
If a list of necessary End-User information is returned to the oidc authorization server from any database, then this data is saved in the User Info table and the End-User is redirected to the website address specified earlier in redirect_uri (see Figure 7).
### Stage 4. Filling out the consent form
If the oidc authorization server has not received any response, after clicking on the *magic link* in the email, the End-User sees a Consent to Personal Data Processing form, which in addition to the pre-filled field with the previously entered email, also contains additional fields, for example: [first name], [last name], [place of employment], etc.
All data collected using this form is also saved to the User Info table (see Figure 6).
All data collected using this form is also saved to the User Info table (see Figure 7).
```mermaid
flowchart LR
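Review bot: "sends a GET request on [*email*]" leaves unspecified which third-party databases are queried and what endpoint "[email]" denotes; since this step forwards the End-User's email address to external services before the End-User has seen the full consent form described in Stage 4, the documentation should name the sources, say exactly what is sent, and note that the lookup is done over TLS to an authenticated endpoint. The renumbering of the two "see Figure 6" references to "see Figure 7" is consistent with the caption change in the next hunk.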
@ -139,7 +146,7 @@ E[No]-->FC[/Full Consent/]
FC[/Full Consent/]-->UI[(User Info)]
```
*Figure 6. Data flow diagram for user data collection*
*Figure 7. Data flow diagram for user data collection*
### Stage 5. JWT generation & delivery
@ -150,14 +157,14 @@ HTTP/1.1 302 Redirect
Location: {redirect_uri}?id_token
```
The id_token (JWT) is a JSON file that contains the information needed for authentication and validation, and the website can extract various information from the JWT, such as ID, user name, time of login to the account, expiration date of the ID Token, the presence of tampering attempts in the JWT, for example, `sub+email+collected_data+signature`.
The id_token (JWT) is a JSON file that contains the information needed for authentication and validation, and the website can extract various information from the JWT, such as ID, user name, time of login to the account, expiration date of the ID Token, the presence of tampering attempts in the JWT, for example, `sub+email+collected_data+signature` (see Figure 8).
Signature contains the private key with which the oidc authorization server signs a particular JWT.
```mermaid
flowchart LR
OD[oidc]-->|JWT: sub+email+collected_data+signature|A[User]-->|JWT|B(Website)
```
*Figure 7. JWT delivery*
*Figure 8. JWT delivery*
The website must verify the signed JWT to proceed with the data.
To do this, it accesses the jwks_endpoint, from which it can obtain public keys to verify the JWT signature.
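Review bot: the unchanged context line "Signature contains the private key with which the oidc authorization server signs a particular JWT" is incorrect and should be fixed while this paragraph is being edited: the signature is computed with the private key, which never leaves the authorization server; the token carries only the signature, and the website verifies it with the public key obtained from the jwks_endpoint, exactly as the two lines that follow describe. In the same spirit, an id_token is a compact-serialized signed JWT (three base64url segments), not "a JSON file", and it does not contain "the presence of tampering attempts"; tampering is detected when signature verification fails. Finally, "Location: {redirect_uri}?id_token" returns the token in the query string; OpenID Connect Core (the spec now linked in this file) returns id_token in the URL fragment for response_type=id_token and does not permit response_mode=query for it, because a query string reaches the web server and its logs.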
@ -170,5 +177,5 @@ The website can now use the id_token (JWT) to get the necessary information abou
1. The user must perform all actions in one browser = from one device.
Using multiple devices will prevent successful authorization.
2. In Stage 2, the user can be asked to enter not an email, but, for example, a phone number or both.
Then, at the next stages, it will be possible to choose the most convenient communication method when sending *magic link *.
Then, at the next stages, it will be possible to choose the most convenient communication method when sending *magic link*.
3. Cookies are currently stored on the oidc authorization server for 30 days, but this period may be extended if necessary.
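Review bot: item 3 gives the cookie lifetime (30 days) but the section does not say which attributes the session cookie is set with; since item 1 relies on that cookie to bind the whole flow to one browser, document that it is issued with Secure, HttpOnly and SameSite attributes on the oidc authorization server's own domain, so the long lifetime is not a larger exposure than intended. Minor wording: "in one browser = from one device" reads oddly; "in one browser on one device" is clearer.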