Commit 83e1cc4

docs: Write admin explanations about authentication
1 parent 4f1755c commit 83e1cc4

6 files changed

Lines changed: 360 additions & 84 deletions

diracx-routers/src/diracx/routers/auth/authorize_code_flow.py

Lines changed: 1 addition & 30 deletions
@@ -1,35 +1,6 @@
11
"""Authorization code flow.
22
3-
Client Application DIRAC Auth Service IAM (Identity Access Management)
4-
------------------ ------------------ --------------------------------
5-
| | |
6-
|---(A)--- Authorization Request ---->| |
7-
| |---(B)--- Authorization Request -------->|
8-
| | |
9-
| |<--(C)--- Authorization Grant -----------|
10-
| | |
11-
| |---(D)--- ID Token Request ------------->|
12-
| | |
13-
| |<--(E)--- ID Token ----------------------|
14-
|<--(F)--- Authorization Grant -------| |
15-
| | |
16-
|---(G)--- Access Token Request ----->| |
17-
| | |
18-
|<--(H)--- Access Token --------------| |
19-
| | |
20-
21-
22-
* (A) The flow is initiated by the client making a request to the DIRAC auth service (GET /authorize) with PKCE.
23-
* (B) The DIRAC auth service stores the request details and redirects the user to the IAM's authorization flow
24-
by performing an authorization request on behalf of the user.
25-
* (C) Once done, the IAM redirects the user back to the DIRAC auth service (GET /authorize/complete).
26-
* (D) The DIRAC auth service exchanges the code for an ID token by making a token request to the IAM.
27-
* (E) The IAM responds with an access, a refresh and an ID tokens.
28-
* (F) The DIRAC auth service only stores the ID token and redirects the user to the client's redirect URI.
29-
* (G) The client requests an access token from the DIRAC auth service by making a request to
30-
the token endpoint (POST /token).
31-
* (H) The DIRAC auth service responds with a DIRAC access token, based on the ID token.
32-
* The client can then use the access token to access the DIRAC services.
3+
See docs/admin/explanations/authentication.md
334
"""
345

356
from __future__ import annotations
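Review bot: the single `+` line at new line 3, `See docs/admin/explanations/authentication.md`, is a repository-relative path inside a module docstring, so it does not resolve for anyone reading the docstring from an installed package, via `help()` or in an IDE tooltip; consider giving the rendered documentation URL or stating that the path is relative to the repository root. The removed text also carried two details a security reviewer of this module depends on, that the client's request in step (A) uses PKCE and that in step (F) the auth service stores only the ID token out of the access, refresh and ID tokens returned in step (E); this hunk was the only place they were documented next to the code, so the new page should be checked to state both (and to fix the "an access, a refresh and an ID tokens" wording from the deleted line 27). The new document is not among the two files shown here, so this cannot be verified from the excerpt.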

diracx-routers/src/diracx/routers/auth/device_flow.py

Lines changed: 1 addition & 50 deletions
@@ -1,55 +1,6 @@
11
"""Device flow.
22
3-
Client Device DIRAC Auth Service IAM (Identity Access Management)
4-
------------- ------------------ --------------------------------
5-
| | |
6-
|---(A)--- Device Authorization ----->| |
7-
| | |
8-
|<--(B)--- User Code, Device Code ----| |
9-
| | |
10-
User | | |
11-
-----|-------------------------------------|-----------------------------------------|
12-
| | |
13-
| (C) Enter User Code in Browser | |
14-
|------------------------------------>| |
15-
| |---(D)--- Authorization Request -------->|
16-
| | |
17-
| |<--(E)--- Authorization Grant -----------|
18-
| | |
19-
| |---(F)--- ID Token Request ------------->|
20-
| | |
21-
| |<--(G)--- ID Token ----------------------|
22-
| | |
23-
|<--(H)--- Device Grant --------------| |
24-
| | |
25-
-----|-------------------------------------|-----------------------------------------|
26-
| | |
27-
|---(I)--- Access Token Request ----->| |
28-
| | |
29-
|<--(J)--- Access Token --------------| |
30-
| | |
31-
32-
33-
* (A) The device flow is initiated by the client, which is typically a device with
34-
limited input capabilities (POST /device).
35-
* (B) The DIRAC auth service responds with a user code and a device code.
36-
* The client then displays the user code to the user and instructs the user to go to
37-
a verification URI on another device
38-
(e.g. a smartphone or computer) and enter the user code.
39-
* (C) The user then authenticates on the other device (GET /device).
40-
In the meantime, the client polls the DIRAC authorization server to check if the user has authorized the client.
41-
* (D) The DIRAC auth service stores the request details and redirects the user to the IAM's authorization flow
42-
by performing an authorization request on behalf of the user.
43-
* (E) Once done, the IAM redirects the user back to the DIRAC auth service (GET /device/complete).
44-
* (F) The DIRAC auth service exchanges the code for an ID token by making a
45-
token request to the IAM.
46-
* (G) The IAM responds with an access, a refresh and an ID tokens.
47-
* (H) The DIRAC auth service stores the ID token and redirects the user to
48-
the redirect URI (GET /device/complete/finished).
49-
* (I) The client requests an access token from the DIRAC auth service by making a request to
50-
the token endpoint (POST /token).
51-
* (J) The DIRAC auth service responds with a DIRAC access token, based on the ID token.
52-
* The client can then use the access token to access the DIRAC services.
3+
See docs/admin/explanations/authentication.md
534
"""
545

556
from __future__ import annotations
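Review bot: the deleted lines were the only in-code mapping from flow steps to endpoints (POST /device, GET /device, GET /device/complete, GET /device/complete/finished, POST /token) and the only mention that the client polls the DIRAC authorization server while the user completes step (C); the one-line pointer at new line 3 drops all of that from the module. Suggest confirming that docs/admin/explanations/authentication.md lists the endpoint paths and the polling behaviour, or keeping a one-line reference to the relevant flow step in each route handler's docstring so the file stays navigable without the external document. As with the other file, the path is repository-relative and will not resolve from an installed package; a rendered URL or an explicit "relative to the repository root" would help.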
