|
1 | 1 | """Device flow. |
2 | 2 |
|
3 | | -Client Device DIRAC Auth Service IAM (Identity Access Management) |
4 | | -------------- ------------------ -------------------------------- |
5 | | - | | | |
6 | | - |---(A)--- Device Authorization ----->| | |
7 | | - | | | |
8 | | - |<--(B)--- User Code, Device Code ----| | |
9 | | - | | | |
10 | | -User | | | |
11 | | ------|-------------------------------------|-----------------------------------------| |
12 | | - | | | |
13 | | - | (C) Enter User Code in Browser | | |
14 | | - |------------------------------------>| | |
15 | | - | |---(D)--- Authorization Request -------->| |
16 | | - | | | |
17 | | - | |<--(E)--- Authorization Grant -----------| |
18 | | - | | | |
19 | | - | |---(F)--- ID Token Request ------------->| |
20 | | - | | | |
21 | | - | |<--(G)--- ID Token ----------------------| |
22 | | - | | | |
23 | | - |<--(H)--- Device Grant --------------| | |
24 | | - | | | |
25 | | ------|-------------------------------------|-----------------------------------------| |
26 | | - | | | |
27 | | - |---(I)--- Access Token Request ----->| | |
28 | | - | | | |
29 | | - |<--(J)--- Access Token --------------| | |
30 | | - | | | |
31 | | -
|
32 | | -
|
33 | | -* (A) The device flow is initiated by the client, which is typically a device with |
34 | | -limited input capabilities (POST /device). |
35 | | -* (B) The DIRAC auth service responds with a user code and a device code. |
36 | | -* The client then displays the user code to the user and instructs the user to go to |
37 | | -a verification URI on another device |
38 | | -(e.g. a smartphone or computer) and enter the user code. |
39 | | -* (C) The user then authenticates on the other device (GET /device). |
40 | | -In the meantime, the client polls the DIRAC authorization server to check if the user has authorized the client. |
41 | | -* (D) The DIRAC auth service stores the request details and redirects the user to the IAM's authorization flow |
42 | | -by performing an authorization request on behalf of the user. |
43 | | -* (E) Once done, the IAM redirects the user back to the DIRAC auth service (GET /device/complete). |
44 | | -* (F) The DIRAC auth service exchanges the code for an ID token by making a |
45 | | -token request to the IAM. |
46 | | -* (G) The IAM responds with an access, a refresh and an ID tokens. |
47 | | -* (H) The DIRAC auth service stores the ID token and redirects the user to |
48 | | -the redirect URI (GET /device/complete/finished). |
49 | | -* (I) The client requests an access token from the DIRAC auth service by making a request to |
50 | | -the token endpoint (POST /token). |
51 | | -* (J) The DIRAC auth service responds with a DIRAC access token, based on the ID token. |
52 | | -* The client can then use the access token to access the DIRAC services. |
| 3 | +See docs/admin/explanations/authentication.md |
53 | 4 | """ |
54 | 5 |
|
55 | 6 | from __future__ import annotations |
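Review bot: the new line `+See docs/admin/explanations/authentication.md` is a bare relative path to a file this diff neither adds nor modifies, so please confirm the file exists at that location and that it carries the sequence diagram and the (A)-(J) step list deleted above; as the hunk stands, the only place that mapped the flow onto concrete routes (POST /device, GET /device, GET /device/complete, GET /device/complete/finished, POST /token) is being removed without a replacement in the code. Suggest keeping a one-sentence summary ahead of the cross-reference, for example `"""Device flow: the client gets a user and device code from the DIRAC auth service, the user authorizes via the IAM in a browser, and the client polls POST /token for a DIRAC access token.`, and moving the per-endpoint details (request storage at step D, ID token storage at step H, polling at step C) into the docstrings of the corresponding route handlers so that someone auditing the flow from the source is not dependent on an external document staying in sync.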