
OAuth code Flow Sequence Diagram

Jürgen Weigert edited this page Feb 26, 2020 · 6 revisions

Sequence Diagram

@startuml
actor Alice
participant Client
participant OS
participant Browser
participant ownCloud
participant IDP
Alice -> Client: login
Client -> ownCloud: GET https://.../status.php
Client <-- ownCloud: 200 OK
Client -> ownCloud: PROPFIND https://.../webdav
ownCloud --> Client: 401 Unauthorized with Response Header "WWW-Authenticate: Bearer realm="ownCloud"" (and other WWW-Authenticate mechanisms, if available)
alt Bearer auth available
Client -> Client: listen on http://localhost:61113
Client -> OS: open in browser\nhttps://.../apps/oauth2/authorize?\nresponse_type=code&\nclient_id=<someid>&\nredirect_uri=http://localhost:61113
OS -> Browser: open \nhttps://.../apps/oauth2/authorize?\nresponse_type=code&\nclient_id=<someid>&\nredirect_uri=http://localhost:61113
Browser -> ownCloud: GET\nhttps://.../apps/oauth2/authorize?\nresponse_type=code&\nclient_id=<someid>&\nredirect_uri=http://localhost:61113
ownCloud --> Browser: Redirect to Login
Browser -> ownCloud: GET \nhttps://.../login
ownCloud --> Browser: Redirect to IDP
Browser -> IDP: GET \nhttps://idp.tld/...
IDP --> Browser: Redirect back to ownCloud
Browser -> ownCloud: GET \nhttps://.../login
ownCloud --> Browser: Redirect to original Authorize URL
Browser -> ownCloud: GET\nhttps://.../apps/oauth2/authorize?\nresponse_type=code&\nclient_id=<someid>&\nredirect_uri=http://localhost:61113
ownCloud --> Browser: The “Desktop Client” application would like permission to access your account
Alice -> Browser: click “Authorize”
Browser -> ownCloud: POST\nhttps://.../apps/oauth2/authorize?\nresponse_type=code&\nclient_id=<someid>&redirect_uri=http://localhost:61113
ownCloud --> Browser: Redirect http://localhost:61113?\ncode=b8jQreTvhv...
Browser -> Client: GET http://localhost:61113?\ncode=b8jQreTvhv...
Client -> ownCloud: POST\nhttps://.../apps/oauth2/api/v1/token
ownCloud --> Client: 200 OK - {"access_token":"UyP6InfhUe...
Client --> Browser: Redirect to https://.../apps/oauth2/authorization-successful
Browser -> ownCloud: GET\nhttps://.../apps/oauth2/authorization-successful
ownCloud --> Browser: 200 OK
Client -> ownCloud: PROPFIND https://.../webdav/\nAuthorization: Bearer UyP6InfhUed58Gy....
ownCloud --> Client: 207 Multi-Status
else fall back to Basic auth (or another auth mechanism)
Client -> ownCloud: PROPFIND https://.../webdav/\nAuthorization: Basic ....
ownCloud --> Client: 207 Multi-Status
end
@enduml

To edit the diagram, paste the source above into PlantUML.

CAUTION: This flow relies on Location: headers reaching the browser verbatim, in particular the final one, "Location: http://localhost:61113?code=...". Third-party network components (reverse proxies, load balancers, web application firewalls) may rewrite http:// to https:// in Location headers. Such rewriting is encouraged by the widely present 'Upgrade-Insecure-Requests: 1' request header that browsers send. A redirect to https://localhost:61113 makes the browser attempt a TLS handshake against the client's plain-HTTP listener, so the authorization code never arrives and the OAuth flow breaks.
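The client's side of the exchange in the diagram, as an added example that is not the ownCloud desktop client's code: it picks the auth scheme from the 401's WWW-Authenticate header, builds the authorize URL, listens on the loopback port for the browser's redirect, extracts the code, and prepares the token POST. The server name cloud.example.test, the client secret, and the state parameter are assumptions; the diagram shows no state, and it is added here because any local process can connect to localhost:61113. The token request body follows RFC 6749 with HTTP Basic client authentication, which the diagram does not show and is assumed. The listener also recognises the failure mode from the CAUTION: when the Location header was rewritten to https://, what lands on the plaintext port is a TLS ClientHello rather than a GET.

```python
"""Client side of the loopback authorization-code flow in the diagram above
(added example, not the ownCloud desktop client's code)."""
import base64
import re
import socket
import threading
from urllib.parse import parse_qs, urlencode, urlparse

SERVER = "https://cloud.example.test"   # assumption, stands in for https://...
CLIENT_ID = "someid"                     # placeholder, as in the diagram
LOOPBACK_PORT = 61113


class LoopbackError(Exception):
    """The bytes on the loopback port were not the redirect we wait for."""

def auth_schemes(www_authenticate):
    """Scheme names offered by a 401, e.g. 'Bearer realm="ownCloud", Basic
    realm="ownCloud"' -> ['Bearer', 'Basic']; the client picks Bearer if present.
    A scheme starts the header or follows a comma and has no '=' after it."""
    return re.findall(r'(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)', www_authenticate)

def build_authorize_url(state, server=SERVER, client_id=CLIENT_ID, port=LOOPBACK_PORT):
    """URL handed to the OS to open in the browser. 'state' is not in the
    diagram; it binds the later loopback request to this attempt, since any
    local process can connect to localhost:61113."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": f"http://localhost:{port}", "state": state}
    return f"{server}/apps/oauth2/authorize?{urlencode(params)}"

def parse_loopback_request(raw, expected_state):
    """Extract the code from the browser's 'GET /?code=...&state=... HTTP/1.1'.
    A TLS record header (0x16 0x03 ..) instead of a request line means the
    http://localhost redirect was rewritten to https:// (see CAUTION): the
    browser is trying to start TLS against this plaintext listener."""
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        raise LoopbackError("TLS ClientHello on the plaintext loopback port: "
                            "the Location header was rewritten to https://")
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        raise LoopbackError(f"unexpected request line {request_line!r}")
    query = parse_qs(urlparse(parts[1]).query)
    if query.get("state", [None])[0] != expected_state:
        raise LoopbackError("state mismatch: not the redirect we are waiting for")
    if "code" not in query:
        raise LoopbackError(f"no code in redirect, error={query.get('error')}")
    return query["code"][0]

def token_request(code, client_secret, port=LOOPBACK_PORT):
    """Headers and body for POST .../apps/oauth2/api/v1/token (RFC 6749 4.1.3).
    Assumed: HTTP Basic client authentication; the diagram shows no body."""
    creds = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": f"http://localhost:{port}"})
    return headers, body

def open_listener(port=LOOPBACK_PORT):
    """Bind the loopback port before the browser is opened."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv

def wait_for_code(srv, expected_state, timeout=120):
    """Accept one connection, return the code, and answer the browser with the
    redirect to authorization-successful ('Client --> Browser' in the diagram)."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        raw = conn.recv(4096)            # the redirect request fits one read
        try:
            code = parse_loopback_request(raw, expected_state)
        except LoopbackError:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            raise
        conn.sendall(b"HTTP/1.1 302 Found\r\nLocation: " + SERVER.encode()
                     + b"/apps/oauth2/authorization-successful\r\n\r\n")
        return code

def run_loopback_exchange(browser_bytes, expected_state):
    """Play the browser over a real loopback socket on an ephemeral port, with
    constructed request bytes, so the listener is exercised end to end."""
    srv = open_listener(0)
    port = srv.getsockname()[1]

    def browser():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(browser_bytes)
            c.recv(4096)                 # the client's reply
    t = threading.Thread(target=browser)
    t.start()
    try:
        return wait_for_code(srv, expected_state, timeout=5)
    finally:
        t.join()
        srv.close()
```

In real use the order matters: bind the port with open_listener first, then hand build_authorize_url(state) to the OS, then block in wait_for_code; binding after the browser is opened leaves a window in which the redirect has nowhere to land. The TLS check is what turns the symptom in the CAUTION (a silent hang or a browser certificate error) into a clear diagnostic on the client side.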
