doc/sequenceDiagram.txt
title Handling Challenge
User->+Hydra: OAuth2 token request
Hydra-->-User: Redirect to IdP
User->+IdP: GET /login?challenge=...
IdP-->-User: Login page
User->+IdP: POST /login?challenge=...
note right of IdP
Check credentials
(eg. Basic Auth etc.)
end note
note right of IdP
Create the Challenge.
It consists:
- User ID
- Requested scopes
- Who requests access
- Expiration
- Redirection URL
end note
IdP->Store: Save the Challenge
IdP-->User: Challenge ID cookie
IdP-->-User: Redirect to IdP
note right of User
Challenge ID is in the cookie.
No query parameters used
from now on.
end note
User->+IdP: GET /consent + COOKIE
IdP->Store: Get Challenge with ID
Store-->IdP: Challenge
note right of IdP
Ask user if he grants
requested scopes to
the Client.
Scopes and ClientID
are in the Challenge
end note
IdP-->-User: Consent page
User->+IdP: POST /consent + COOKIE + ANSWER
IdP->Store: Get Challenge with ID
Store->IdP: Challenge
note right of IdP
Create consent JWT.
It contains users ANSWER.
end note
IdP->Store: Delete
IdP-->-User: Redirect to Hydra
User->+Hydra: GET /hydra?consent=...
note right of Hydra
Verify consent JWT and
apply users answer
end note
Hydra-->-User: Tokens or Error