- User initializes the authentication and authorization flow.
- Client sends the authorization request with response_type=code (PKCE1).
  GET /authorize
- Request is verified by IAM-service.
- IAM-service responds, providing the login context.
- User enters login credentials.
- Client sends the user's login credentials to IAM-service.
  POST /authorize
- IAM-service verifies the login credentials and responds with the scope data for the user.
- Client receives the available scopes / permissions and presents the consent screen to the user.
- User selects the scopes for this auth action and confirms.
- Client sends back the list of approved scopes.
  POST /consent
- Approved scopes are evaluated and an authorization code is issued.
- Client is redirected to the Callback URL, handing over the code.
- Resource server sends the code to IAM-service (PKCE2).
  POST /token
- IAM-service issues tokens and sends back access_token and refresh_token.
- access_token and refresh_token are forwarded to the client.
- Login flow is finished.
- Token verification process (back channel).
- Access resources using the issued access_token.
- Refresh token flow.
- PKCE1: the client sends the Authorization Request with code_challenge and code_challenge_method as specified in RFC 7636.
- PKCE2: the authorization code is sent together with the original code_verifier (RFC 7636).
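The two PKCE steps above, as an added example (not IAM-service code): the client derives the code_challenge for GET /authorize (PKCE1), and the token endpoint recomputes it from the code_verifier presented at POST /token (PKCE2), following RFC 7636 for both the S256 and plain methods. Function names and the stored challenge/method pair are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a high-entropy code_verifier (32 random bytes -> 43 base64url chars)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """PKCE1: derive code_challenge from code_verifier for the /authorize request."""
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """PKCE2: server-side check at /token. The challenge and method were stored
    alongside the authorization code when it was issued (assumed storage)."""
    try:
        expected = make_code_challenge(code_verifier, stored_method)
    except ValueError:
        return False  # malformed verifier or unknown method: reject, never fall back
    return hmac.compare_digest(expected, stored_challenge)  # constant-time compare


def authorize_params(client_id: str, redirect_uri: str, state: str,
                     code_verifier: str, method: str = "S256") -> dict:
    """Query parameters the client adds to GET /authorize (PKCE1)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": make_code_challenge(code_verifier, method),
        "code_challenge_method": method,
    }
```

The S256 values in the test are the RFC 7636 Appendix B vector, so the derivation can be checked against the specification directly.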
- Initialize the login flow using a web browser (or curl):

curl --location --request GET 'http://localhost:8080/services/oauth2/{organization-id}/{project-id}/authorize?response_type=code&state={state}&client_id={client-id}&client_secret={client-secret}&scope=&redirect_uri={redirect-uri}'
Name | Value |
---|---|
Grant Type | Authorization Code (With PKCE**) |
Callback URL | http://localhost:8080/services/oauth2/iam-admins/iam-admins/redirect |
Auth URL | http://localhost:8080/services/oauth2/iam-admins/iam-admins/authorize |
Access Token URL | http://localhost:8080/services/oauth2/iam-admins/iam-admins/token |
Client ID | admin-client |
Client Secret | top-secret |
Code Challenge Method ** | SHA-256 or Plain |
Code Verifier ** | |
Scope | "" |
State | |

** Only for flow with PKCE