Authenticating with OpenID Connect
Pulse configures Spring to authenticate users by delegating to an OpenID Connect Provider (OP), using the authorization code flow shown in the diagram below.
@startuml
title Pulse Authenticates with OpenID Connect Provider (OP)
participant User as user
participant Browser as browser
participant "Pulse (Spring)" as spring
participant OP as op
user -> browser +: /<protected-uri>
browser -> spring +: /<protected-uri>
return redirect: /login
browser -> spring +: /login
note right spring
Spring generates this /login page
to handle all interaction with the configured OP
end note
return Button: "Log in with OP"
return Button: "Log in with OP"
user -> browser +: click OP button
browser -> op +: /authorize
note right
Request includes:
- client id
- list of requested scopes
- redirect-uri
- Spring session identifier
- other details
end note
return OP login form
return OP login form
user -> browser +: Credentials
browser -> op +: POST Credentials
return Authorization form for Pulse
note right
Authorization form includes checkboxes
for the scopes defined in the OP's Pulse client
end note
return Checkboxes
user -> browser +: Select scopes
browser -> op +: POST Scope selection
return redirect: /<redirect-uri>
note right
Redirect URI includes:
- grant code
- Spring session identifier
- other details
end note
browser -> spring +: /<redirect-uri>
spring -> op +: POST /token
note right
Backchannel request (NOT via browser):
- client id
- client secret
- grant code
- other details
end note
return idToken,\naccessToken,\nrefreshToken
note right spring
Spring saves the tokens in the current session
end note
return redirect: /clusterDetail
browser -> spring +: /clusterDetail
return Cluster detail HTML
return Cluster detail Page
@enduml
Authorizing With Access Tokens
During authentication, Pulse requests an access token along with the ID token. Internally, Pulse uses that access token as its credential when it connects to the Geode cluster's JMX manager, and the cluster's configured security manager decides whether to accept it.
@startuml
title Pulse Connects to Geode JMX with the User's Access Token
participant "Pulse Page\nJavascript" as page
participant "Pulse\nController" as pulse
participant Repository as repository
participant Spring as spring
participant Cluster as cluster
participant "Geode JMX" as jmx
participant "Custom\nSecurity\nManager" as sm
page -> pulse +: /<some-data-url>
pulse -> repository +: getCluster()
repository -> spring +: get authenticated user details
return sub, accessToken, refreshToken
repository -> repository : clusterMap.get(sub)
alt if no cluster for current user (sub)
repository -> cluster *:new
repository -> cluster +: connect(accessToken)
cluster -> jmx +: connect(accessToken)
note over jmx
Omitted: Details of how Geode JMX
routes connection requests to the
custom security manager
end note
jmx -> sm +: authenticate(accessToken)
note over sm
Security manager:
- Decides whether to authenticate.
- May use information from the access
token.
- May send the access token to the OP
to request information about user.
- May cache the access token or other
information about the user.
- Creates a "principal" that represents
the authenticated user.
end note
return principal
return connection
return
repository -> repository : clusterMap.put(sub, cluster)
end
return cluster
pulse -> cluster +: get data
cluster -> jmx +: get data
jmx -> sm +: authorize(principal, operation)
note over sm
Security manager decides whether
to authorize the principal to
perform the operation.
end note
return true
return data
return data
return data
@enduml
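The diagram leaves the custom security manager's internals open. Below is an added example (not Pulse's or Geode's own code) of one way to implement it: a Geode `SecurityManager` that sends the access token to the OP for validation, caches the answer until the token expires, and authorizes JMX operations by scope. It assumes Java 11 and Jackson on the classpath; that Pulse hands the token to the JMX manager in the `security-password` property (the page does not say which property Pulse uses); that the OP supports RFC 7662 token introspection and reports `sub`, `scope` and `exp`; and that scopes are named `<resource>:<operation>`. The `security-oidc-*` property names are invented for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

// Example only: validates the access token Pulse presents to JMX by asking the OP's
// token introspection endpoint (RFC 7662), caches the answer until the token expires,
// and authorizes each JMX operation by the scopes the OP reports for that token.
public class OidcIntrospectionSecurityManager implements SecurityManager {
  /** Principal returned by authenticate() and handed back to authorize(). */
  public static final class TokenPrincipal {
    final String subject;
    final Set<String> scopes;
    final Instant expiresAt;
    TokenPrincipal(String subject, Set<String> scopes, Instant expiresAt) {
      this.subject = subject; this.scopes = scopes; this.expiresAt = expiresAt;
    }
    boolean expired() { return !expiresAt.isAfter(Instant.now()); }
  }

  private final HttpClient http = HttpClient.newHttpClient();
  private final ObjectMapper json = new ObjectMapper();
  private final ConcurrentHashMap<String, TokenPrincipal> cache = new ConcurrentHashMap<>();
  private URI introspectionUri;
  private String basicAuth;

  @Override
  public void init(Properties securityProps) {
    // Assumed property names: this example's, not Geode's or Pulse's.
    introspectionUri = URI.create(securityProps.getProperty("security-oidc-introspection-uri"));
    String pair = securityProps.getProperty("security-oidc-client-id") + ":"
        + securityProps.getProperty("security-oidc-client-secret");
    basicAuth = "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    // Assumption: Pulse hands the OP access token to the JMX manager in the password slot.
    String token = credentials.getProperty(SecurityManager.PASSWORD);
    if (token == null || token.isBlank()) {
      throw new AuthenticationFailedException("no access token presented");
    }
    TokenPrincipal cached = cache.get(token);
    if (cached != null && !cached.expired()) {
      return cached; // still valid: no round trip to the OP
    }
    TokenPrincipal principal = introspect(token); // unknown or expired: ask the OP
    cache.put(token, principal);
    return principal;
  }

  private TokenPrincipal introspect(String token) throws AuthenticationFailedException {
    String form = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8) + "&token_type_hint=access_token";
    HttpRequest request = HttpRequest.newBuilder(introspectionUri)
        .header("Authorization", basicAuth) // client-authenticated backchannel call, like POST /token
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    JsonNode body;
    try {
      HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
      if (response.statusCode() != 200) {
        throw new AuthenticationFailedException("introspection returned HTTP " + response.statusCode());
      }
      body = json.readTree(response.body());
    } catch (IOException | InterruptedException e) {
      throw new AuthenticationFailedException("introspection failed: " + e.getMessage());
    }
    // RFC 7662: "active": false covers revoked, expired and unknown tokens alike.
    if (!body.path("active").asBoolean(false)) {
      throw new AuthenticationFailedException("access token is not active");
    }
    // exp is optional in RFC 7662; this example requires it so the cache entry can expire.
    Instant exp = Instant.ofEpochSecond(body.path("exp").asLong(0));
    if (!exp.isAfter(Instant.now())) {
      throw new AuthenticationFailedException("access token has expired or carries no exp");
    }
    Set<String> scopes = Set.copyOf(Arrays.asList(body.path("scope").asText("").trim().split("\\s+")));
    return new TokenPrincipal(body.path("sub").asText(), scopes, exp);
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    if (!(principal instanceof TokenPrincipal) || ((TokenPrincipal) principal).expired()) {
      return false; // an expired token must not keep authorizing an already-open connection
    }
    // Assumed scope naming "<resource>:<operation>", e.g. "cluster:read" or "data:manage".
    String needed = permission.getResource().name().toLowerCase() + ":"
        + permission.getOperation().name().toLowerCase();
    return ((TokenPrincipal) principal).scopes.contains(needed);
  }
}
```

Two design points worth noting: the cache is keyed by the opaque token string and is only trusted while the OP-reported `exp` is in the future, so a revoked token is honoured for at most its remaining lifetime; and `authorize` re-checks expiry because the JMX connection Pulse opened stays in `clusterMap` after the token that authenticated it has expired.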
Refreshing Expired Access Tokens
If the OP issues a refresh token, Pulse attempts to refresh the user's access token when it expires.
Automatic Disconnect and Logout When Unable to Refresh
If there is no refresh token, if the refresh token has expired, or if the OP declines to refresh the expired access token, Pulse disconnects from the JMX manager and logs the user out of the Pulse browser session.
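The two paragraphs above describe a refresh attempt followed by a disconnect-and-logout when the attempt cannot succeed. The following added example (not Pulse's own code) shows that exchange with the OP and the resulting decision. It assumes Java 11 and Jackson, an OP token endpoint that accepts the standard `refresh_token` grant with HTTP Basic client authentication, and two caller-supplied hooks that stand in for Pulse's own JMX disconnect and session invalidation, whose internals the page does not show.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Example only: refreshes an expired access token with the OP, or reports that it cannot.
public class AccessTokenRefresher {
  /** The tokens a session holds, with an absolute expiry for the access token. */
  public static final class Tokens {
    public final String accessToken;
    public final String refreshToken; // null when the OP issued none
    public final Instant accessTokenExpiry;
    public Tokens(String accessToken, String refreshToken, Instant accessTokenExpiry) {
      this.accessToken = accessToken; this.refreshToken = refreshToken; this.accessTokenExpiry = accessTokenExpiry;
    }
    public boolean accessTokenExpired() { return !accessTokenExpiry.isAfter(Instant.now()); }
  }

  private final HttpClient http = HttpClient.newHttpClient();
  private final ObjectMapper json = new ObjectMapper();
  private final URI tokenUri;
  private final String basicAuth;

  public AccessTokenRefresher(URI tokenUri, String clientId, String clientSecret) {
    this.tokenUri = tokenUri;
    String pair = clientId + ":" + clientSecret;
    this.basicAuth = "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * Returns a fresh token set, or empty when there is no refresh token, the refresh token
   * itself has expired or been revoked (the OP answers 400 with "invalid_grant"), or the OP
   * otherwise declines. Empty is the signal to disconnect and log out.
   */
  public Optional<Tokens> refresh(Tokens current) {
    if (current.refreshToken == null) {
      return Optional.empty();
    }
    String form = "grant_type=refresh_token&refresh_token="
        + URLEncoder.encode(current.refreshToken, StandardCharsets.UTF_8);
    HttpRequest request = HttpRequest.newBuilder(tokenUri)
        .header("Authorization", basicAuth) // backchannel call, never via the browser
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    try {
      HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
      JsonNode body = json.readTree(response.body());
      if (response.statusCode() != 200 || !body.hasNonNull("access_token")) {
        return Optional.empty(); // e.g. {"error":"invalid_grant"}
      }
      Instant expiry = Instant.now().plusSeconds(body.path("expires_in").asLong(0));
      // The OP may rotate the refresh token; keep the old one only when no new one is returned.
      String refreshToken = body.hasNonNull("refresh_token")
          ? body.get("refresh_token").asText() : current.refreshToken;
      return Optional.of(new Tokens(body.get("access_token").asText(), refreshToken, expiry));
    } catch (IOException | InterruptedException e) {
      return Optional.empty();
    }
  }

  /**
   * Called before a JMX request: hands back usable tokens, refreshing first if the access
   * token has expired; when no refresh is possible it disconnects and logs out, then returns empty.
   */
  public Optional<Tokens> ensureFresh(Tokens current, Runnable disconnectJmx, Runnable logoutSession) {
    if (!current.accessTokenExpired()) {
      return Optional.of(current);
    }
    Optional<Tokens> refreshed = refresh(current);
    if (refreshed.isEmpty()) {
      disconnectJmx.run();   // drop the JMX connection that was opened with the old token
      logoutSession.run();   // invalidate the browser session so the user re-authenticates with the OP
    }
    return refreshed;
  }
}
```

Note that a missing `expires_in` yields an already-expired token, which forces another refresh on the next request rather than silently trusting the token indefinitely; an OP that omits `expires_in` should be handled with a configured default instead.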