Pulse configures Spring to authenticate the user by delegating authentication to an OpenID Connect Provider (OP).

Authenticating with OpenID Connect

Pulse uses the configured OpenID Connect Provider (OP) to authenticate the user and to obtain the user's permission to access their cluster via JMX.

@startuml

title Pulse Authenticates with OpenID Connect Provider (OP)

participant User as user
participant Browser as browser
participant "Pulse (Spring)" as spring
participant OP as op

user -> browser +: /<protected-uri>
browser -> spring +: /<protected-uri>
return redirect: /login

browser -> spring +: /login
note right spring
  Spring generates this /login
  page to handle all interaction
  with the configured OP
end note
return Button: "Log in with OP"
return Button: "Log in with OP"

user -> browser +: click OP button
browser -> op +: /authorize
note right
  Request includes:
  - client id
  - list of requested scopes
  - redirect-uri
  - Spring session identifier
  - other details
end note
return OP login form
return OP login form

user -> browser +: Credentials
browser -> op +: POST Credentials
return Authorization form for Pulse
note right
  Authorization form includes
  checkboxes for the scopes
  defined in the OP's Pulse client
end note
return Checkboxes

user -> browser +: Select scopes
browser -> op +: POST Scope selection
return redirect: /<redirect-uri>
note right
  Redirect URI includes:
  - grant code
  - Spring session identifier
  - other details
end note
browser -> spring +: /<redirect-uri>
spring -> op +: POST /token
note right
  Backchannel request
  (NOT via browser):
  - client id
  - client secret
  - grant code
  - other details
end note

return idToken,\naccessToken,\nrefreshToken

note right spring
  Spring saves the tokens
  in the current session
end note

return redirect: /clusterDetail
browser -> spring +: /clusterDetail
return Cluster detail HTML
return Cluster detail Page

@enduml
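As an added illustration, not code from Pulse or from Spring Security, the following Python models the exchange in the diagram above: Spring builds the /authorize request carrying a session-bound state value, the OP redirects back with a one-time grant code, and Spring exchanges that code on the back channel using the client secret before saving the tokens in the session. The OpenIdProvider and SpringClient classes, the client identifiers, the redirect URI and the token contents are all constructed for the example.

```python
import hmac
import secrets
import urllib.parse

# Constructed values standing in for the OP's registered Pulse client (not real endpoints).
CLIENT_ID = "pulse"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://pulse.example/login/oauth2/code/op"
AUTHORIZE_ENDPOINT = "https://op.example/authorize"


def query_params(url):
    """Return the query string of a URL as a dict."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class OpenIdProvider:
    """Constructed OP: front-channel /authorize and back-channel /token, as in the diagram."""

    def __init__(self):
        self._codes = {}  # grant code -> (sub, granted scopes); every code is single-use

    def authorize(self, authorize_url, sub):
        """After the user logs in and ticks the scope checkboxes, redirect back to Pulse."""
        q = query_params(authorize_url)
        if q["client_id"] != CLIENT_ID or q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or unregistered redirect URI")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (sub, q["scope"].split())
        # 'state' is echoed back untouched so Spring can bind the response to its session
        return REDIRECT_URI + "?" + urllib.parse.urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code):
        """Back-channel POST /token: the client secret is required and the grant code is consumed."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used grant code")
        sub, scopes = entry
        return {
            "id_token": f"id:{sub}",  # constructed stand-in for a signed ID token
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": secrets.token_urlsafe(16),
            "scope": " ".join(scopes),
        }


class SpringClient:
    """Constructed stand-in for Spring's OAuth2 login handling; one instance per browser session."""

    def __init__(self, op, scopes):
        self.op = op
        self.scopes = scopes
        self.session = {}  # what Spring keeps in the HTTP session

    def login_redirect(self):
        """Build the /authorize URL; a fresh random 'state' is stored in the session."""
        self.session["state"] = secrets.token_urlsafe(16)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": " ".join(self.scopes),
            "state": self.session["state"],
        }
        return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)

    def callback(self, redirect_url):
        """Handle /<redirect-uri>: check 'state', exchange the code on the back channel, save tokens."""
        q = query_params(redirect_url)
        expected = self.session.pop("state", None)  # single-use
        if expected is None or not hmac.compare_digest(q.get("state", ""), expected):
            raise PermissionError("state mismatch: response is not bound to this session")
        self.session["tokens"] = self.op.token(CLIENT_ID, CLIENT_SECRET, q["code"])
        return "/clusterDetail"


def run_login(sub="alice"):
    """Drive one complete login for a constructed user; returns the session, landing page, OP and redirect."""
    op = OpenIdProvider()
    spring = SpringClient(op, ["openid", "cluster.read"])
    authorize_url = spring.login_redirect()           # browser -> op: /authorize
    redirect_url = op.authorize(authorize_url, sub)   # op -> browser: redirect to /<redirect-uri>
    landing = spring.callback(redirect_url)           # browser -> spring; spring -> op: POST /token
    return spring.session, landing, op, redirect_url


if __name__ == "__main__":
    session, landing, _, _ = run_login()
    print(landing, session["tokens"]["scope"])
```

The two checks worth noticing are the ones the diagram only hints at: the state value ties the OP's redirect to the session that started the login, and the grant code is useless on its own because the back-channel exchange needs the client secret and accepts each code once.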

Authorizing With Access Tokens

During authentication, Pulse requests an access token along with the ID token. Internally, Pulse uses the access token to log into the Geode cluster's JMX manager.

@startuml

title Pulse Connects to Geode JMX with the User's Access Token

participant "Pulse Page\nJavascript" as page
participant "Pulse\nController" as pulse
participant Repository as repository
participant Spring as spring
participant Cluster as cluster
participant "Geode JMX" as jmx
participant "Custom\nSecurity\nManager" as sm

page -> pulse +: /<some-data-url>
pulse -> repository +: getCluster()
repository -> spring +: get authenticated user details
return sub, accessToken, refreshToken

repository -> repository : clusterMap.get(sub)

alt if no cluster for current user (sub)

repository -> cluster *:new
repository -> cluster +: connect(accessToken)

cluster -> jmx +: connect(accessToken)
note over jmx
  Omitted: Details of how Geode JMX
  routes connection requests to the
  custom security manager
end note
jmx -> sm +: authenticate(accessToken)
note over sm
  Security manager:
  - Decides whether to authenticate.
  - May use information from the access
    token.
  - May send the access token to the OP
    to request information about user.
  - May cache the access token or other
    information about the user.
  - Creates a "principal" that represents
    the authenticated user.
end note
return principal
return connection
return
repository -> repository : clusterMap.put(sub, cluster)
end
return cluster

pulse -> cluster +: get data
cluster -> jmx +: get data
jmx -> sm +: authorize(principal, operation)
note over sm
  Security manager decides whether
  to authorize the principal to
  perform the operation.
end note
return true
return data
return data
return data


@enduml
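The diagram leaves the custom security manager abstract. The following is an added illustration, not Geode's or Pulse's code, of one way to implement authenticate(accessToken) and authorize(principal, operation) when the OP's access tokens can be verified locally: the token is a compact HMAC-signed payload, a verified principal is cached until the token's expiry, and operations are authorized from the scopes in the token. The token format, the shared key OP_SIGNING_KEY, the issue_access_token() stand-in for the OP, and the scope-to-operation table are assumptions made for the example; a real deployment would verify against the OP's published keys or call its introspection endpoint, which the note in the diagram mentions as an option.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: a key shared by the OP stand-in and the security manager so tokens can be
# verified locally without a round trip to the OP.
OP_SIGNING_KEY = b"constructed-op-signing-key"


def issue_access_token(sub, scopes, ttl_seconds, now=None):
    """Constructed OP stand-in: mint a compact HMAC-signed token base64(payload).base64(mac)."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "scope": " ".join(scopes), "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(OP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(mac).decode()}"


class AuthenticationFailed(Exception):
    """Raised by authenticate(); Geode JMX would turn this into a rejected connection."""


class Principal:
    """The authenticated user as seen by Geode; carries only what authorize() needs."""

    def __init__(self, sub, scopes):
        self.sub = sub
        self.scopes = frozenset(scopes)


class SecurityManager:
    """Custom security manager from the diagram: authenticate(accessToken), authorize(principal, op)."""

    # Constructed mapping from JMX operations to the OP scopes that permit them.
    OPERATION_SCOPES = {
        "CLUSTER:READ": {"cluster.read", "cluster.manage"},
        "CLUSTER:MANAGE": {"cluster.manage"},
    }

    def __init__(self):
        self._cache = {}  # access token -> (principal, exp); re-verified once exp has passed

    def authenticate(self, access_token, now=None):
        now = time.time() if now is None else now
        cached = self._cache.get(access_token)
        if cached is not None and cached[1] > now:
            return cached[0]
        try:
            payload_b64, mac_b64 = access_token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except ValueError as exc:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            raise AuthenticationFailed("malformed access token") from exc
        expected = hmac.new(OP_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise AuthenticationFailed("access token signature does not verify")
        claims = json.loads(payload)
        if claims["exp"] <= now:
            self._cache.pop(access_token, None)
            raise AuthenticationFailed("access token has expired")
        principal = Principal(claims["sub"], claims["scope"].split())
        self._cache[access_token] = (principal, claims["exp"])
        return principal

    def authorize(self, principal, operation):
        """Allow the operation only if the principal holds one of the scopes that permit it."""
        return bool(principal.scopes & self.OPERATION_SCOPES.get(operation, set()))


if __name__ == "__main__":
    sm = SecurityManager()
    token = issue_access_token("alice", ["cluster.read"], ttl_seconds=60)
    p = sm.authenticate(token)
    print(p.sub, sm.authorize(p, "CLUSTER:READ"), sm.authorize(p, "CLUSTER:MANAGE"))
```

The cache is keyed by the token itself and bounded by the token's own exp claim, so a cached principal never outlives the token that produced it; the signature check runs before any claim is read, and an unknown operation is denied rather than defaulting to allowed.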


Refreshing Expired Access Tokens

If the OP issues a refresh token, Pulse attempts to refresh the user's access token when it expires.

@startuml

title Pulse Refreshes an Expired Access Token and Reconnects to Geode JMX

participant "Pulse Page\nJavascript" as page
participant "Pulse\nController" as pulse
participant Repository as repository
participant Spring as spring
participant Cluster as cluster
participant OP as op
participant "Geode JMX" as jmx
participant "Custom\nSecurity\nManager" as sm

page -> pulse +: /<some-data-url>
pulse -> repository +: getCluster()
repository -> spring +: get authenticated user details
return sub, accessToken, refreshToken

alt if accessToken has expired but refreshToken has not expired

repository -> op +: refresh(accessToken, refreshToken)
return newAccessToken, newRefreshToken

repository -> spring : save newAccessToken, newRefreshToken

repository -> repository : clusterMap.get(sub)
repository -> cluster +: disconnect
cluster -> jmx +: disconnect
return
return

repository -> cluster +:connect(newAccessToken)
cluster -> jmx +:connect(newAccessToken)
jmx -> sm +: authenticate(newAccessToken)
return principal
return connection
return

end

return cluster

pulse -> cluster +: get data
cluster -> jmx +: get data
jmx -> sm +: authorize(principal, operation)
return true
return data
return data
return data

@enduml


Automatic Disconnect and Logout When Unable to Refresh

If there is no refresh token, or if the refresh token has expired, or if the OP declines to refresh the expired access token, Pulse disconnects from the JMX manager and logs the user out of the Pulse browser session.

This diagram shows only the "expired refresh token" scenario, but the flow is very similar if the refresh token is missing or the OP declines the refresh request.

@startuml

title Pulse Disconnects from Geode JMX When the User's Refresh Token Expires

participant Browser as browser
participant "Pulse Page\nJavascript" as page
participant "Pulse\nController" as pulse
participant Repository as repository
participant Spring as spring
participant Cluster as cluster
participant "Geode JMX" as jmx

browser -> page +: /clusterDetail
page -> pulse +: /<some-data-url>
pulse -> repository +: getCluster()
repository --> spring +: get authenticated user details
return sub, accessToken, refreshToken

alt if accessToken and refreshToken have both expired
repository -> repository : clusterMap.get(sub)
repository -> cluster +: disconnect
cluster -> jmx +: disconnect
return
return
repository -> repository : clusterMap.remove(sub)
end

return authentication exception
return "UNAUTHORIZED"
return redirect: /<logout-page>

note right browser
  Spring:
  - Logs user out of browser session
  - Redirects to "end of session" URL
end note


@enduml
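The refresh flow in the previous section and the disconnect-and-logout flow above are two branches of one decision inside the repository's getCluster(). The following added example, in Python rather than Pulse's Java and not the project's own code, models that decision with constructed stand-ins for Spring's session, the OP's refresh endpoint and the Geode JMX connection: a valid access token reuses the cached Cluster, an expired one is refreshed and the JMX connection re-established, and a refresh that is impossible or declined tears the connection down and surfaces the authentication exception that makes the controller answer UNAUTHORIZED. Class names, token lifetimes and the timeline are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


class AuthenticationException(Exception):
    """The user can no longer be authenticated to JMX; the controller answers UNAUTHORIZED."""

@dataclass
class Token:
    value: str
    expires_at: float  # seconds on the same clock as the 'now' passed through the calls
    def expired(self, now):
        return self.expires_at <= now

@dataclass
class UserDetails:  # what Spring hands back: sub, accessToken, refreshToken
    sub: str
    access: Token
    refresh: Optional[Token]

class OpStub:
    """Constructed OP stand-in: honours an unexpired refresh token unless told to decline."""
    def __init__(self, decline=False, access_ttl=300, refresh_ttl=3600):
        self.decline, self.access_ttl, self.refresh_ttl, self.refresh_calls = decline, access_ttl, refresh_ttl, 0
    def refresh(self, refresh_token, now):
        self.refresh_calls += 1
        if self.decline or refresh_token.expired(now):
            raise AuthenticationException("OP declined to refresh the access token")
        return Token(f"access@{now}", now + self.access_ttl), Token(f"refresh@{now}", now + self.refresh_ttl)

class JmxStub:
    """Constructed Geode JMX stand-in: its security manager rejects expired tokens."""
    def __init__(self):
        self.connections = 0
    def connect(self, token, now):
        if token.expired(now):
            raise AuthenticationException("security manager rejected an expired access token")
        self.connections += 1
    def disconnect(self):
        self.connections -= 1

class Cluster:
    """Pulse's per-user connection to the Geode JMX manager."""
    def __init__(self, jmx):
        self.jmx, self.connected = jmx, False
    def connect(self, token, now):
        self.jmx.connect(token, now)
        self.connected = True
    def disconnect(self):
        if self.connected:
            self.jmx.disconnect()
            self.connected = False

class Repository:
    """getCluster() as drawn in the JMX diagrams above; one Cluster per user, keyed by sub."""
    def __init__(self, session, op, jmx):
        self.session, self.op, self.jmx = session, op, jmx  # session: dict standing in for Spring's
        self.cluster_map = {}
    def get_cluster(self, now):
        details = self.session["user"]
        if details.access.expired(now):
            try:
                if details.refresh is None or details.refresh.expired(now):
                    raise AuthenticationException("no usable refresh token")
                new_access, new_refresh = self.op.refresh(details.refresh, now)
            except AuthenticationException:
                cluster = self.cluster_map.pop(details.sub, None)  # automatic disconnect
                if cluster is not None:
                    cluster.disconnect()
                raise
            details = self.session["user"] = UserDetails(details.sub, new_access, new_refresh)
            if details.sub in self.cluster_map:  # reconnect with the fresh token
                self.cluster_map[details.sub].disconnect()
                self.cluster_map[details.sub].connect(new_access, now)
        if details.sub not in self.cluster_map:
            cluster = Cluster(self.jmx)
            cluster.connect(details.access, now)
            self.cluster_map[details.sub] = cluster
        return self.cluster_map[details.sub]

def controller_get_data(repository, now):
    """Pulse controller: 'OK' when the cluster is reachable, 'UNAUTHORIZED' so the page logs out."""
    try:
        repository.get_cluster(now)
        return "OK"
    except AuthenticationException:
        return "UNAUTHORIZED"

def run_scenario(decline_refresh=False):
    """Constructed timeline: login at t=0 (access ttl 300 s, refresh ttl 3600 s), requests at t=10, 400, 5000."""
    session = {"user": UserDetails("alice", Token("access@0", 300), Token("refresh@0", 3600))}
    op, jmx = OpStub(decline=decline_refresh), JmxStub()
    repo = Repository(session, op, jmx)
    results = [controller_get_data(repo, now) for now in (10, 400, 5000)]
    return results, op.refresh_calls, jmx.connections, len(repo.cluster_map)
```

run_scenario() walks one user through all three outcomes: the first request connects, the second finds the access token expired and refreshes it, and the third finds both tokens expired, so the cluster is disconnected and removed from the map and the controller reports UNAUTHORIZED. The same teardown runs when the OP declines the refresh or when no refresh token was issued, which is why the page describes those cases as following the same flow.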