
Pulse can be configured to delegate authentication to an OpenID Connect Provider (OP).

Authenticating with OpenID Connect

Pulse configures Spring to delegate authentication to the configured OpenID Connect Provider (OP). The OP authenticates the user and obtains the user's permission for Pulse to access their cluster via JMX.

@startuml

title Pulse Authenticates with OpenID Connect Provider (OP)

participant User as user
participant Browser as browser
participant "Pulse (Spring)" as spring
participant OP as op

user -> browser +: /<protected-uri>
browser -> spring +: /<protected-uri>
return redirect: /login

browser -> spring +: /login
note right spring
  Spring generates this /login
  page to handle all interaction
  with the configured OP
end note
return Button: "Log in with OP"
return Button: "Log in with OP"

user -> browser +: click OP button
browser -> op +: /authorize
note right
  Request includes:
  - client id
  - list of requested scopes
  - redirect-uri
  - Spring session identifier
  - other details
end note
return OP login form
return OP login form

user -> browser +: Credentials
browser -> op +: POST Credentials
return Authorization form for Pulse
note right
  Authorization form includes
  checkboxes for the scopes
  defined in the OP's Pulse client
end note
return Checkboxes

user -> browser +: Select scopes
browser -> op +: POST Scope selection
return redirect: /<redirect-uri>
note right
  Redirect URI includes:
  - grant code
  - Spring session identifier
  - other details
end note
browser -> spring +: /<redirect-uri>
spring -> op +: POST /token
note right
  Backchannel request
  (NOT via browser):
  - client id
  - client secret
  - grant code
  - other details
end note

return idToken,\naccessToken,\nrefreshToken

note right spring
  Spring saves the tokens
  in the current session
end note

return redirect: /clusterDetail
browser -> spring +: /clusterDetail
return Cluster detail HTML
return Cluster detail Page

@enduml

...

If there is no refresh token, or if the refresh token has expired, or if the OP declines to refresh the expired access token, Pulse disconnects from the JMX manager and logs the user out of the Pulse browser session.

This diagram shows only the "expired refresh token" scenario, but the flow is very similar if the refresh token is missing or the OP declines the refresh request.

@startuml

title Pulse Disconnects from Geode JMX When the User's Refresh Token Expires

participant Browser as browser
participant "Pulse Page\nJavascript" as page
participant "Pulse\nController" as pulse
participant Repository as repository
participant Spring as spring
participant Cluster as cluster
participant "Geode JMX" as jmx

browser -> page +: /clusterDetail
page -> pulse +: /<some-data-url>
pulse -> repository +: getCluster()
repository --> spring +: get authenticated user details
return sub, accessToken, refreshToken

alt if accessToken and refreshToken have both expired
repository -> repository : clusterMap.get(sub)
repository -> cluster +: disconnect
cluster -> jmx +: disconnect
return
return
repository -> repository : clusterMap.remove(sub)
end

return authentication exception
return "UNAUTHORIZED"
return redirect: /<logout-page>

note right browser
  Spring:
  - Logs user out of browser session
  - Redirects to "end of session" URL
end note


@enduml
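The decision in the diagram above, together with the three failure causes listed before it (no refresh token, expired refresh token, OP declines the refresh), modelled as an added Python example that is not Pulse's own code: the `Repository`, `Cluster` and `controller` names, the `refresh_with_op` callable standing in for the back-channel refresh request, and the `Tokens` fields are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional, Tuple

class AuthenticationException(Exception):
    """Raised by the repository; the controller answers the page with UNAUTHORIZED."""

@dataclass
class Tokens:
    access_expires_at: datetime
    refresh_token: Optional[str]            # None when the OP issued no refresh token
    refresh_expires_at: Optional[datetime]  # None when the OP gave it no lifetime

@dataclass
class Cluster:
    name: str
    jmx_connected: bool = True
    def disconnect(self) -> None:           # stands in for the Geode JMX disconnect
        self.jmx_connected = False

# Stand-in for the back-channel refresh request to the OP; None means the OP declined.
RefreshFn = Callable[[str], Optional[Tokens]]

class Repository:
    def __init__(self, refresh_with_op: RefreshFn) -> None:
        self.cluster_map: Dict[str, Cluster] = {}
        self._refresh_with_op = refresh_with_op

    def get_cluster(self, sub: str, tokens: Tokens, now: datetime) -> Tuple[Cluster, Tokens]:
        if now < tokens.access_expires_at:
            return self.cluster_map[sub], tokens    # access token still valid, no OP round trip
        usable = tokens.refresh_token is not None and (
            tokens.refresh_expires_at is None or now < tokens.refresh_expires_at)
        refreshed = self._refresh_with_op(tokens.refresh_token) if usable else None
        if refreshed is None:
            # No/expired refresh token, or OP declined: drop JMX connection, forget cluster, fail auth.
            cluster = self.cluster_map.pop(sub, None)
            if cluster is not None:
                cluster.disconnect()
            raise AuthenticationException(f"session for {sub} cannot be refreshed")
        return self.cluster_map[sub], refreshed

def controller(repo: Repository, sub: str, tokens: Tokens, now: datetime) -> str:
    """Mirrors the controller's reply to the page script: cluster data or UNAUTHORIZED."""
    try:
        cluster, _ = repo.get_cluster(sub, tokens, now)
    except AuthenticationException:
        return "UNAUTHORIZED"
    return f"cluster data for {cluster.name}"
```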