Pulse can be configured to delegate authentication to an OpenID Connect Provider (OP).

Authenticating with OpenID Connect

Pulse configures Spring to delegate authentication to the configured OpenID Connect Provider (OP), both to authenticate the user and to obtain the user's permission to access their cluster via JMX.

@startuml

title Pulse Authenticates with OpenID Connect Provider (OP)

participant User as user
participant Browser as browser
participant "Pulse (Spring)" as spring
participant OP as op

user -> browser +: /<protected-uri>
browser -> spring +: /<protected-uri>
return redirect: /login

browser -> spring +: /login
note right spring
  Spring generates this /login
  page to handle all interaction
  with the configured OP
end note
return Button: "Log in with OP"
return Button: "Log in with OP"

user -> browser +: click OP button
browser -> op +: /authorize
note right
  Request includes:
  - client id
  - list of requested scopes
  - redirect-uri
  - Spring session identifier
  - other details
end note
return OP login form
return OP login form

user -> browser +: Credentials
browser -> op +: POST Credentials
return Authorization form for Pulse
note right
  Authorization form includes
  checkboxes for the scopes
  defined in the OP's Pulse client
end note
return Checkboxes

user -> browser +: Select scopes
browser -> op +: POST Scope selection
return redirect: /<redirect-uri>
note right
  Redirect URI includes:
  - grant code
  - Spring session identifier
  - other details
end note
browser -> spring +: /<redirect-uri>
spring -> op +: POST /token
note right
  Backchannel request
  (NOT via browser):
  - client id
  - client secret
  - grant code
  - other details
end note

return idToken,\naccessToken,\nrefreshToken

note right spring
  Spring saves the tokens
  in the current session
end note

return redirect: /clusterDetail
browser -> spring +: /clusterDetail
return Cluster detail HTML
return Cluster detail Page

@enduml
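The two requests the diagram turns on, the browser's /authorize request and the backchannel POST /token, sketched in Python as an added example (not Pulse or Spring code). The endpoints, client values and scope names are constructed placeholders, and the diagram's "Spring session identifier" is modelled here as the standard OAuth 2.0 state parameter, which is an assumption.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# All endpoints, client values and scope names are constructed placeholders.
OP_AUTHORIZE = "https://op.example.test/authorize"
CLIENT_ID = "pulse-client"
CLIENT_SECRET = "constructed-secret"
REDIRECT_URI = "https://pulse.example.test/redirect-uri"


def build_authorize_url(session, scopes):
    """Front-channel request the browser carries to the OP's /authorize."""
    # Assumption: a random per-login value kept in the server-side session.
    session["state"] = secrets.token_urlsafe(32)
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
    }
    return OP_AUTHORIZE + "?" + urlencode(query)


def handle_redirect(session, callback_url):
    """Validate the OP's redirect and return the form body for POST /token."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed redirect fails
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in params:
        raise ValueError("OP returned error: " + params["error"][0])
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no grant code")
    # Backchannel body: the client secret travels server to server only,
    # so it never appears in a URL the browser sees.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```

The state check is what ties the grant code in the redirect to the session that started the login; without it, a grant code issued for a different login could be delivered into the user's session.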

...