Authentication flow
OpenID Connect (OIDC) is a protocol that allows applications (also called relying parties, or RPs) to authenticate users with an external server called the OpenID Connect Provider (OP). OIDC is based on OAuth2 and thus also provides full OAuth2 support. The general OAuth2/OIDC authentication flow is depicted in the picture below.

This image/text is adapted from Mozilla's infosec.mozilla.org, licensed under the Mozilla Public License 2.0
In SAMO, the authentication flow includes these major steps:
- Incoming request to /auth/login.
- Redirected to provider entry point /auth/oidc/authorize-client/{id}.
- Redirected to provider.
- After authentication on provider side, redirected to /auth/oidc/login/code.
- After successful authentication, redirected to /auth/oidc/loginSuccess.
- If synchronization is enabled, the user is synchronized via userNameAttribute = externalId. If there is no match, a new user is created.
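The synchronization step in the last bullet, sketched as an added example (not SAMO's own code): `UserStore`, `sync` and `SyncError` are hypothetical names, and the claims are assumed to come from an ID token that has already been validated. It shows the match-or-create decision on externalId and rejects a missing or empty claim instead of creating a user from it.

```python
# Added example: sketch of the synchronization step, not SAMO's implementation.
from dataclasses import dataclass, field
from itertools import count


class SyncError(Exception):
    """Raised when the token claims cannot be mapped to a user safely."""


@dataclass
class User:
    id: int
    external_id: str


@dataclass
class UserStore:
    # Hypothetical in-memory stand-in for the application's user table.
    users: dict = field(default_factory=dict)  # external_id -> User
    _ids: count = field(default_factory=lambda: count(1), repr=False)

    def sync(self, claims: dict, user_name_attribute: str, enabled: bool = True):
        """Return (user, created) for already-validated ID token claims."""
        if not enabled:
            return None, False
        value = claims.get(user_name_attribute)
        # A missing, empty or non-string claim must never match or create a user.
        if not isinstance(value, str) or not value.strip():
            raise SyncError(f"claim {user_name_attribute!r} missing or empty")
        # Exact comparison: no case folding or trimming that could merge identities.
        user = self.users.get(value)
        if user is not None:
            return user, False
        # No match on externalId: a new user is created.
        user = User(id=next(self._ids), external_id=value)
        self.users[value] = user
        return user, True


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample claims, with userNameAttribute assumed to be "sub".
    sample = {"sub": "op-user-1", "email": "alice@example.test"}
    print(store.sync(sample, "sub"))  # first login creates the user
    print(store.sync(sample, "sub"))  # second login matches the existing user
```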
Complete flow of the requests among SAMO modules is shown in this sequence diagram:
