Refactor Auth Flow #58
Comments
Original post:

We have decided on a more secure and standard auth flow that will allow us to use AbandonAuth as it was intended (serving as an identity and OAuth provider for many different applications).

The flow is as follows:

![auth_flow](https://private-user-images.githubusercontent.com/39353605/278431191-0e2003be-c3c5-4b6c-b31b-564bb36a027f.svg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjE5NjUzNjEsIm5iZiI6MTcyMTk2NTA2MSwicGF0aCI6Ii8zOTM1MzYwNS8yNzg0MzExOTEtMGUyMDAzYmUtYzNjNS00YjZjLWIzMWItNTY0YmIzNmEwMjdmLnN2Zz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MjYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzI2VDAzMzc0MVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWZiMjAxODE4OThkYWY3MjM4ZThlYjFiMzhmMTg1MTEzODczMGIwMjAzNDFmM2NhMWEyNThjZGVhZjZmMDFkZmMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.aNdLy8tcAJY_dolL_QileUWtZjmSF8Txun1xg0FKjFw)

- `aud` of the application ID (redundant, but maybe more secure)
- `aud` claim matches the authenticated developer application that sent the request

This solution was originally identified in #29 to solve known security issues.

---

Comment:

We will need to replace the auth flow diagrams in the readme as well. An enhanced version of the above diagram should be created for use in the actual readme. It will contain clear descriptions of each step. It may be useful to include multiple, similar auth flows for different types of deployments (separate frontend/backend, server-side rendered applications, frontend-only applications).

---

Comment:

New auth flow diagrams bumped to #61.
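The `aud` rule from the original post (put the application ID in the token's `aud` claim, and accept a token only when that claim matches the developer application that authenticated itself to make the request) is what stops a token minted for one application from being replayed against another. The following is an added, self-contained illustration of that check and is not AbandonAuth's own code; the page does not say which signing algorithm or claim layout the project uses, so this example assumes HS256 with a shared secret, an issuer name of `abandonauth`, and hypothetical application IDs `app-A` / `app-B`. It uses only the Python standard library so it runs offline.

```python
"""Minimal HS256 JWT issue/verify with an audience (aud) check.

Added illustration of the 'aud claim matches the requesting application'
rule discussed in the issue. Not AbandonAuth's code; algorithm, issuer
name and application IDs below are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "abandonauth"  # assumed issuer string, not taken from the project


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, application_id: str,
                now: int, ttl_seconds: int = 900) -> str:
    """Issue a JWT for user_id that is only valid for application_id.

    The application ID becomes the aud claim, so the token is bound to the
    one developer application it was requested for.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "aud": application_id,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token_for_application(secret: bytes, token: str,
                                 requesting_application_id: str,
                                 now: int) -> dict:
    """Verify signature, issuer, expiry and audience; return the claims.

    requesting_application_id is the ID the calling developer application
    authenticated as on this request. The token's aud must equal it, or the
    token was issued for a different application and is rejected.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64 and bad JSON too
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    # The check from the issue: aud must be the caller's own application ID.
    if claims.get("aud") != requesting_application_id:
        raise TokenError("token was not issued for this application")
    return claims


def token_is_valid_for(secret: bytes, token: str,
                       requesting_application_id: str, now: int) -> bool:
    """Boolean wrapper used by callers that only need accept/reject."""
    try:
        verify_token_for_application(secret, token,
                                     requesting_application_id, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for the demo
    now = int(time.time())
    tok = issue_token(secret, "user-42", "app-A", now)
    print("app-A accepts:", token_is_valid_for(secret, tok, "app-A", now))
    print("app-B accepts:", token_is_valid_for(secret, tok, "app-B", now))
```

In a deployment, `requesting_application_id` comes from the calling application's own authentication on the verification request (its client credentials, for instance), never from anything inside the token being checked. HS256 with one shared secret was chosen only to keep the example dependency-free; a provider serving many applications would more naturally sign with an asymmetric key so each application can verify locally with the public key while the `aud` check stays exactly the same.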