summaryrefslogtreecommitdiff
path: root/docs/oauth2/oauth2provider-server.dot
diff options
context:
space:
mode:
Diffstat (limited to 'docs/oauth2/oauth2provider-server.dot')
-rw-r--r--docs/oauth2/oauth2provider-server.dot215
1 files changed, 215 insertions, 0 deletions
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
new file mode 100644
index 0000000..bf7df75
--- /dev/null
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -0,0 +1,215 @@
+digraph oauthlib {
+ center="1"
+ edge [ style=bold ];
+
+ /* Web Framework Entry and Exit points */
+ {
+ node [ shape=hexagon ];
+ edge [ style=normal ];
+
+ webapi_request [ label="WebFramework\nHTTP request" ];
+ webapi_request:s ->
+ endpoint_authorize:top:n,
+ endpoint_token:top:n,
+ endpoint_introspect:top:n,
+ endpoint_revoke:top:n,
+ endpoint_resource:top:n;
+ webapi_response [ label="WebFramework\nHTTP response" ];
+ }
+
+ /* OAuthlib Endpoints */
+ {
+ rank=same;
+
+ endpoint_authorize [ shape=record; label="{<top>Authorize Endpoint|{create_authorize_response|{uri|method|body|headers|credentials}}|{<token>token|<code>code}}" ];
+ endpoint_token [ shape=record; label="{<top>Token Endpoint|{create_token_response|{uri|method|body|headers|credentials}}|{<authorization_code>authorization_code|<password>password|<client_credentials>client_credentials|<refresh_token>refresh_token}}" ];
+ endpoint_revoke [ shape=record; label="{<top>Revocation Endpoint|{create_revocation_response|{uri|method|body|headers}}}" ];
+ endpoint_introspect [ shape=record; label="{<top>Introspect Endpoint|{create_introspect_response|{uri|method|body|headers}}}" ];
+ endpoint_resource [ shape=record; label="{<top>Resource Endpoint|{verify_request|{uri|method|body|headers|scopes_list}}}" ];
+ }
+
+ /* OAuthlib RequestValidator Methods */
+ {
+ node [ shape=record ];
+
+ f_client_authentication_required [ label="{{<top>client_authentication_required|request}|{<true>True|<false>False}}"; ];
+ f_authenticate_client [ label="{{<top>authenticate_client|request}|{<true>True|<false>False}}";];
+ f_authenticate_client_id [ label="{{<top>authenticate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
+ f_validate_grant_type [ label="{{<top>validate_grant_type|{client_id|grant_type|client|request}}|{<true>True|<false>False}}"; ];
+ f_validate_code [ label="{{<top>validate_code|{client_id|code|request}}|{<true>True|<false>False}}"; ];
+ f_confirm_redirect_uri [ label="{{<top>confirm_redirect_uri|{client_id|code|redirect_uri|client|request}}|{<true>True|<false>False}}"; ];
+ f_get_default_redirect_uri [ label="{{<top>get_default_redirect_uri|{client_id|request}}|{<redirect_uri>redirect_uri|<none>None}}"; ];
+ f_invalidate_authorization_code [ label="{{<top>invalidate_authorization_code|{client_id|code|request}}|None}"; ];
+ f_validate_scopes [ label="{{<top>validate_scopes|{client_id|scopes|client|request}}|{<true>True|<false>False}}"; ];
+ f_save_bearer_token [ label="{{<top>save_bearer_token|{token|request}}|None}"; ];
+ f_revoke_token [ label="{{<top>revoke_token|{token|token_type_hint|request}}|None}"; ];
+ f_validate_client_id [ label="{{<top>validate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
+ f_validate_redirect_uri [ label="{{<top>validate_redirect_uri|{client_id|redirect_uri|request}}|{<true>True|<false>False}}"; ];
+ f_is_pkce_required [ label="{{<top>is_pkce_required|{client_id|request}}|{<true>True|<false>False}}"; ];
+ f_validate_response_type [ label="{{<top>validate_response_type|{client_id|response_type|client|request}}|{<true>True|<false>False}}"; ];
+ f_save_authorization_code [ label="{{<top>save_authorization_code|{client_id|code|request}}|None}"; ];
+ f_validate_bearer_token [ label="{{<top>validate_bearer_token|{token|scopes|request}}|{<true>True|<false>False}}"; ];
+ f_validate_refresh_token [ label="{{<top>validate_refresh_token|{refresh_token|client|request}}|{<true>True|<false>False}}"; ];
+ f_get_default_scopes [ label="{{<top>get_default_scopes|{client_id|request}}|{<scopes>[scopes]}}"; ];
+ f_get_original_scopes [ label="{{<top>get_original_scopes|{refresh_token|request}}|{<scopes>[scopes]}}"; ];
+ f_is_within_original_scope [ label="{{<top>is_within_original_scope|{refresh_scopes|refresh_token|request}}|{<true>True|<false>False}}"; ];
+ f_validate_user [ label="{{<top>validate_user|{username|password|client|request}}|{<true>True|<false>False}}"; ];
+ f_introspect_token [ label="{{<top>introspect_token|{token|token_type_hint|request}}|{<claims>\{claims\}|<none>None}}"; ];
+ }
+
+ /* OAuthlib Conditions */
+
+ if_code_challenge [ label="if code_challenge"; ];
+ if_redirect_uri [ label="if redirect_uri"; ];
+ if_redirect_uri_present [ shape=none;label="present"; ];
+ if_redirect_uri_missing [ shape=none;label="missing"; ];
+ if_scopes [ label="if scopes"; ];
+ if_all [ label="all(request_scopes not in scopes)"; ];
+
+ /* OAuthlib errors */
+ e_normal [ shape=none,label="ERROR" ];
+
+ /* Authorization Code - Access Token Request */
+ {
+ edge [ color=green ];
+
+ endpoint_token:authorization_code:s -> f_client_authentication_required;
+ f_client_authentication_required:true:s -> f_authenticate_client;
+ f_client_authentication_required:false -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> f_validate_grant_type;
+ f_authenticate_client_id:true:s -> f_validate_grant_type;
+ f_validate_grant_type:true:s -> f_validate_code;
+
+ f_validate_code:true:s -> if_redirect_uri;
+ if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
+ if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
+ if_redirect_uri_present -> f_confirm_redirect_uri;
+ if_redirect_uri_missing -> f_get_default_redirect_uri;
+
+ f_confirm_redirect_uri:true:s -> f_save_bearer_token;
+ f_get_default_redirect_uri -> f_save_bearer_token;
+
+ f_save_bearer_token -> f_invalidate_authorization_code;
+ f_invalidate_authorization_code -> webapi_response;
+ }
+ /* Authorization Code - Authorization Request */
+ {
+ edge [ color=darkgreen ];
+
+ endpoint_authorize:code:s -> f_validate_client_id;
+ f_validate_client_id:true:s -> if_redirect_uri;
+ if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
+ if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
+ if_redirect_uri_present -> f_validate_redirect_uri;
+ if_redirect_uri_missing -> f_get_default_redirect_uri;
+
+ f_validate_redirect_uri:true:s -> f_validate_response_type;
+ f_get_default_redirect_uri -> f_validate_response_type;
+ f_validate_response_type:true:s -> f_is_pkce_required;
+ f_is_pkce_required:true:s -> if_code_challenge;
+ f_is_pkce_required:false -> f_validate_scopes;
+
+ if_code_challenge -> f_validate_scopes [ label="present" ];
+ if_code_challenge -> e_normal [ label="missing" ];
+
+ f_validate_scopes:true:s -> f_save_authorization_code;
+ }
+
+ /* Implicit */
+ {
+ edge [ color=orange ];
+
+ endpoint_authorize:token:s -> f_validate_client_id;
+ f_validate_client_id:true:s -> if_redirect_uri;
+ if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
+ if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
+ if_redirect_uri_present -> f_validate_redirect_uri;
+ if_redirect_uri_missing -> f_get_default_redirect_uri;
+
+ f_validate_redirect_uri:true:s -> f_validate_response_type;
+ f_get_default_redirect_uri -> f_validate_response_type;
+ f_validate_response_type:true:s -> f_validate_scopes;
+ f_validate_scopes:true:s -> f_save_bearer_token;
+ }
+
+ /* Resource Owner Password Grant */
+ {
+ edge [ color=red ];
+
+ endpoint_token:password:s -> f_client_authentication_required;
+ f_client_authentication_required:true:s -> f_authenticate_client;
+ f_client_authentication_required:false -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> f_validate_user;
+ f_authenticate_client_id:true:s -> f_validate_user;
+ f_validate_user:true:s -> f_validate_grant_type;
+
+ f_validate_grant_type:true:s -> if_scopes;
+ if_scopes -> f_validate_scopes [ label="present" ];
+ if_scopes -> f_get_default_scopes [ label="missing" ];
+
+ f_validate_scopes:true:s -> f_save_bearer_token;
+ f_get_default_scopes -> f_save_bearer_token;
+ f_save_bearer_token -> webapi_response;
+ }
+
+ /* Client Credentials Grant */
+ {
+ edge [ color=blue ];
+
+ endpoint_token:client_credentials:s -> f_authenticate_client;
+ f_authenticate_client -> f_validate_grant_type;
+ f_validate_grant_type:true:s -> f_validate_scopes;
+ f_validate_scopes:true:s -> f_save_bearer_token;
+ f_save_bearer_token -> webapi_response;
+ }
+
+ /* Refresh Grant */
+ {
+ edge [ color=brown ];
+
+ endpoint_token:refresh_token:s -> f_client_authentication_required;
+ f_client_authentication_required:true:s -> f_authenticate_client;
+ f_client_authentication_required:false -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> f_validate_grant_type;
+ f_authenticate_client_id:true:s -> f_validate_grant_type;
+ f_validate_grant_type:true:s -> f_validate_refresh_token;
+ f_validate_refresh_token:true:s -> f_get_original_scopes;
+ f_get_original_scopes -> if_all;
+ if_all -> f_is_within_original_scope [ label="True" ];
+ if_all -> f_save_bearer_token [ label="False" ];
+ f_is_within_original_scope:true:s -> f_save_bearer_token;
+ f_save_bearer_token -> webapi_response;
+ }
+
+ /* Introspect Endpoint */
+ {
+ edge [ color=yellow ];
+
+ endpoint_introspect:s -> f_client_authentication_required [ label="" ];
+ f_client_authentication_required:true:s -> f_authenticate_client;
+ f_client_authentication_required:false -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> f_introspect_token;
+ f_authenticate_client_id:true:s -> f_introspect_token;
+ f_introspect_token:claims -> webapi_response;
+ }
+
+ /* Revocation Endpoint */
+ {
+ edge [ color=purple ];
+
+ endpoint_revoke:s -> f_client_authentication_required;
+ f_client_authentication_required:true:s -> f_authenticate_client;
+ f_client_authentication_required:false -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> f_revoke_token;
+ f_authenticate_client_id:true:s -> f_revoke_token;
+ f_revoke_token:s -> webapi_response;
+ }
+
+ /* Resource Access - Verify Request */
+ {
+ edge [ color=pink ];
+
+ endpoint_resource:s -> f_validate_bearer_token;
+ f_validate_bearer_token:true -> webapi_response;
+ }
+}