-
Notifications
You must be signed in to change notification settings - Fork 13
Authentication flow
Kelvin Chappell edited this page Nov 30, 2023
·
1 revision
sequenceDiagram
autonumber
Participant B as Browser
Participant A as Maybe authenticated action
Participant O as Auth server
Participant API
B->>A: Request
alt Signed-out cookie, GU_SO, present
A->>B: Without ID
else
alt Token cookies present
A->>A: Find auth tokens
A->>API: Use access token
A->>B: Use ID token
else
A->>O: Silent authentication
alt User signed in
A->>API: Use access token
A->>B: Use ID token
else
A->>B: Without ID
end
end
end
- Browser makes a request to a support-frontend endpoint that is wrapped in a MaybeAuthenticatedAction.
- As the user has recently signed out, the response is returned with any token cookies included in the request deleted. No calls to APIs will be possible and the response to the request will have no access to ID claims. Nevertheless, the response will still succeed.
See https://github.com/guardian/support-frontend/blob/main/support-frontend/app/actions/UserFromAuthCookiesActionBuilder.scala#L86 - The request includes a
GU_ID_TOKENcookie and aGU_ACCESS_TOKENcookie containing an ID and an access token respectively. These are verified and used to create aUserinstance, which is available for subsequent processing in the requested action.
See https://github.com/guardian/support-frontend/blob/main/support-frontend/app/actions/UserFromAuthCookiesActionBuilder.scala#L111 - The action makes calls out to APIs using the access token provided in the cookie.
- The response to the request uses the claims in the ID token to populate user-specific fields.
- The request is redirected through a silent auth code with PKCE flow. This responds with ID and access tokens if the user is signed in to the auth server.
See https://github.com/guardian/support-frontend/blob/main/support-frontend/app/controllers/AuthCodeFlowController.scala#L44-L68 - The action makes calls out to APIs using the access token provided by the auth flow.
- The response to the request includes new
GU_ID_TOKENandGU_ACCESS_TOKENcookies. The claims in the ID token are used to populate user-specific fields in the response. - As the user isn't signed in, no calls to APIs will be possible and the response to the request will have no access to ID claims. Nevertheless, the response will still succeed.
- Redux Glossary
- Why Redux Toolkit?
- Writing state slices with Redux Toolkit
- Handling action side effects in Redux
- Presentational and Container Components
- Scoped actions and reducers
- Server Side Rendering
- Form validation
- CI build process
- Post deployment testing
- Post deployment test runbook
- TIP Real User Testing
- Code testing and validation
- Visual testing
- Testing Apple Pay locally
- Test Users
- Deploying to CODE
- Automated IT tests
- Deploying Fastly VCL Snippets
- Authentication
- Switchboard
- How to make a fake contribution
- The epic and banner
- Environments
- Tech stack
- Supported browsers
- Contributions Internationalisation
- Payment method internationalisation in Guardian Weekly
- Print fulfilment/delivery
- Updating the acquisitions model
- Runscope testing
- Scala Steward for dependency management
- Alarm Investigations
- Ticker data
- Ophan
- Quantum Metric
- [Google Tag Manager] (https://github.com/guardian/support-frontend/wiki/Google-Tag-Manager)