OAuth Flow

Overview

The OAuth flow used to register a user through one or more external identity providers (Google, GitHub, ...).

Note: the part below is copied verbatim from NextAuth.

Flow

Without going into too much detail, the OAuth flow generally has 6 parts:

  1. The application requests authorization to access service resources from the user
  2. If the user authorized the request, the application receives an authorization grant
  3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API) and presents the access token for authentication
  6. If the access token is valid, the resource server (API) serves the resource to the application

```mermaid
sequenceDiagram
  participant Browser
  participant App Server
  participant Auth Server (Github)
  Note left of Browser: User clicks on "Sign in"
  Browser->>App Server: GET<br/>"api/auth/signin"
  App Server->>App Server: Computes the available<br/>sign in providers<br/>from the "providers" option
  App Server->>Browser: Redirects to Sign in page
  Note left of Browser: Sign in options<br/>are shown to the user<br/>(Github, Twitter, etc...)
  Note left of Browser: User clicks on<br/>"Sign in with Github"
  Browser->>App Server: POST<br/>"api/auth/signin/github"
  App Server->>App Server: Computes sign in<br/>options for Github<br/>(scopes, callback URL, etc...)
  App Server->>Auth Server (Github): GET<br/>"github.com/login/oauth/authorize"
  Note left of Auth Server (Github): Sign in options<br/>are supplied as<br/>query params<br/>(clientId,<br/>scope, etc...)
  Auth Server (Github)->>Browser: Shows sign in page<br/>in Github.com<br/>to the user
  Note left of Browser: User inserts their<br/>credentials in Github
  Browser->>Auth Server (Github): Github validates the inserted credentials
  Auth Server (Github)->>Auth Server (Github): Generates one time access code<br/>and calls callback<br/>URL defined in<br/>App settings
  Auth Server (Github)->>App Server: GET<br/>"api/auth/callback/github?code=123"
  App Server->>App Server: Grabs code<br/>to exchange it for<br/>access token
  App Server->>Auth Server (Github): POST<br/>"github.com/login/oauth/access_token"<br/>{code: 123}
  Auth Server (Github)->>Auth Server (Github): Verifies code is<br/>valid and generates<br/>access token
  Auth Server (Github)->>App Server: { access_token: 16C7x... }
  App Server->>App Server: Generates session token<br/>and stores session
  App Server->>Browser: You're now logged in!
```

Source Reference