Authentication and authorization are managed in common through most France-IOI applications, using the OAuth2 protocol. The authorization is centrally managed in the Login Module . The PHP clients share a lib which implement the OAuth2 client to Login Module : login-module-client .
The previous AlgoreaPlaform workflow and the different options are described in the working docs .
The following workflow uses OAuth2 “authorization code” workflow which is the only one which now recommended for SPAs.
click "login" Algorea Fron... Algorea Back... Login Module GET /oauth/authorize?scope=account&state=<state>&response_type=code
&code_challenge=<code_challenge>&code_challenge_method=S256
&client_id=17&locale=fr&redirect_uri=urlencoded_SPA_return_url
GET /oauth/authorize?scope=account&state=<state>&response_type=code... redirect to login prompt
enter credentials, consent, ...
enter credentials, consent, ...
302 redirect to https ://spa_url?code=...&state=... + set session cookie
302 redirect to https://spa_url?code=...&state=... + set session cookie POST https ://backend/auth/token
with code, code_verifier
POST https://backend/auth/token... access_token, expire_in
POST https://login-module/oauth/token
POST https://login-module/oauth/token... {access token:..., refresh_token:..., expires_in: 3600, type: bearer, scope: null }
{access token:..., refresh_token:...,... check credentials,
store consent
generate authorization code
check credentials,... update (or create) user
store access_token & refresh_token
update (or create) user... store access_token user info
GET /user_api/account user info
GET /current-user/ Generate:
- state: a random 32-byte string (->store it)
- code_verifier**: a random 32-byte string (->store it)
- code_challenge**: sha256(code_verifier)
(all base-64 encoded with +,/,= replaced)
(** requires login-module to support PKCE)
Generate:... update user info i... Extract code & state
Verify state
Extract code & state... redirect User Agent
Viewer does not support full SVG 1.1 click "logout" Algorea Fron... Algorea Back... Login Module logout request
logout request... ok + clear session cookie
ok + clear session cookie
clear all tokens
clear all tokens... auth popup POST /auth/logout
POST /auth/logout... access_token, expiry_in
store access_token
POST /auth/temp_user
clear all access_token & refresh_token for the user
clear all access_token & refresh_to... clear access_token
clear access_token... (may contact all servers to
(may contac... Viewer does not support full SVG 1.1 Algorea Fron... Algorea Back... Login Module POST /oauth/token
POST /oauth/token... new_access_token
gen new access_token
POST /auth/token
POST /auth/token... access_token, expiry_in
validate the token, fetch the refresh token
validate the token, fetch the refre... update access_token
only keep existing_access_token and new_access_token as access token for this user
only keep existing_access_token and... existing_access_token expires in less than 5min!
existing_access_token expires in less than... Viewer does not support full SVG 1.1 Table of contents