The following sequence diagram describes the general request flow. It shows where account provisioning and token minting happen:
```mermaid
sequenceDiagram
    participant user as User
    participant client as Client
    participant proxy as ocis-proxy
    participant idp as IdP
    participant accounts as ocis-accounts
    participant ldap as corporate LDAP server
    participant oc10 as oc10
    participant reva as reva

    user->>client: What is the content of my home?
    client->>proxy: PROPFIND Bearer auth using oidc auth token
    Note over client,proxy: What is in a bearer token? The spec recommends opaque tokens. Treat it as random byte noise.
    Note over proxy: the proxy MUST authenticate users using ocis-accounts because it needs to decide where to send the request

    proxy->>idp: GET /userinfo
    alt userinfo succeeds
        idp-->>proxy: 200 OK
        Note over proxy,idp: Content-Type: application/json {"sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://example.com/janedoe/me.jpg"}
    else userinfo fails
        idp-->>proxy: 401 Unauthorized
        Note over proxy,idp: WWW-Authenticate: error="invalid_token",error_description="The Access Token expired"
        proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp
        Note over client,proxy: start at login flow or refresh the token
    end

    proxy->>accounts: TODO API call to exchange sub@iss with account UUID
    Note over accounts,ldap: does not autoprovision users. They are explicitly provisioned later.
    alt account exists or has been migrated
        accounts-->>proxy: existing account UUID
        opt oc10 endpoint is configured
            proxy->>oc10: GET /apps/graphapi/v1.0/users/<uuid>
            Note over proxy,oc10: Check if user exists in oc10
            oc10-->>proxy: 200
            opt user exists in oc10
                proxy->>oc10: PROPFIND
                Note over proxy,oc10: forward existing bearer auth
                oc10-->>proxy: Multistatus response
                proxy-->>client: Multistatus response
                client-->>user: List of Files X, Y, Z ...
            end
        end
    else account does not exist
        Note over proxy: generate new uuid
        proxy->>accounts: TODO create account with new generated uuid
        Note over accounts,ldap: provision a new account including displayname, email and sub@iss. TODO only if the user is allowed to login, based on group membership in the ldap server
        accounts-->>proxy: OK / error
    else account has been disabled
        accounts-->>proxy: account is disabled
        proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp
        Note over client,proxy: start at login flow or refresh the token
    end

    Note over proxy: store uuid in context
    Note over proxy: mint an internal jwt that includes the UUID and username using reva's `x-access-token` header
    proxy->>reva: PROPFIND Token auth using internal JWT
    reva-->>proxy: Multistatus response
    proxy-->>client: Multistatus response
    client-->>user: List of Files X, Y, Z ...
```
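The decisions the diagram leaves to ocis-proxy after the `/userinfo` call, as an added Go example that is not oCIS or reva code: ocis-accounts is replaced by an in-memory map keyed by `sub@iss` (so "account exists", "account does not exist" and "account has been disabled" are the three outcomes of one lookup), the oc10 branch and the HTTP round trips are left out, and the internal token is an HS256 JWT assembled with the standard library. The claim names `sub` and `preferred_username`, the shared secret, the token lifetime and every type and function name are assumptions. A verifier is included because whichever service reads the `x-access-token` header must check the signature before it trusts the UUID inside.

```go
// Added example, not oCIS or reva code: ocis-accounts is an in-memory map and
// the internal token is an HS256 JWT assembled with the standard library only.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type UserInfo struct { // the subset of the /userinfo JSON the proxy needs
	Sub               string `json:"sub"`
	PreferredUsername string `json:"preferred_username"`
}

// Account is what the stand-in for ocis-accounts stores, keyed by sub@iss.
type Account struct {
	UUID     string
	Username string
	Disabled bool
}

type AccountStore struct{ byKey map[string]*Account }
func NewAccountStore() *AccountStore { return &AccountStore{byKey: map[string]*Account{}} }

var ErrAccountDisabled = errors.New("account is disabled")

// newUUID is the "generate new uuid" step (random v4).
func newUUID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// ResolveAccount exchanges sub@iss for an account UUID: existing, newly provisioned, or refused as disabled.
func ResolveAccount(s *AccountStore, iss string, userinfo []byte) (*Account, error) {
	var ui UserInfo
	if err := json.Unmarshal(userinfo, &ui); err != nil || ui.Sub == "" {
		return nil, errors.New("malformed userinfo")
	}
	key := ui.Sub + "@" + iss
	if acc, ok := s.byKey[key]; ok {
		if acc.Disabled {
			return nil, ErrAccountDisabled
		}
		return acc, nil
	}
	acc := &Account{UUID: newUUID(), Username: ui.PreferredUsername}
	s.byKey[key] = acc
	return acc, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(secret []byte, input string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// MintInternalJWT builds the token the proxy puts in reva's x-access-token header.
func MintInternalJWT(secret []byte, acc *Account, now time.Time, ttl time.Duration) string {
	claims, _ := json.Marshal(map[string]any{
		"sub": acc.UUID, "preferred_username": acc.Username,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(claims)
	return input + "." + b64(sign(secret, input))
}

// VerifyInternalJWT is the receiver's check: constant-time MAC comparison before any claim is trusted, then exp.
func VerifyInternalJWT(secret []byte, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	// parts[1] is covered by the MAC just verified, so it is exactly what the minter encoded.
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```

The secret stands in for whatever key material ocis-proxy and reva share through configuration; the point of the split into mint and verify is that the UUID reva acts on comes from a signed claim the proxy produced, not from anything the client sent. Keying the store by `sub@iss` rather than `sub` alone is what keeps two identity providers from colliding on the same subject identifier.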