-
Notifications
You must be signed in to change notification settings - Fork 1
Guide
To use the Infoteam IdP, all services need to register themselves as a client of Infoteam IdP.
The developers of the services can register their service in the client page of Infoteam IdP link.

After client registration, the developers can access the page above.
The developer can obtain the service ID and secret on this page and configure the redirect URI, the ID token, and the scope, which is the information that the service will receive from the OAuth part.
To obtain the user's information through the Infoteam IdP, all services have to use the OAuth part of the IdP.
- Authorization Code Flow The developer of the services needs to implement three processes.
- redirect to https://idp.gistory.me/authorize with param: client_id, code_challenge, code_challenge_method, state, redirect_uri, scope
The frontend of the service needs to implement a redirection process to redirect to the URL above with the parameter.
In this process, the redirect_uri in the parameter must be registered in the client registration step. - Handling redirection with code and getting a token using code.
After the first process, Infoteam IdP will redirect to the redirect_uri with the code parameter.
The redirect_uri can be backend or frontend. However, it must have the code_challenge information.
Therefore, we recommend the frontend handle this process.
Then, get the token in/oauth/tokenwith the code parameter. - Getting a userinfo using ID token or
/oauth/userinfo.
If the service enabled the ID token in the client registration step, the ID token will be returned in the/oauth/tokenendpoint. The service can validate the ID token using the public key provided by Infoteam IdP and use the user's information.
Or, using the/oauth/userinfoendpoint, the service can receive the user's information configured in the client registration process.
sequenceDiagram
participant IdPFe as IdP FrontEnd
participant ClientFe as Client Frontend
participant Client
participant IdP
critical Requesting Login
ClientFe ->> Client: Request IdP Login
Client ->> ClientFe: REDIRECT idp.gistory.me/authorize
ClientFe ->> IdPFe:
end
IdPFe ->> IdPFe: login or sign up
IdPFe ->>+ IdP: client_id, code_challenge, code_challenge_method, redirect_uri, scope, "IdP jwt user token"
note right of IdP: GET /oauth/authorize
IdP ->>- ClientFe: REDIRECT <client url>?code=code
ClientFe ->> IdP: client_id, code, code_verifier
note right of IdP: POST /oauth/token
alt client doesn't use id token
IdP ->> ClientFe: access token, refresh token, id token
ClientFe ->>+ Client: access token, refresh token, id token
Client ->> Client: service logic with id token
Client ->>- ClientFe:
else
IdP ->> ClientFe: access token, refresh token
ClientFe ->>+ Client: access token, refresh token
Client ->>+ IdP: access token
note right of IdP: POST /oauth/userinfo
IdP ->>- Client: user's information
Client ->> ClientFe:
end
- Refresh Token Grant
sequenceDiagram
participant ClientFe as Client Frontend
participant IdP
ClientFe ->>+ IdP: client_id, refresh_token
note right of IdP: POST /oauth/token
IdP ->>- ClientFe: access token, refresh token, (id token)
- Client Credential flow
Client를 만들면, 같이 나오는 client의 id와 secret을 이용해서, client가 user의 정보를 가져올 수 있도록 합니다.
sequenceDiagram
participant Client
participant IdP
Client ->>+ IdP: client_id, client_secret, scope
note right of IdP: POST /oauth/token
IdP ->>- Client: access token, refresh token
opt if client want to get userinfo
Client ->>+ IdP: access token, user id
note right of IdP: POST /oauth/userinfo
IdP ->>- Client: userinfo
end
To the convenience of client service and reduce the /userinfo api call, Infoteam IdP provides the OpenID service.
