53 lines
1.8 KiB
Plaintext
@startuml Login

actor User

box "Workstation"
participant Browser
participant Kubectl
participant "Pinniped CLI"
end box

box "Supervisor Cluster"
participant Pinniped as sp
end box

box "Concierge Cluster"
participant Pinniped as wp
end box

box "Corporate Network"
participant "OIDC IDP" as IDP
end box

User -> Kubectl: kubectl get pods
Kubectl -> "Pinniped CLI" : get credential for cluster authentication
"Pinniped CLI" -> "Pinniped CLI": starts localhost listener
"Pinniped CLI" -> User: open browser to URL X
User -> Browser: clicks link
Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""
sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""
Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""
IDP -> IDP: IDP authenticates user
IDP -> Browser: 302 to ""https://supervisor.com/callback""
Browser -> sp: ""GET https://supervisor.com/callback""
sp -> IDP: ""POST /token""
IDP -> sp: access token, ID token, refresh token
sp -> Browser: 302 to ""http://localhost:1234/callback""
Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""
"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""
sp -> sp: lookup auth code
sp -> sp: issue refresh token
sp -> sp: issue ID+access tokens
sp -> "Pinniped CLI": refresh+access+ID tokens
"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)
sp -> "Pinniped CLI": cluster-specific ID token
"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)
wp -> "Pinniped CLI": cluster-specific certificate and key
"Pinniped CLI" -> Kubectl: cluster-specific certificate and key
Kubectl -> wp : ""GET /api/v1/pods""
wp -> wp : Glean user and group information from\ncluster-specific credential
wp -> Kubectl : ""200 OK"" with pods

@enduml
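The step in the diagram where the Pinniped CLI sends the Supervisor-issued access token back to `/oauth2/token` and receives a cluster-specific ID token is an RFC 8693 token exchange. The Go program below is an added example, not Pinniped's own code: it implements the CLI side of that exchange against a constructed in-process stand-in for `sp` (`newMockSupervisor`), so the audience scoping can be exercised offline. The parameter names follow RFC 8693; the specific choice of `subject_token_type` and `requested_token_type` values, the `/oauth2/token` path, and the placeholder token strings are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const (
	grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	tokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
	tokenTypeJWT           = "urn:ietf:params:oauth:token-type:jwt"
)

// exchangeResponse is the JSON body defined by RFC 8693 section 2.2.1.
type exchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
}

// tokenExchange is the CLI side of the diagram step
// `"Pinniped CLI" -> sp: POST /oauth2/token (w/ access token per RFC8693)`.
// It presents the Supervisor-issued access token as the subject token and asks
// for a JWT scoped to one cluster audience. That the real Supervisor accepts
// exactly this parameter set is an assumption of this example.
func tokenExchange(client *http.Client, tokenURL, accessToken, clusterAudience string) (string, error) {
	form := url.Values{
		"grant_type":           {grantTypeTokenExchange},
		"subject_token":        {accessToken},
		"subject_token_type":   {tokenTypeAccessToken},
		"requested_token_type": {tokenTypeJWT},
		"audience":             {clusterAudience},
	}
	resp, err := client.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token exchange rejected: %d %s", resp.StatusCode, body)
	}
	var out exchangeResponse
	if err := json.Unmarshal(body, &out); err != nil {
		return "", err
	}
	// Refuse anything other than the token type requested: a caller that blindly
	// forwarded the response could otherwise hand a non-cluster token to the Concierge.
	if out.IssuedTokenType != tokenTypeJWT || out.AccessToken == "" {
		return "", fmt.Errorf("unexpected issued_token_type %q", out.IssuedTokenType)
	}
	return out.AccessToken, nil
}

// newMockSupervisor is a constructed stand-in for `sp`, not Pinniped's code.
// It knows one valid access token and the set of cluster audiences it will
// mint tokens for, and enforces both checks before issuing anything.
func newMockSupervisor(validAccessToken string, audiences map[string]bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("grant_type") != grantTypeTokenExchange {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		// Subject-token lookup: only a token this server itself issued is accepted.
		if r.PostForm.Get("subject_token") != validAccessToken {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		// RFC 8693 reserves invalid_target for an audience the server will not serve.
		aud := r.PostForm.Get("audience")
		if !audiences[aud] {
			http.Error(w, `{"error":"invalid_target"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(exchangeResponse{
			// Constructed placeholder; the real Supervisor issues a signed JWT.
			AccessToken:     "cluster-id-token-for-" + aud,
			IssuedTokenType: tokenTypeJWT,
			TokenType:       "N_A", // RFC 8693: used when the issued token is not an access token
		})
	})
	return httptest.NewServer(mux)
}

func main() {
	sp := newMockSupervisor("sp-access-token", map[string]bool{"prod-cluster": true})
	defer sp.Close()
	tok, err := tokenExchange(sp.Client(), sp.URL+"/oauth2/token", "sp-access-token", "prod-cluster")
	fmt.Println(tok, err)
	_, err = tokenExchange(sp.Client(), sp.URL+"/oauth2/token", "sp-access-token", "other-cluster")
	fmt.Println(err)
}
```

The audience check is the point of this step in the diagram: the token the CLI later places in a `TokenCredentialRequest` is usable only at the one Concierge cluster it was exchanged for, so a token minted for one cluster cannot be replayed against another, and the mock rejects such a request with `invalid_target` the way RFC 8693 prescribes.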