Perses has various authentication flows configurable. You can choose to authenticate from a native provider that will allow you to create some users, or else rely on an external identity provider.
In both cases
each new user will be saved in the Perses database.
at login time, a Perses session (access_token/refresh_token) will be created
Please note that the number of identity providers is not limited.
It is possible to configure Perses to sign in user with an external identity provider supporting OIDC/Oauth. For both of these provider’s types, the flow is quite similar:
When a user sign in with an external provider (e.g. Github) the Perses backend will then use the information collected (email, firstname, lastname, picture) to sync the user in database. Then the backend takes in charge the creation of the access_token/refresh_token that will be used to authenticate this user in the subsequent requests.
The user synchronization can possibly be used to update also its permissions, based on some roles/groups present in the external idp’s token.
At the time we write this documentation, there is nothing implemented yet. User have to login first and ask specific permissions to an admin.
sequenceDiagram
actor hu as John
#actor ro as Robot
participant br as Perses Frontend
participant rp as Perses Backend (RP)
participant op as OIDC Provider (OP)
hu->>br: Login with OIDC provider (e.g Azure AD)
activate br
br->>rp: /api/auth/providers/oidc-{slug_id}/login
deactivate br
activate rp
rp->>br: 302: redirect to OP
activate br
deactivate rp
br->>op: {issuer}/authorize
deactivate br
activate op
op->>br: 302: redirect to RP
activate br
deactivate op
br->>rp: GET /api/auth/providers/oidc-{slug_id}/callback?code=...
deactivate br
activate rp
rp->>op: {issuer}/token
activate op
op->>rp: id_token & access_token
deactivate op
rp->>op: GET /userinfos
activate op
op->>rp: some additional user info
deactivate op
Note right of rp: user info + id token are used to sync user in database
rp->>rp:
Note right of rp: A new session is created with a new signed acces_token+refresh_token
rp->>rp:
rp->>br: 200 + save session
deactivate rp
activate br
br->>hu: Home Page
deactivate br
hu->>br: Click on Projects
activate br
br->>rp: /api/v1/projects
activate rp
deactivate br
rp->>rp: Verify token and permissions
rp->>br: projects
deactivate rp
activate br
br->>hu: Projects Page
deactivate br
sequenceDiagram
actor hu as John
#actor ro as Robot
participant br as Perses Frontend
participant rp as Perses Backend
participant op as OAuth 2.0 Provider
hu->>br: Login with OIDC provider (e.g Github)
activate br
br->>rp: /api/auth/providers/oauth-{slug_id}/login
deactivate br
activate rp
rp->>br: 302: redirect to OAuth 2.0 provider
activate br
deactivate rp
br->>op: {auth_url}
deactivate br
activate op
op->>br: 302: redirect to Perses
activate br
deactivate op
br->>rp: GET /api/auth/providers/oauth-{slug_id}/callback?code=...
deactivate br
activate rp
rp->>op: {token_url}
activate op
op->>rp: access_token
deactivate op
rp->>op: GET {user_infos_url}
activate op
op->>rp: some additional user info
deactivate op
Note right of rp: user info is used to sync user in database
rp->>rp:
Note right of rp: A new session is created with a new signed acces_token+refresh_token
rp->>rp:
rp->>br: 200 + save session
deactivate rp
activate br
br->>hu: Home Page
deactivate br
hu->>br: Click on Projects
activate br
br->>rp: /api/v1/projects
activate rp
deactivate br
rp->>rp: Verify token and permissions
rp->>br: projects
deactivate rp
activate br
br->>hu: Projects Page
deactivate br