How it Works
Authentication - General flow
The image below gives a brief overview of the flow and the components involved.
A user starts a login request from Lime Portal, and from there the authentication is redirected to this package. Based on the request, we determine which limetype is trying to log in (e.g. coworker), and authorize the supplied credentials against that object.
If an object is found in the search above, its data is returned to Lime Portal and the end user is logged in as the object that was found.
OpenID authentication
The image below describes the flow all the way from the portal, to the OpenID provider.
When the user first visits the portal, they are redirected to this package by the portal. The package, which contains the configuration for the provider, then redirects to the provider, where the user can log in.
Once logged in, the provider returns an idtoken, which is a base64-encoded JWT. This JWT is signed with the provider's private key, so we decode it with the provider's public key to verify that the signature is correct. Once decoded, we can access information about the user.
We then find the limeobject we want (e.g. coworker) by some property in the user information.
The user is then redirected back to the portal, where we have access to the user information and the initial state parameter. The state is checked against the one that was first generated in the portal and saved in the current session. If the state matches, we log the user in; if not, we show an error.
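The token and state checks described above, as an added Python example (not code from limepkg-portal-auth). It uses an HMAC-signed (HS256) token with a constructed shared key as a stand-in so it runs with the standard library only; a real provider signs with its private key (RS256) and the client verifies with the provider's published public key, so only the signature step differs. The coworker list, claim names and the `find_coworker` helper are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the provider's signing key (see lead-in).
SHARED_KEY = b"constructed-demo-key"
ISSUER = "https://idp.example"        # hypothetical provider
CLIENT_ID = "portal-client"           # hypothetical client id registered at the provider

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Constructed helper: builds the idtoken a provider would return."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Decode and verify the idtoken; raise ValueError if any check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust what the token claims
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))   # only now are the claims trustworthy
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def state_matches(session_state, returned_state) -> bool:
    """Compare the state on the callback with the one saved in the session."""
    return bool(session_state) and bool(returned_state) and hmac.compare_digest(session_state, returned_state)

def find_coworker(coworkers, claims, prop="email"):
    """Locate the limeobject (here a list of coworker dicts) by a claim value."""
    return next((c for c in coworkers if c.get(prop) == claims.get(prop)), None)
```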
Request a password reset - General flow
Below are the steps involved when a user submits a request to reset their password.
Once the user submits a request to reset their password, the request is forwarded from the Portal backend to limepkg-portal-auth. Here we try to find the user, and if they are found we generate a token. The token is included in the link sent to the user via email, so that the user is identified correctly by presenting the token.
This flow is also used when a user is "activating" their account, i.e. when no password has been set at all.