Authentication Flows

There are two main flows that Keysmith 2 will support for Phase 1:

  1. Provision of a complete Google SSO flow.
  2. Option for partners to "bring your own Google token" (BYOGT).

In addition, the design of the authentication flow must be able to accommodate other authentication strategies that may be added in the future.

Provision of a complete Google SSO flow

The sequence diagram below shows a typical SSO flow a 1st party application has with Google.

(Not referring to Keysmith - any Web app performing SSO with Google directly.)

(Referenced from https://developers.google.com/identity/protocols/oauth2#webserver)

New User

This section describes the flow for a new user created in Keysmith.

Internal Google SSO with Keysmith

This diagram shows a typical SSO flow with Google and the current version of Keysmith. Of note are the sections labelled "Keysmith-specific". In this flow, Keysmith provides the SSO URL that the user visits to initiate the SSO process. The redirection from Google goes to Keysmith, which creates a secret keyfile that is stored in the user's Google Drive.

External Google SSO with Keysmith

In this scenario, the 3rd-party application already has an existing Google SSO authentication mechanism. In this case, the 3rd-party application would want to present the access token that it has already obtained for the user, so that the user need not go through another SSO process.

In step 7, the 3rd-party application calls a Keysmith function, passing in the JWT and the Google access token. This function requests credentials from the server (step 8) to generate the secret keyfile. It does so by passing the JWT as a Bearer token to the server.

After the secret keyfile is created, the same function saves the keyfile in Google Drive (step 10) using the access token passed in.

When both actions are completed, the function returns (step 11) and the application can treat the entire sign-up process as complete.
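The BYOGT function described in steps 7 to 11, as an added example (not Keysmith's own code): it sends only the JWT to the Keysmith server and only the Google access token to Drive, so neither credential leaks to the other party. The Keysmith endpoint URL is a placeholder, the Drive appDataFolder location is an assumption, and HTTP is injected so the example runs offline against a constructed stand-in for both servers.

```python
import json
from typing import Any, Callable, Dict, Tuple

# Placeholder URL: the page names no Keysmith endpoint.
KEYSMITH_CREDENTIALS_URL = "https://keysmith.example/api/credentials"
# Real Drive v3 multipart upload endpoint (appDataFolder needs the drive.appdata scope).
DRIVE_UPLOAD_URL = "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"

# http(method, url, headers, body) -> (status, response_text); injected so this runs offline.
HttpFn = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def complete_byogt_signup(jwt: str, google_access_token: str, http: HttpFn) -> Dict[str, Any]:
    """Steps 7-11: fetch the keyfile with the JWT, store it in Drive with the Google token."""
    if not jwt or not google_access_token:
        raise ValueError("both the Keysmith JWT and the Google access token are required")
    # Step 8: only the JWT goes to the Keysmith server, as a Bearer token.
    status, body = http("POST", KEYSMITH_CREDENTIALS_URL,
                        {"Authorization": f"Bearer {jwt}", "Accept": "application/json"}, b"")
    if status != 200:
        raise RuntimeError(f"Keysmith credential request failed: HTTP {status}")
    keyfile = json.loads(body)  # step 9: secret keyfile material returned by the server
    # Step 10: only the Google access token goes to Drive; appDataFolder is hidden from other apps.
    boundary = "keysmith-boundary"
    metadata = {"name": "keysmith-keyfile.json", "parents": ["appDataFolder"]}
    multipart = (
        f"--{boundary}\r\nContent-Type: application/json; charset=UTF-8\r\n\r\n"
        f"{json.dumps(metadata)}\r\n--{boundary}\r\nContent-Type: application/json\r\n\r\n"
        f"{json.dumps(keyfile)}\r\n--{boundary}--"
    ).encode()
    status, body = http("POST", DRIVE_UPLOAD_URL,
                        {"Authorization": f"Bearer {google_access_token}",
                         "Content-Type": f"multipart/related; boundary={boundary}"}, multipart)
    if status != 200:
        raise RuntimeError(f"Drive upload failed: HTTP {status}")
    # Step 11: report completion without handing the keyfile back to the application.
    return {"drive_file_id": json.loads(body)["id"]}


class FakeHttp:
    """Constructed stand-in for both servers; records each request for inspection."""
    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((url, dict(headers), body))
        if url == KEYSMITH_CREDENTIALS_URL:
            return 200, json.dumps({"kid": "demo-key", "secret": "constructed-secret"})
        if url == DRIVE_UPLOAD_URL:
            return 200, json.dumps({"id": "drive-file-123"})
        return 404, ""
```

Running `complete_byogt_signup("jwt.demo.token", "ya29.demo", FakeHttp())` records two requests, and inspecting `FakeHttp.calls` shows which bearer credential reached which server.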

Existing User

This section describes the flow for an existing user signing back in to Keysmith.

TBC