
OAuth 2.0 / OIDC / SSO — Detailed#

```mermaid
flowchart TB
  subgraph User
    BR([Browser])
    NATIVE[Native app]
  end

  subgraph Client[Client App / Relying Party]
    APP[App backend]
    SDK([SDK])
  end

  subgraph IdP[Identity Provider]
    AUTHN[AuthN: pwd, MFA, passkeys, biometrics]
    CONS[Consent screen]
    SES[Session / SSO cookie]
    AUTHZ[AuthZ / claims]
    JWKS[JWKS public keys]
    ROTATE[Key rotation]
    LOGOUT[SLO single logout]
  end

  subgraph Flow
    AC[Authorization Code]
    PKCE[PKCE for native / SPA]
    CC([Client credentials])
    DEV([Device code])
    REFRESH[Refresh tokens]
    REVOKE[Revocation endpoint]
  end

  subgraph Tokens
    AT[Access token JWT]
    IDT[ID token OIDC]
    RT[Refresh token]
    TI[Token introspection RFC 7662]
  end

  subgraph SAML
    SP[SP-initiated SAML SSO]
    META[SAML metadata]
  end

  subgraph Provisioning
    SCIM([SCIM user provision])
    JIT[Just-in-time provisioning]
  end

  User --> Client --> Flow --> IdP
  IdP --> Tokens --> Client
  Provisioning --- IdP
  SAML --- IdP

  classDef client fill:#dbeafe,stroke:#1e40af,stroke-width:1px,color:#0f172a;
  classDef edge fill:#cffafe,stroke:#0e7490,stroke-width:1px,color:#0f172a;
  classDef service fill:#fef3c7,stroke:#92400e,stroke-width:1px,color:#0f172a;
  classDef datastore fill:#fee2e2,stroke:#991b1b,stroke-width:1px,color:#0f172a;
  classDef cache fill:#fed7aa,stroke:#9a3412,stroke-width:1px,color:#0f172a;
  classDef queue fill:#ede9fe,stroke:#5b21b6,stroke-width:1px,color:#0f172a;
  classDef compute fill:#d1fae5,stroke:#065f46,stroke-width:1px,color:#0f172a;
  classDef storage fill:#e5e7eb,stroke:#374151,stroke-width:1px,color:#0f172a;
  classDef external fill:#fce7f3,stroke:#9d174d,stroke-width:1px,color:#0f172a;
  classDef obs fill:#f3e8ff,stroke:#6b21a8,stroke-width:1px,color:#0f172a;
  class BR,SDK,CC,DEV,SCIM client;
  class NATIVE,APP,CONS,SES,AUTHZ,JWKS,ROTATE,AC,PKCE,REFRESH,REVOKE,AT,IDT,RT,TI,SP,META,JIT service;
  class AUTHN,LOGOUT obs;
```

  • Web app: Authorization Code + PKCE (RFC 7636).
  • Native app: same flow, launched in the system browser rather than an embedded web view.
  • M2M (service to service): Client credentials.
  • Device with no browser: Device authorization grant.
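The Authorization Code + PKCE recommendation above hinges on one mechanism: the client proves at the token endpoint that it is the same party that started the flow, so an intercepted authorization code alone is useless. The following is an added, stdlib-only example (not code from this page or any vendor SDK) of the RFC 7636 S256 transform on the client side and the matching check an authorization server performs; `AuthorizationServer`, its method names and the `spa-client` id are illustrative assumptions. It also shows the single-use property of authorization codes, which the RFC requires alongside PKCE.

```python
"""PKCE (RFC 7636): code_verifier / code_challenge generation and the
token-endpoint check. Added example; class and method names are illustrative."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the IdP's /authorize and /token endpoints (assumed names)."""

    def __init__(self) -> None:
        # authorization code -> {client_id, challenge, used}
        self._codes: dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Refuse the "plain" method: it offers no protection against a code leak.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        if len(code_challenge) != 43:
            raise ValueError("malformed S256 challenge")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self._codes.get(code)
        if entry is None or entry["used"] or entry["client_id"] != client_id:
            return False
        entry["used"] = True  # codes are single-use whatever the outcome below
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time compare of the recomputed challenge with the stored one.
        return hmac.compare_digest(make_code_challenge(code_verifier), entry["challenge"])


def demo() -> dict:
    """Constructed round trip: legitimate redemption, replay, and a stolen code
    presented with a verifier that does not match its challenge."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    code = srv.authorize("spa-client", make_code_challenge(verifier))
    legit = srv.token("spa-client", code, verifier)
    replay = srv.token("spa-client", code, verifier)
    other_code = srv.authorize("spa-client", make_code_challenge(make_code_verifier()))
    wrong = srv.token("spa-client", other_code, verifier)
    return {"legit": legit, "replay": replay, "wrong_verifier": wrong}


if __name__ == "__main__":
    print(demo())
```

`make_code_challenge` reproduces the RFC 7636 Appendix B test vector, which is a useful sanity check when wiring a real client library. The server burns the code before comparing the verifier so that a failed attempt cannot be retried against the same code.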

Tokens#

  • Access tokens: short-lived (5-60 min), JWT or opaque.
  • Refresh tokens: longer-lived; ideally sender-constrained (DPoP or mTLS) so a stolen token cannot be replayed from another client.
  • ID tokens (OIDC): identity assertions consumed by the client, not by resource servers.

SSO#

  • One IdP session signs the user in to multiple apps.
  • Logout (SLO) is hard to get right across every app; sidestep most of the problem with short-lived access tokens plus revocation of refresh tokens.
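The Tokens and SSO points above come together on the resource server: a JWT access token is accepted only while it is unexpired, signed by the expected issuer and addressed to this audience, and "logout" is effectively the token lifetime plus a revocation check. The block below is an added example, not code from this page; it uses HS256 with a shared secret purely so it runs with the standard library (an assumption: with the JWKS shown in the diagram you would verify an RS256/ES256 signature instead, the claim checks being identical). `ResourceServer`, `revoke()`, and the issuer/audience strings are constructed names.

```python
"""Resource-server validation of a short-lived access token JWT plus a revocation
list. Added example; HS256 shared secret is an assumption to stay stdlib-only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issuer side. alg="none" exists here only so the demo can show it rejected."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if alg == "none" else hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class ResourceServer:
    """Validates bearer tokens; revoke() models what the revocation endpoint feeds it."""

    def __init__(self, secret: bytes, issuer: str, audience: str, leeway: int = 30) -> None:
        self.secret, self.issuer, self.audience, self.leeway = secret, issuer, audience, leeway
        self.revoked_jti: set = set()  # jti values revoked before their exp

    def revoke(self, jti: str) -> None:
        self.revoked_jti.add(jti)

    def validate(self, token: str, now: Optional[float] = None) -> tuple:
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            signature = _b64url_decode(s)
        except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
            return False, "malformed"
        # Pin the algorithm; never let the token choose it ("none", alg confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "alg not allowed"
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p))  # parse claims only after the signature holds
        now = time.time() if now is None else now
        if claims.get("iss") != self.issuer:
            return False, "issuer mismatch"
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "audience mismatch"
        if "exp" not in claims or now > claims["exp"] + self.leeway:
            return False, "expired"
        if now + self.leeway < claims.get("nbf", 0):
            return False, "not yet valid"
        if claims.get("jti") in self.revoked_jti:
            return False, "revoked"
        return True, "ok"


def demo() -> dict:
    """Constructed tokens exercised against each check; values are illustrative."""
    secret = b"constructed-shared-secret"
    rs = ResourceServer(secret, issuer="https://idp.example", audience="api://orders")
    now = 1_700_000_000
    base = {"iss": "https://idp.example", "aud": "api://orders", "sub": "u123",
            "iat": now, "exp": now + 600, "jti": "at-1"}  # 10-minute access token
    good = mint_jwt(base, secret)
    h, p, s = good.split(".")
    forged = f"{h}.{_b64url_encode(json.dumps(dict(base, sub='admin')).encode())}.{s}"
    out = {
        "valid": rs.validate(good, now=now + 60)[1],
        "expired": rs.validate(good, now=now + 700)[1],
        "forged_payload": rs.validate(forged, now=now + 60)[1],
        "wrong_audience": rs.validate(mint_jwt(dict(base, aud="api://other"), secret), now=now + 60)[1],
        "alg_none": rs.validate(mint_jwt(base, secret, alg="none"), now=now + 60)[1],
    }
    rs.revoke("at-1")  # what a revocation call or SLO event would trigger
    out["revoked"] = rs.validate(good, now=now + 60)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

With a 10-minute `exp`, the revocation set only needs to hold a `jti` until its token would have expired anyway, which is what keeps the "short-lived access tokens plus revocation" approach cheap compared with full single logout.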

Glossary & fundamentals#

Concepts referenced in this design. Each row links to its canonical page; the tag column shows whether it is a high-level (HLD) or low-level (LLD) concept.

| Tag | Concept | What it is | Page |
|-----|---------|------------|------|
| HLD | Observability | metrics, logs, traces, SLOs | observability |
| HLD | Service mesh | sidecar mesh, mTLS, traffic policy | service-mesh |