OAuth 2.0 + OIDC

Complete authentication and authorization flow: Authorization Code, JWT, PKCE and OpenID Connect

OAuth 2.0 Roles
Resource Owner (User) | Client (App) | Authorization Server (IdP) | Resource Server (API)

Authorization Code Flow
1. User clicks Login; the client redirects to the Auth Server's /authorize endpoint (login + consent)
2. The Auth Server redirects back to the client backend with ?code=xyz (the code has a TTL of ~10 min)
3. The client backend sends POST /token with the code + client_secret
4. The token endpoint returns the tokens (access + refresh)
5. The client calls the API with the header Authorization: Bearer <access token>

Scopes (consent)
openid → ID token | profile → name, photo | email → verified email

PKCE (public clients: SPA + mobile)
1. Generate a code_verifier (random, 43-128 chars)
2. code_challenge = SHA256(verifier)
3. Send the challenge in /authorize
4. Send the verifier in /token
5. The server validates: SHA256(verifier) == challenge

JWT Structure (three base64url-encoded parts)
Header: {"alg":"RS256","typ":"JWT"}
Payload: {"sub":"123","exp":...}
Signature: RSASHA256(header.payload, key)

JWT Standard Claims
iss: issuer | sub: subject (userId) | aud: audience | exp: expiration
iat: issued at | nbf: not before | jti: unique ID | + custom claims

Refresh Token Rotation
Access token: ~15 min (short-lived, JWT)
Refresh token: ~7 days (long-lived, opaque)
Rotation: each use issues a new refresh token
Reuse detection → revoke the entire token family

OpenID Connect (OIDC): Identity Layer
ID Token: JWT carrying user info
UserInfo endpoint: GET /userinfo
Discovery: /.well-known/openid
JWKS: public keys for verifying signatures
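The PKCE steps above, as an added example (not code from the original page): the client generates the verifier and challenge, and the function standing in for the token endpoint performs the step-5 check. The diagram writes code_challenge = SHA256(verifier); the S256 method defined in RFC 7636 base64url-encodes that hash without padding, and that is what this code computes. All function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Added example of PKCE (RFC 7636, method S256). Helper names are this
# example's own, not an API from any library.


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as PKCE and JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Step 1: random verifier. 32 random bytes encode to 43 chars (the
    minimum allowed); 96 bytes encode to 128 chars (the maximum)."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be 32..96 to yield 43..128 characters")
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge(verifier: str) -> str:
    """Step 2: S256 challenge = base64url(SHA256(ascii(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_validate(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Step 5, as run by the token endpoint: the challenge was stored with the
    /authorize request, the verifier arrives with the /token request.
    Returns True only if the verifier matches the stored challenge."""
    if method != "S256":
        # Only the hashed method is accepted here; 'plain' offers no protection
        # against a leaked authorization request.
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = code_challenge(presented_verifier)
    # Constant-time comparison, as for any secret-derived value.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = generate_code_verifier()
    c = code_challenge(v)
    print("verifier :", v)
    print("challenge:", c)
    print("valid    :", server_validate(c, "S256", v))
```

The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm the encoding matches what real authorization servers expect.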

The 4 OAuth 2.0 roles: Resource Owner, Client, Authorization Server, Resource Server
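Refresh token rotation with reuse detection, as described in the diagram (each use issues a new refresh token; presenting an already-used token revokes the whole family), as an added example that is not part of the original page. The in-memory TokenStore, the TTL constants and the helper names are this example's own assumptions standing in for an authorization server's database; access tokens are represented only by their expiry time.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Added example: refresh token rotation with family-wide revocation on reuse.
# TTLs follow the diagram's figures (~15 min access, ~7 days refresh).
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600


@dataclass
class RefreshRecord:
    family: str      # all tokens descended from one login share a family id
    user: str
    expires_at: float
    used: bool = False


class TokenStore:
    """Hypothetical in-memory store standing in for the auth server's DB."""

    def __init__(self) -> None:
        self.refresh: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def _issue(self, user: str, family: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # opaque, not a JWT
        self.refresh[token] = RefreshRecord(family, user, now + REFRESH_TTL)
        return token

    def login(self, user: str, now: float | None = None) -> dict:
        """Initial grant: start a new family and issue its first refresh token."""
        now = time.time() if now is None else now
        family = secrets.token_hex(8)
        return {"access_exp": now + ACCESS_TTL,
                "refresh_token": self._issue(user, family, now)}

    def rotate(self, presented: str, now: float | None = None) -> dict:
        """Exchange a refresh token for a new pair; raise PermissionError on
        any anomaly. Reuse of a consumed token revokes the entire family."""
        now = time.time() if now is None else now
        rec = self.refresh.get(presented)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self.revoked_families:
            raise PermissionError("token family revoked")
        if rec.used:
            # Reuse detected: either the legitimate client or a thief holds a
            # stale copy, so neither side gets to continue.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        if now >= rec.expires_at:
            raise PermissionError("refresh token expired")
        rec.used = True
        return {"access_exp": now + ACCESS_TTL,
                "refresh_token": self._issue(rec.user, rec.family, now)}


def rotation_rejected(store: TokenStore, token: str, now: float) -> bool:
    """True if the store refuses to rotate `token` at time `now`."""
    try:
        store.rotate(token, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = TokenStore()
    t0 = time.time()
    first = store.login("alice", t0)
    second = store.rotate(first["refresh_token"], t0 + 600)
    print("rotated OK, new token differs:", second["refresh_token"] != first["refresh_token"])
    print("replay of old token rejected :", rotation_rejected(store, first["refresh_token"], t0 + 700))
    print("latest token now dead too    :", rotation_rejected(store, second["refresh_token"], t0 + 800))
```

The ordering of the checks matters: a token whose family was already revoked is refused before anything else, a consumed token trips the reuse detector, and only a fresh, unexpired token is rotated. Logging the reuse event with the family id gives the SOC a concrete signal that a refresh token was copied.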
