Web Application — Standard Flow

Introduction

This diagram shows the successful authorization flow for a standard Web Application using the Authorization Code Grant defined in OAuth 2.0.

Flow Summary

Grant Type             Authorization Code
User Authentication    Required
Browser Redirects      Yes
Refresh Tokens         Optional

Typical Use Cases

  • Web Applications with backend sessions
  • Business and administrative portals
  • Customer-facing SaaS platforms
  • Applications calling protected APIs on behalf of Users

You can find the Quick Start guide for Web Application - Standard in the Mekarge A3 documentation.

Flow

Explanations

  1. The User requests a protected page from the Web Application.
  2. The Web Application detects that the User is not authenticated and responds with HTTP 302.
  3. The browser is redirected to the Authorization Endpoint in Mekarge A3.
  4. Mekarge A3 returns an authentication page containing a login form.
  5. The browser submits the authentication form to Mekarge A3.
  6. Mekarge A3 validates the User credentials and responds with HTTP 302.
  7. The browser is redirected to the Redirect URI of the Web Application with the Authorization Code.
  8. The Web Application calls the Token Endpoint in Mekarge A3 with the Authorization Code.
  9. Mekarge A3 validates the Authorization Code and returns an Access Token.
  10. The Web Application calls the API Resource using the Access Token.
  11. The Resource Server validates the Access Token and returns the API response.
  12. The Web Application returns the requested page.
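The Web Application side of steps 2, 3, 7 and 8 as an added Python example (not Mekarge A3's own code), with PKCE and a state check as the Security notes recommend. The endpoint URLs, client id and redirect URI are placeholder assumptions, the session is a plain dict standing in for the server-side session, and the HTTP POST of the token request in step 8 is left to the caller.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values; the real Mekarge A3 endpoints come from its documentation.
AUTHORIZE_URL = "https://a3.example.com/oauth2/authorize"
TOKEN_URL = "https://a3.example.com/oauth2/token"
CLIENT_ID = "my-web-app"
REDIRECT_URI = "https://app.example.com/callback"  # HTTPS only, per the Security notes


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_redirect(session):
    """Steps 2-3: build the Location header of the HTTP 302 that sends the browser
    to the Authorization Endpoint. Verifier and state stay in the server-side session."""
    session["code_verifier"], challenge = make_pkce_pair()
    session["state"] = secrets.token_urlsafe(16)  # binds the callback to this session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Steps 7-8: validate the redirect back from Mekarge A3 and return the form
    fields to POST to TOKEN_URL (client authentication is added by the HTTP layer)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "code" not in query:
        raise ValueError("authorization error: %s" % query.get("error", ["unknown"])[0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,  # must match the value used in the request
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),  # single use, then discarded
    }
```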

Notes

Security

  • Mekarge A3 allows only HTTPS for Redirect URIs.
  • Use HTTPS for all API endpoints.
  • Store Access Tokens and Refresh Tokens securely on the server side.
  • Enable PKCE to follow OAuth 2.1 security best practices (see OAuth 2.1 §7.8).
  • Configure short-lived Access Tokens.

Token Usage

  • The Access Token is used by the Web Application when calling APIs.
  • Refresh Tokens can be used to obtain new Access Tokens without requiring the user to log in again.
  • ID Tokens may contain identity information about the authenticated user.