Server side Web App
The application code executes on the backend, and the web browser (agent) displays HTML pages that are rendered on the server side. The application backend is responsible for authenticating the user session with the IAM Authorization Server, which it accesses as a confidential client. An Access Token is not required because the complete business logic is executed on the application server (monolithic architecture).

- The user clicks the Sign in/Log in button on the web application HTML page served from the backend server.
- The Backend initializes the Authentication flow by calling the IAM Server's standard OAuth2 Authorization endpoint (/auth).
- The IAM Server redirects the user to the Login page provided by the IAM Server. The user provides his/her credentials in order to authenticate.
- Upon successful authentication, the IAM Server returns an Authorization Code via the browser agent to the Client API Backend.
- The Backend calls the IAM Server's standard OAuth2 Token endpoint (/token) to exchange the Authorization Code for Tokens (ID Token, Access Token and Refresh Token).
- The IAM Server returns the Tokens to the Backend. If the Backend server hosts a monolithic application and the ID Token contains the required user claims (such as ROLES), there is no need for an Access Token.
- The Backend creates an authenticated session with the associated token(s) and returns the session as a Cookie, which is stored on the agent (web browser).
- The agent sends HTTP requests with the authenticated Session Cookie.
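
The backend side of the flow above, as an added sketch (not code from the original page): building the /auth redirect, preparing the confidential-client /token request, and issuing the session cookie. The host names, client credentials, the `openid` scope and all function names are constructed assumptions; the `state` check and the cookie attributes are standard hardening that the steps above do not spell out.

```python
import base64, hmac, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions, not from the page).
IAM = "https://iam.example.test"
CLIENT_ID, CLIENT_SECRET = "webapp", "constructed-secret"
REDIRECT_URI = "https://app.example.test/callback"
SESSIONS = {}  # session id -> tokens; tokens never leave the backend

def start_login():
    """Build the redirect to /auth; state also goes into a short-lived cookie."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state})
    return f"{IAM}/auth?{query}", state

def build_token_request(callback_url, state_cookie):
    """Check the callback, then prepare the confidential-client /token call."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    # Reject callbacks not started by this browser (login CSRF / code injection).
    if not state_cookie or not hmac.compare_digest(state.encode(), state_cookie.encode()):
        raise ValueError("state mismatch")
    if not code:
        raise ValueError("missing authorization code")
    # Client secret stays on the backend; sent as HTTP Basic client authentication.
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return f"{IAM}/token", headers, body

def create_session(tokens):
    """Keep tokens server-side; return a Set-Cookie value with an opaque id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = tokens
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"].update({"httponly": True, "secure": True,
                              "samesite": "Lax", "path": "/"})
    return cookie["session"].OutputString()
```

The browser only ever holds the opaque session id; the ID Token (and any other tokens) stay in the backend's session store.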