|
| 1 | +--- |
| 2 | +title: Third-party login |
| 3 | +tx_slug: documentation_reference_qfieldcloud_sso_auth |
| 4 | +--- |
| 5 | + |
| 6 | +# Third-party authentication |
| 7 | + |
| 8 | +QFieldCloud and QField / QFieldSync clients allow authentication using regular login and password, for a user that is already registered on QFieldCloud. |
| 9 | + |
| 10 | +It is also possible to authenticate using a third-party identity provider (e.g. Google, [OpenID Connect](https://openid.net/developers/how-connect-works/)). |
| 11 | + |
| 12 | +Here is a sequence diagram of how a third-party login happens in QFieldCloud (in the browser): |
| 13 | + |
| 14 | +```mermaid |
| 15 | +sequenceDiagram |
| 16 | + autonumber |
| 17 | +
|
| 18 | + actor User |
| 19 | + participant QFC as QFieldCloud |
| 20 | +
|
| 21 | + User ->> QFC: Access login page |
| 22 | + QFC -->> User: Display login form with configured third-party login buttons |
| 23 | +
|
| 24 | + User ->> QFC: Click third-party login button |
| 25 | +
|
| 26 | + QFC ->> IDP: Redirect to IDP for login |
| 27 | + IDP -->> User: Display IDP's login form |
| 28 | +
|
| 29 | + User ->> IDP: Log in using IDP's credentials |
| 30 | + destroy IDP |
| 31 | +
|
| 32 | + IDP ->> QFC: Redirect back with auth details |
| 33 | +
|
| 34 | + alt User does not already have a QFieldCloud account |
| 35 | + note over QFC: QFieldCloud account is created using IDP auth details |
| 36 | + end |
| 37 | +
|
| 38 | + QFC -->> User: User is logged in |
| 39 | +``` |
| 40 | + |
| 41 | +Here is a sequence diagram of how third-party authentication happens in QField and QFieldSync: |
| 42 | + |
| 43 | +```mermaid |
| 44 | +sequenceDiagram |
| 45 | + autonumber |
| 46 | +
|
| 47 | + participant IDP as Identity Provider |
| 48 | + actor User |
| 49 | + participant QF as QField / QFieldSync |
| 50 | + participant QFC as QFieldCloud |
| 51 | +
|
| 52 | + User ->>+ QF: Open the QFieldCloud login dialog |
| 53 | +
|
| 54 | + QF ->> QFC: Ask for configured third-party ID providers |
| 55 | + QFC -->> QF: Answer with the list of configured third-party ID providers |
| 56 | + QF -->>- User: Display a button for each third-party ID provider |
| 57 | +
|
| 58 | + User ->>+ QF: Click on 'Login with XYZ' provider button |
| 59 | +
|
| 60 | + Note over QF: A QgsAuthMethodConfig of type OAuth2 is created<br/>QGIS auth manager recognizes that the user is not authenticated yet<br/> QGIS auth manager then redirects to the IDP for authenticating the user |
| 61 | +
|
| 62 | + QF ->>+ IDP: Redirect to IDP for login |
| 63 | + IDP -->> User: Display IDP's login form in a browser |
| 64 | + User ->> IDP: Log in using IDP's credentials in the browser |
| 65 | + IDP ->>- QF: Answer with auth details and an id_token token |
| 66 | +
|
| 67 | + QF ->>+ QFC: Ask for current user's informations |
| 68 | + Note over QF,QFC: The id_token provided by IDP is in in the X-QFC-ID-Token HTTP header<br/>The IDP provider type (e.g. "google") is in the X-QFC-IDP-ID header |
| 69 | +
|
| 70 | + QFC -->>- QF: Answer with user information (username, avatar, etc.) |
| 71 | + QF -->>- User: User is logged in and authenticated |
| 72 | +
|
| 73 | + loop send HTTP regular requests (e.g. file synchronization) |
| 74 | + QF ->> QFC: Send a request (e.g. file Download/Upload) |
| 75 | + Note over QF,QFC: The id_token provided by IDP is in in the X-QFC-ID-Token HTTP header<br/>The IDP provider type (e.g. "google") is in the X-QFC-IDP-ID header |
| 76 | + QFC -->> QF: Reply to the request |
| 77 | + end |
| 78 | +
|
| 79 | + loop refresh token regularly |
| 80 | + QF ->> IDP: Ask for a new token |
| 81 | + IDP -->> QF: Send a refreshed token |
| 82 | + end |
| 83 | +``` |
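Review bot: the two "Note over QF,QFC" lines in the second diagram describe the id_token being sent in the X-QFC-ID-Token header on every request (login and the file sync loop) but say nothing about what QFieldCloud does with it before trusting it; the doc should state what the server verifies (signature against that provider's keys, issuer, audience, expiry) and that the X-QFC-IDP-ID value only selects which provider configuration is used for that check, otherwise a reader may assume the header is accepted as-is. The "refresh token regularly" loop should also name which token is refreshed, since it is the id_token that the headers carry. Smaller points: the first diagram never declares `participant IDP as Identity Provider` (the second one does), so the two diagrams render it differently, and `destroy IDP` is only understood by recent Mermaid releases, so confirm the docs renderer supports it. Typos: "is in in the" (twice) -> "is in the", "user's informations" -> "user's information", and "IDP provider" is redundant.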