
Commit 7e8f1057 authored by Jonathan Klee

chore: Bootstrap SSO documentation

parent 74ce6e1d
+1 −0
@@ -36,3 +36,4 @@ The most important libraries which are used by DAVx⁵ (alphabetically):
* [okhttp](https://square.github.io/okhttp)[Apache License, Version 2.0](https://square.github.io/okhttp/#license)

See _About / Libraries_ in the app for all used libraries and their licenses.
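Review bot: The added okhttp entry runs the project link and the licence link together with no separator (`* [okhttp](https://square.github.io/okhttp)[Apache License, Version 2.0](...)`), so it renders as "okhttpApache License, Version 2.0"; insert whatever separator the neighbouring entries in this list use between the two links. This libraries-list change is also unrelated to the SSO documentation the commit message describes and would be cleaner as its own commit.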

doc/sso/README.md

0 → 100644
+77 −0
# Murena ID in /e/OS Account Manager

## Overview

/e/OS Account Manager simplifies user authentication across /e/OS services with an uniq Murena ID, especially for **Murena Workspace** accounts. Users log in once to access multiple services (email, drive, calendar, contacts, etc.) without repeated credential entry, enhancing both security and user experience.

```mermaid
sequenceDiagram
    participant User
    participant AccountManager as /e/OS AccountManager
    participant IdP as Identity Provider (OIDC Server)
    participant ResourceServer as Murena Workspace

    User->>AccountManager: Initiates login
    AccountManager->>IdP: Redirects to identity provider for authentication
    IdP-->>User: Presents login page
    User->>IdP: Enters credentials
    IdP->>IdP: Validates credentials
    IdP-->>User: Returns authorization code
    User->>AccountManager: Authorization code
    AccountManager->>IdP: Exchanges code for ID token, refresh token & access token
    IdP-->>AccountManager: Returns ID token, refresh token & access token
    AccountManager->>ResourceServer: Requests resource with access token
    ResourceServer-->>AccountManager: Returns protected resource
    AccountManager-->>User: Grants access to services
```

## Communication between /e/OS AccountManager and Android AccountManager

When a user has logged in, **/e/OS Account Manager** stores the access token in a JSON `AuthState` and save the latter in the **Android AccountManager**:

```mermaid
sequenceDiagram
    participant eAM as /e/OS AccountManager
    participant AM as android.os.AccountManager

    eAM->>+AM: setUserData(account, "auth_state", AuthState)
```

## Communication between clients and /e/OS AccountManager

A **client** (e.g. Mail, Calendar, eDrive etc) who wants to communication with **MurenaWorkspace** will first need to get an access token stored in **Android AccountManager**:

```mermaid
sequenceDiagram
    participant Mail
    participant AM as android.os.AccountManager
    Mail->>+AM: getUserData(account, "auth_state")
    AM-->>-Mail: AuthState (JSON containing the access token)
```


## Communication between clients and MurenaWorkspace

This client will integrate the access token in its HTTP requests:

`Authorization: Bearer <client_access_token>`

### Mail

```mermaid
sequenceDiagram
    participant Mail
    participant MW as MurenaWorkspace

    Mail->>+MW: SMTP Request with `Authorization: Bearer <access_token>` header
```

### eDrive

```mermaid
sequenceDiagram
    participant eDrive
    participant MW as MurenaWorkspace

    eDrive->>+MW: HTTP Request with `Authorization: Bearer <access_token>` header
```