kych

token_sequence.txt (3692B)

---

 sequenceDiagram
     participant Client
     participant KyCH OAuth2 Gateway
     participant KyCH OAuth2 Gateway DB
 
     Client ->> KyCH OAuth2 Gateway: POST /token\nContent-Type: application/x-www-form-urlencoded\ngrant_type=authorization_code&\ncode={code}&\nclient_id={client_id}&\nclient_secret={client_secret}&\nredirect_uri={redirect_uri}
 
     KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway: Validate grant_type ==\n'authorization_code'
 
     alt Invalid grant type
         KyCH OAuth2 Gateway -->> Client: 400 BAD REQUEST\n{error: 'unsupported_grant_type'}
     else Valid grant type
         KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway DB: SELECT id, secret_hash\nFROM clients WHERE client_id = $1
 
         alt Client not found or invalid secret
             KyCH OAuth2 Gateway -->> Client: 401 UNAUTHORIZED\n{error: 'invalid_client'}
         else Client authenticated
             KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway DB: WITH code_data AS (\n  SELECT id, used AS was_already_used, session_id\n  FROM authorization_codes\n  WHERE code = $1 AND expires_at > NOW()\n  FOR UPDATE\n),\nupdated_code AS (\n  UPDATE authorization_codes ac\n  SET used = TRUE,\n      used_at = CASE WHEN NOT ac.used THEN NOW() ELSE ac.used_at END\n  FROM code_data cd\n  WHERE ac.id = cd.id\n  RETURNING ac.id, ac.session_id\n)\nSELECT uc.id AS code_id,\n  cd.was_already_used,\n  uc.session_id,\n  vs.status AS session_status,\n  vs.client_id,\n  vs.redirect_uri,\n  at.token AS existing_token,\n  at.expires_at AS token_expires_at\nFROM updated_code uc\nJOIN code_data cd ON uc.id = cd.id\nJOIN verification_sessions vs ON vs.id = uc.session_id\nLEFT JOIN access_tokens at\n  ON at.session_id = vs.id AND at.revoked = FALSE
 
             alt No code found or DB error
                 KyCH OAuth2 Gateway DB -->> KyCH OAuth2 Gateway: 0 rows / Error
                 KyCH OAuth2 Gateway -->> Client: Error Response:\n- 400 BAD REQUEST {error: 'invalid_grant'}\n- 500 INTERNAL SERVER ERROR
             else Code found
                 KyCH OAuth2 Gateway DB -->> KyCH OAuth2 Gateway: code, session, and token data
 
                 KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway: Validate:\n- code belongs to client\n- redirect_uri matches stored value\n- code not already used\n- session status == 'verified'
 
                 alt Token already exists (idempotent)
                     KyCH OAuth2 Gateway -->> Client: 200 OK\n{access_token: existing_token,\ntoken_type: 'Bearer', expires_in: 3600}
                 else Invalid state
                     KyCH OAuth2 Gateway -->> Client: 400 BAD REQUEST\n{error: 'invalid_grant'}\n- Code belongs to different client\n- redirect_uri mismatch\n- Code already used\n- Session not verified
                 else Valid - create token
                     KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway: generate_access_token()
 
                     KyCH OAuth2 Gateway ->> KyCH OAuth2 Gateway DB: WITH updated AS (\n  UPDATE verification_sessions\n  SET status = 'completed', completed_at = NOW()\n  WHERE id = $1 RETURNING id\n)\nINSERT INTO access_tokens\n(session_id, token, expires_at)\nVALUES ($1, $2, NOW() + INTERVAL '1 hour')\nRETURNING token, expires_at
 
                     alt Error
                         KyCH OAuth2 Gateway DB -->> KyCH OAuth2 Gateway: Error
                         KyCH OAuth2 Gateway -->> Client: 500 INTERNAL SERVER ERROR
                     else Success
                         KyCH OAuth2 Gateway DB -->> KyCH OAuth2 Gateway: token, expires_at
                         KyCH OAuth2 Gateway -->> Client: 200 OK\n{access_token, token_type: 'Bearer', expires_in: 3600}
                     end
                 end
             end
         end
     end