Merge pull request #20 from trade-tariff/FPO-134-flow-for-client-cred…

…entials FPO-134: Adds sequence diagram for client credentials
trade-tariff · Apr 2, 2024 · 0388204 · 0388204
2 parents 4843c49 + eb5e3e1
commit 0388204
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,23 @@
 # trade-tariff-fpo-developer-hub
 
 Express app giving FPO operators the ability to manage their own API credentials.
+
+## Authentication
+
+When this backend app is deployed to ECS we enable client credentials authentication using Cognito User Pools
+
+```mermaid
+sequenceDiagram
+participant Client Application
+participant Cognito Authorization Server
+participant Protected Resource / API
+
+Client Application->>Cognito Authorization Server: Request Access Token (Client ID, Client Secret)
+Cognito Authorization Server->>Cognito Authorization Server: Validate Credentials
+Cognito Authorization Server->>Client Application: Access Token 
+Client Application->>Protected Resource / API: API Request (Access Token)
+Protected Resource / API->>Protected Resource / API: Validate Token
+Protected Resource / API->>Client Application: API Response 
+```
+
+Access tokens need to be refreshed by the client and the backend decodes/verifies the JWT in the Authorisation header.