Commit 1386cfd

Updated architecture
1 parent 071895a commit 1386cfd

1 file changed

Lines changed: 77 additions & 0 deletions

docs/ARCHITECTURE.md

@@ -362,6 +362,83 @@ const validAudiences = [
362362

363363
SPFx uses `AadHttpClient.getClient(clientId)` which results in tokens with the raw client ID as the audience.
364364

365+
### Detailed SPFx-to-API Authentication Flow
366+
367+
This diagram shows the complete authentication flow from when the SPFx web part loads in SharePoint to when the API validates the request and returns data.
368+
369+
```
370+
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────────┐
371+
│ SPFx WebPart │ │ Azure AD │ │ auditsphere-api │
372+
│ (SharePoint) │ │ │ │ (Railway) │
373+
└────────┬────────┘ └────────┬─────────┘ └──────────┬──────────┘
374+
│ │ │
375+
│ 1. Request token │ │
376+
│ for resource: │ │
377+
│ eca12ded-8416-... │ │
378+
│ scope: │ │
379+
│ access_as_user │ │
380+
│──────────────────────▶│ │
381+
│ │ │
382+
│ 2. Return JWT │ │
383+
│ aud: eca12ded-... │ │
384+
│ scp: access_as_ │ │
385+
│ user │ │
386+
│◀──────────────────────│ │
387+
│ │ │
388+
│ 3. Call API with Authorization: Bearer <token> │
389+
│─────────────────────────────────────────────────▶│
390+
│ │ │
391+
│ │ 4. Fetch JWKS keys │
392+
│ │◀─────────────────────────│
393+
│ │ │
394+
│ │ 5. Return public keys │
395+
│ │─────────────────────────▶│
396+
│ │ │
397+
│ │ 6. Validate: │
398+
│ │ - JWT signature │
399+
│ │ (RS256) │
400+
│ │ - audience = │
401+
│ │ eca12ded-... │
402+
│ │ - issuer = │
403+
│ │ tenant ID │
404+
│ │ - not expired │
405+
│ │ │
406+
│ │ 7. Extract user: │
407+
│ │ - email from │
408+
│ │ preferred_ │
409+
│ │ username │
410+
│ │ - id from oid │
411+
│ │ │
412+
│ │ 8. Find/create │
413+
│ │ user in DB │
414+
│ │ │
415+
│ 9. Return data │
416+
│◀─────────────────────────────────────────────────│
417+
│ │ │
418+
```
419+
420+
**Key Points:**
421+
422+
1. **SPFx Permission Request**: The `webApiPermissionRequests` in `config/package-solution.json` declares that the SPFx solution needs access to the API:
423+
```json
424+
"webApiPermissionRequests": [{
425+
"resource": "eca12ded-8416-41fd-ac0a-ffaccb1ecb04",
426+
"scope": "access_as_user"
427+
}]
428+
```
429+
430+
2. **Admin Consent**: When the `.sppkg` is deployed, a SharePoint admin must approve this permission request in the SharePoint Admin Center → API Access.
431+
432+
3. **Token Acquisition**: SPFx uses `AadHttpClient` to silently acquire tokens:
433+
```typescript
434+
const client = await this.context.aadHttpClientFactory.getClient('eca12ded-8416-41fd-ac0a-ffaccb1ecb04');
435+
const response = await client.get(apiUrl, AadHttpClient.configurations.v1);
436+
```
437+
438+
4. **JWKS Caching**: The API caches Azure AD's public keys for 24 hours to avoid repeated JWKS fetches.
439+
440+
5. **User Auto-Creation**: If a valid token is received but the user doesn't exist in the database, they are automatically created with a default `viewer` role.
441+
365442
### Context Creation
366443

367444
```typescript
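
Review bot: Steps 7 and 8 of the diagram (and Key Point 5) should state which claim is the lookup key for find-or-create in the DB: `oid` is the stable, immutable user identifier, whereas `preferred_username` is mutable and not guaranteed to be an e-mail address, so matching existing users by it risks linking a token to the wrong account when a UPN is changed or reused. Suggest wording step 8 as "find user by `oid`, else create" and describing `preferred_username` as display data only. Two smaller points: step 6 says "issuer = tenant ID", but Azure AD tokens carry a tenant-scoped issuer URL rather than the bare tenant ID, so the text should name the issuer value the API actually compares against (this also makes clear that the auto-creation in Key Point 5 is bounded to that one tenant); and Key Point 4's 24-hour JWKS cache should say how a signing-key rotation is handled (for example, re-fetching when a token's `kid` is absent from the cache), since otherwise validly signed tokens are rejected for up to a day after rotation.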
