Commit 4590ce2

Updated architecture
1 parent b64c893 commit 4590ce2

1 file changed

Lines changed: 77 additions & 0 deletions

docs/ARCHITECTURE.md

@@ -358,6 +358,83 @@ const validAudiences = [
358358

359359
SPFx uses `AadHttpClient.getClient(clientId)` which results in tokens with the raw client ID as the audience.
360360

361+
### Detailed SPFx-to-API Authentication Flow
362+
363+
This diagram shows the complete authentication flow from when the SPFx web part loads in SharePoint to when the API validates the request and returns data.
364+
365+
```
366+
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────────┐
367+
│ SPFx WebPart │ │ Azure AD │ │ auditsphere-api │
368+
│ (SharePoint) │ │ │ │ (Railway) │
369+
└────────┬────────┘ └────────┬─────────┘ └──────────┬──────────┘
370+
│ │ │
371+
│ 1. Request token │ │
372+
│ for resource: │ │
373+
│ eca12ded-8416-... │ │
374+
│ scope: │ │
375+
│ access_as_user │ │
376+
│──────────────────────▶│ │
377+
│ │ │
378+
│ 2. Return JWT │ │
379+
│ aud: eca12ded-... │ │
380+
│ scp: access_as_ │ │
381+
│ user │ │
382+
│◀──────────────────────│ │
383+
│ │ │
384+
│ 3. Call API with Authorization: Bearer <token> │
385+
│─────────────────────────────────────────────────▶│
386+
│ │ │
387+
│ │ 4. Fetch JWKS keys │
388+
│ │◀─────────────────────────│
389+
│ │ │
390+
│ │ 5. Return public keys │
391+
│ │─────────────────────────▶│
392+
│ │ │
393+
│ │ 6. Validate: │
394+
│ │ - JWT signature │
395+
│ │ (RS256) │
396+
│ │ - audience = │
397+
│ │ eca12ded-... │
398+
│ │ - issuer = │
399+
│ │ tenant ID │
400+
│ │ - not expired │
401+
│ │ │
402+
│ │ 7. Extract user: │
403+
│ │ - email from │
404+
│ │ preferred_ │
405+
│ │ username │
406+
│ │ - id from oid │
407+
│ │ │
408+
│ │ 8. Find/create │
409+
│ │ user in DB │
410+
│ │ │
411+
│ 9. Return data │
412+
│◀─────────────────────────────────────────────────│
413+
│ │ │
414+
```
415+
416+
**Key Points:**
417+
418+
1. **SPFx Permission Request**: The `webApiPermissionRequests` in `config/package-solution.json` declares that the SPFx solution needs access to the API:
419+
```json
420+
"webApiPermissionRequests": [{
421+
"resource": "eca12ded-8416-41fd-ac0a-ffaccb1ecb04",
422+
"scope": "access_as_user"
423+
}]
424+
```
425+
426+
2. **Admin Consent**: When the `.sppkg` is deployed, a SharePoint admin must approve this permission request in the SharePoint Admin Center → API Access.
427+
428+
3. **Token Acquisition**: SPFx uses `AadHttpClient` to silently acquire tokens:
429+
```typescript
430+
const client = await this.context.aadHttpClientFactory.getClient('eca12ded-8416-41fd-ac0a-ffaccb1ecb04');
431+
const response = await client.get(apiUrl, AadHttpClient.configurations.v1);
432+
```
433+
434+
4. **JWKS Caching**: The API caches Azure AD's public keys for 24 hours to avoid repeated JWKS fetches.
435+
436+
5. **User Auto-Creation**: If a valid token is received but the user doesn't exist in the database, they are automatically created with a default `viewer` role.
437+
361438
### Context Creation
362439

363440
```typescript
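Review bot: step 6 of the diagram lists signature, audience, issuer and expiry checks but not the `scp` claim, even though steps 1-2 show the token being issued with `scp: access_as_user`; if the API enforces the delegated scope (or an app-only `roles` equivalent), the diagram and Key Points should say so, and if it does not, that is the gap to document, since a token with the right `aud` but no delegated scope would pass the checks as drawn. Two smaller points in the same hunk: step 7 takes the user's email from `preferred_username`, which is a mutable display claim and is not guaranteed to be an email address, so the text should state that the find/create in step 8 keys on `oid` (ideally together with the tenant) and that `preferred_username` is informational only; and Key Point 4's 24-hour JWKS cache should describe what happens when a token arrives with a `kid` that is not in the cached key set after a signing-key rollover (refresh the cache and retry once, rather than reject until the cache expires). Key Point 5's auto-creation with the `viewer` role is bounded only by the issuer check in step 6, so it is worth saying explicitly that any authenticated user of that tenant gets a database record.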
