# OIDC protocol

The OIDC protocol involves the following entities:

* the **end user**, who is trying to do something
* the **web browser**, used by the user
* the **web application**, which the user uses to do things, and as part of that access resources
* the **resource provider**, where the resources are, and which allows access to them via a web API
* the **identity provider**, which authenticates the user

~~~plantuml
@startuml
user -> browser : clicks on something
browser -> app : GET /something
browser <- app : redirect to /login
browser -> app : GET /login
browser <- app: redirect to idp
browser -> idp : GET /login
browser <- idp : login form
user <- browser : show login form
user -> browser : enter login info
browser -> idp : POST login form
browser <- idp : redirect to app /callback with authz code
browser -> app : GET /callback with authz code
app -> idp : request tokens using authz code
app <- idp : access, id, and refresh tokens
app -> rp : access resource with access token
app <- rp : resource
browser <- app : page with resource
user <- browser : show what the user wanted
@enduml
~~~

---
title: Yuck or OIDC
...
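
The web application's side of two steps in the sequence above, "redirect to idp" and "GET /callback with authz code", as an added example that is not code from this project. It goes beyond the diagram by binding the callback to the user's session with the standard OAuth 2.0 `state` parameter; the URLs, client id, session dictionary and function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for illustration; a real deployment uses its own.
IDP_AUTHZ = "https://idp.example/authorize"
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID = "example-client"


def begin_login(session):
    """Build the 'redirect to idp' URL and remember a fresh state in the session."""
    session["state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",   # authorization code flow, as in the diagram
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
    })
    return f"{IDP_AUTHZ}?{query}"


def handle_callback(session, callback_url):
    """Validate 'GET /callback with authz code'; return the token request fields."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the state single use, so a replayed callback is rejected.
    expected = session.pop("state", None)
    got = params.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in params:
        raise ValueError(f"idp returned error: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    # These fields go from the app straight to the identity provider
    # ('request tokens using authz code'), never through the browser.
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
```
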