Token Based Authentication With External Identity Provider (3PO)
Here is how your service can authenticate requests using tokens issued by an external identity provider:
```mermaid
sequenceDiagram
participant Client
participant Server
participant IdentityProvider
Client->>Server: Request without token
Server-->>Client: 401 Unauthorized, redirect to IdentityProvider
Client->>IdentityProvider: Login
IdentityProvider-->>Client: JWT Token
Client->>Server: Request with token
Note right of Server: Server verifies token signature using public key from IdentityProvider
alt Token valid
Server-->>Client: Access granted
else Token invalid
Server-->>Client: 401 Unauthorized
end
```
This is also referred to as “third-party authentication” (3PO).
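The IdentityProvider and Server steps from the diagram in Go, as an added example that is not part of the original page, using only the standard library. `Issue` is a constructed stand-in for the provider (it signs with EdDSA/Ed25519 per RFC 8037 rather than the RSA keys most providers publish; the server-side check is the same shape), and `Verify` is the server's step, showing what "verifies token signature" has to include in practice: the `alg` header is pinned so a token claiming `alg=none` or another algorithm is rejected before any signature check, and issuer, audience and expiry are enforced after it. Claim names, issuer and audience values are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims holds the registered JWT claims the server enforces (exp is Unix seconds).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding // JWS uses base64url without padding

// Issue plays the IdentityProvider from the diagram: it mints a JWT signed with
// EdDSA (Ed25519, RFC 8037). Constructed stand-in for the example, not a real IdP.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify is the Server step from the diagram: pin the algorithm, check the signature
// with the IdP public key, then enforce issuer, audience and expiry. Any error means 401.
func Verify(pub ed25519.PublicKey, token, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("alg must be EdDSA") // rejects alg=none and algorithm substitution
	}
	// The signature covers header.payload exactly as received, before any decoding.
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud { return nil, errors.New("wrong issuer or audience") }
	if now >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}
```

In a real deployment the public key comes from the provider's published key set (fetched over TLS and cached, selected by the token's `kid`), and `now` is the server clock, possibly with a small skew allowance.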