Swimlanes.io is a free webapp for making sequence diagrams. You simply edit the text on the left and the diagram is updated in real time. You can download your sequence diagrams as images or distribute with a link.
Title: Back-End for Native Mobile Application

User -> Mobile App: Visits RP native mobile app
Mobile App -> Mobile App: Generates PKCE `code_pair`
Mobile App -> Native Browser: Opens up ASWebAuthenticationSession (iOS) or Custom Tabs (Android)

_: **1. User Authorization**

Native Browser -> RP Server: GET /auth/login?code_challenge=xx*
note RP Server, RP Server: RP Server to generate `authorization_url` containing all the necessary query parameters including PKCE's `code_challenge`.
RP Server -> Native Browser: `HTTP 302`
note: RP Server responds with `HTTP 302` to `authorization_url`

Native Browser -> sgID Server: Redirect user to `/oauth/authorize` endpoint
sgID Server -> sgID Server: Renders sgID QR Code
User --> sgID Server: Clicks on QR Code and approves with Singpass Mobile Application
sgID Server -> Native Browser: `HTTP 302`
note: sgID Server responds with `HTTP 302` to the supplied `redirect_uri`

Native Browser -> Mobile App: Opens up mobile app through deep links
note: Universal links for iOS and Web links for Android. `code` and `state` are passed in query parameters.

Mobile App -> RP Server: GET /auth/callback?code=xx&state=xx&code_verifier=code*
RP Server -> sgID Server: POST /oauth/token
sgID Server -> RP Server: `HTTP 200`
note: Response body contains `id_token` and `access_token`. Verification of `id_token` can be done through JWT signature verification against sgID Server's `/.well-known/jwks.json`

RP Server -> sgID Server: GET /oauth/userinfo
sgID Server -> RP Server: `HTTP 200`
note: Response body contains encrypted data which can be decrypted using RP's private key.

_: **2. Mobile App Authentication**

note User, sgID Server: Once the user has authorized RP Server to obtain their user information, RP Server will then need to authenticate the Mobile App and associate the session with a particular user. We recommend token-based authentication.
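The PKCE part of the flow above (Mobile App generating the code pair, RP Server building `authorization_url` at `/auth/login`, then checking `state` and `code_verifier` at `/auth/callback` before forwarding them to `/oauth/token`), as an added Python example that is not sgID's or any RP's own code. The sgID host, `client_id`, `redirect_uri`, scope and the in-memory session store are placeholders and assumptions; parameter names are the standard OAuth 2.0 / RFC 7636 ones, so confirm them against sgID's own documentation.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholder values; substitute the RP's real registration details.
SGID_AUTHORIZE_URL = "https://sgid.example/oauth/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "https://rp.example/auth/callback"
SCOPE = "openid"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_pkce_pair():
    """Mobile App step: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(code_challenge: str, sessions: dict) -> str:
    """RP Server step (GET /auth/login): mint a state, bind it to the
    challenge, and build the authorization_url used in the HTTP 302."""
    state = b64url(secrets.token_bytes(16))
    sessions[state] = code_challenge  # assumed server-side store
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{SGID_AUTHORIZE_URL}?{urlencode(params)}"


def verify_callback(state: str, code_verifier: str, sessions: dict) -> bool:
    """RP Server step (GET /auth/callback): state must be one we issued (single
    use), and code_verifier must hash to the challenge bound to that state.
    sgID re-checks PKCE at /oauth/token; this rejects mismatches earlier."""
    expected = sessions.pop(state, None)
    if expected is None:
        return False
    actual = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, actual)
```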