docs: rm broken link (#2215)

* docs: rm broken link

This was the only image on this page that was also a link to the image, which failed with a 404 (which is the default Nginx 404 page, BTW).

* fmt and typo

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Alex Fornuto 2021-05-20 23:13:41 -05:00 committed by GitHub
parent 38a7591395
commit 8c56d64f31
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -4,38 +4,44 @@ lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: >-
pomerium architecture
content: pomerium architecture
---
## Architecture
# Architecture
### System Level
## System Level
Pomerium sits between end users and services requiring strong authentication. After verifying identity with your identity provider (IdP), Pomerium uses a configurable policy to decide how to route your user's request and if they are authorized to access the service.
![pomerium architecture diagram](./img/pomerium-system-context.svg)
### Component Level
## Component Level
Pomerium is composed of 4 logical components:
- Proxy Service
- All user traffic flows through the proxy
- Verifies all requests with Authentication service
- Directs users to Authentication service to establish session identity
- Processes policy to determine external/internal route mappings
- Authentication Service
- Handles authentication flow to your IdP as needed
- Handles identity verification after initial Authentication
- Establishes user session cookie
- Stores user OIDC tokens in databroker service
- Authorization Service
- Processes policy to determine permissions for each service
- Handles authorization check for all user sessions
- Directs Proxy service to initiate Authentication flow as required
- Provides additional security releated headers for upstream services to consume
- Provides additional security related headers for upstream services to consume
- Data Broker Service
- Retrieves identity provider related data such as group membership
- Stores and refreshes identity provider access and refresh tokens
- Provides streaming authoritative session and identity data to Authorize service
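Review bot: Promoting every heading in this hunk by one level (`## Architecture` to `# Architecture`, `### System Level` to `## System Level`, and so on) changes the page's outline, which is what the frontmatter's `sidebarDepth: 0` setting and the sidebar rendering are keyed on; since the commit message only says "fmt and typo", it would help to state the heading promotion explicitly and confirm the rendered sidebar still looks right. The frontmatter change from the folded scalar `content: >-` / `pomerium architecture` to the single line `content: pomerium architecture` is equivalent YAML, and the `releated` to `related` fix is the typo the message refers to.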
@ -47,10 +53,10 @@ In test deployments, all four components may run from a single binary and config
![pomerium architecture diagram](./img/pomerium-container-context.svg)
### Authentication Flow
## Authentication Flow
Pomerium's internal and external component interactions during full authentication from a fresh user are diagramed below.
After initial authentication to provide a session token, only the authorization check interactions occur.
[![pomerium architecture diagram](./img/pomerium-auth-flow.svg)](/pomerium-auth-flow.svg)
![pomerium architecture diagram](./img/pomerium-auth-flow.svg)]
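Review bot: The replacement line keeps a stray trailing `]` after the image's closing parenthesis (`...pomerium-auth-flow.svg)]`), left over from unwrapping the outer link; Markdown will render that bracket as literal text next to the diagram. It should read `![pomerium architecture diagram](./img/pomerium-auth-flow.svg)`, matching the other two image lines on the page. Dropping the wrapper is otherwise correct: the removed link pointed at the site-root path `/pomerium-auth-flow.svg` while the image itself lives under `./img/`, which is consistent with the 404 described in the commit message.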