# IAM App Auth Process
## App initialization of iam-client-lib
```mermaid
sequenceDiagram
participant iam as iam-client-lib
participant cache as iam-cache-server
autonumber
iam->>cache: try to make some request to cache-server
alt 401 or 403 not received
cache->>iam: auth token is still valid. cache-server returns requested data
else 401 or 403 received
iam->>iam: add request to failed request array
alt is client already authenticating
else
end
iam->>iam: get pubkey from signature and put in local-storage
iam->>cache: Make request to login endpoint with identityToken
cache->>iam: return access_token + refresh_token as cookies (and reponse body)
end
```
## App login to its backend
The app backend is using passport-did-auth.
Note: this section is a work in progress, see https://github.com/energywebfoundation/iam-client-examples/pull/10 . Other methods could be used by app backends.
Note: Switchboard does not do this section as it does not login to a backend.
```mermaid
sequenceDiagram
participant app as app frontend
participant iam as iam-client-lib
participant pass as passport-did-auth
Note over pass: This the passport-did-auth of the app backend
autonumber
app->>iam: initialize iam-client-lib
iam->>app: Return did and, possibly, identityToken
alt identityToken is NOT returned to app from iam-client-lib initialization
app->>app: assume that login to app is done
else identityToken is returned to app from iam-client-lib initialization
app->>pass: Post identityToken to app backend's login endpoint
pass->>app: return auth cookie to the browser
end
```
## Passport-did-auth authenticate to cache-server
Passport-did-auth (LoginStrategy) itself uses the iam-cache-server and so must login to the cache-server as well.
TODO: make sequence diagram