# IAM App Auth Process

## App initialization of iam-client-lib

```mermaid
sequenceDiagram
    participant iam as iam-client-lib
    participant cache as iam-cache-server
    autonumber
    iam->>cache: try to make some request to cache-server
    alt 401 or 403 not received
        cache->>iam: auth token is still valid. cache-server returns requested data
    else 401 or 403 received
        iam->>iam: add request to failed request array
        alt is client already authenticating
        else
        end
        iam->>iam: get pubkey from signature and put in local-storage
        iam->>cache: Make request to login endpoint with identityToken
        cache->>iam: return access_token + refresh_token as cookies (and response body)
    end
```

## App login to its backend

The app backend is using passport-did-auth.

Note: this section is a work in progress, see https://github.com/energywebfoundation/iam-client-examples/pull/10. Other methods could be used by app backends.

Note: Switchboard does not do this section as it does not log in to a backend.

```mermaid
sequenceDiagram
    participant app as app frontend
    participant iam as iam-client-lib
    participant pass as passport-did-auth
    Note over pass: This is the passport-did-auth of the app backend
    autonumber
    app->>iam: initialize iam-client-lib
    iam->>app: Return did and, possibly, identityToken
    alt identityToken is NOT returned to app from iam-client-lib initialization
        app->>app: assume that login to app is done
    else identityToken is returned to app from iam-client-lib initialization
        app->>pass: Post identityToken to app backend's login endpoint
        pass->>app: return auth cookie to the browser
    end
```

## Passport-did-auth authenticate to cache-server

Passport-did-auth (LoginStrategy) itself uses the iam-cache-server and so must log in to the cache-server as well.

TODO: make sequence diagram
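
The 401/403 branch of the first diagram (App initialization of iam-client-lib), sketched as an added example that is not iam-client-lib's own code: failed requests are queued, one login is made however many requests failed, and each queued request is retried once. `makeFakeCacheServer`, `makeClient` and the token strings are hypothetical names and constructed values; the pubkey/local-storage step is not modeled, and letting later failures simply wait while a login is in flight is an assumption.

```javascript
// Constructed stand-in for iam-cache-server: answers 401 until login() has issued a token.
function makeFakeCacheServer() {
  const state = { loginCalls: 0, validToken: null };
  return {
    state,
    async login(identityToken) { // a real server would verify identityToken here
      state.loginCalls += 1;
      state.validToken = `access-${state.loginCalls}`;
      return { access_token: state.validToken, refresh_token: `refresh-${state.loginCalls}` };
    },
    async get(path, accessToken) {
      if (!state.validToken || accessToken !== state.validToken) return { status: 401 };
      return { status: 200, data: `data for ${path}` };
    },
  };
}

// Hypothetical client wrapper (not iam-client-lib's API).
function makeClient(server, identityToken) {
  let accessToken = null, authenticating = false;
  const failedRequests = [];
  const drain = () => failedRequests.splice(0);
  async function relogin() {
    try {
      accessToken = (await server.login(identityToken)).access_token;
      // Retry each queued request exactly once; a second 401/403 is returned, not looped on.
      for (const q of drain()) server.get(q.path, accessToken).then(q.resolve, q.reject);
    } catch (err) {
      for (const q of drain()) q.reject(err); // login failed: do not leave callers pending
    } finally {
      authenticating = false;
    }
  }
  async function request(path) {
    const res = await server.get(path, accessToken);
    if (res.status !== 401 && res.status !== 403) return res;
    // Diagram step: add the request to the failed request array.
    const retried = new Promise((resolve, reject) => failedRequests.push({ path, resolve, reject }));
    if (!authenticating) { // assumption: while a login is in flight, later failures only wait
      authenticating = true;
      relogin();
    }
    return retried;
  }
  return { request };
}
```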