title: Authorization Code Grant

note left of Alice's Browser: Authorization
note over Decentphotos Server: 1. Has a public/private keypair
note over Decentphotos WebID: 1. Has pub key cert
note over Alice's Browser: 2. Alice navigates to decentphotos.example
Alice's Browser->Decentphotos Server: 3. Retrieves webpage with session
Decentphotos Server->Alice's Browser:
note over Alice's Browser: 4. Alice selets her OP or WebID
Alice's Browser->Decentphotos Server: 5. Requests login with OP / WebID
Decentphotos Server->Alice's Pod (RS): 5.1 Retrieve Profile
Alice's Pod (RS)->Decentphotos Server:
Decentphotos Server->Alice's OP: 6. Requests OP configuration
Alice's OP->Decentphotos Server:
Decentphotos Server->Alice's OP: 7. Requests OP JWKS
Alice's OP->Decentphotos Server:
Decentphotos Server->Alice's Browser: 8. Redirects to Auth endpoint
Alice's Browser->Alice's OP: 9. Authorization Request
note over Alice's OP: 10. Gets Alice's consent
Alice's OP->Alice's Browser: 11. Returns to redirect_url with access_code
Alice's Browser-> Decentphotos Server: 12. Transfers Access Code
Decentphotos Server->Alice's OP: 13. Auth request with proof of private key
Alice's OP->Decentphotos WebID: 14. Retrieves app WebID
Decentphotos WebID->Alice's OP:
note over Alice's OP: 15. Validates cert with WebID
note over Alice's OP: 16. Generates an access_code
Alice's OP->Decentphotos Server: 17. Returns access_code and refresh_token

note left of Alice's Browser: SENDING REQUEST
Alice's Browser->Decentphotos Server: 1. Sends Request details
note over Decentphotos Server: 2. Creates a pop_token
Decentphotos Server->Bob's Pod (RS): 3. Request sent
note over Bob's Pod (RS): 4. Checks pop_token Audience
note over Bob's Pod (RS): 5. Checks client signature
Bob's Pod (RS)->Alice's Pod (RS): 6. Retrieves Profile
Alice's Pod (RS)->Bob's Pod (RS):
note over Bob's Pod (RS): 7. Checks Issuer
Bob's Pod (RS)->Alice's OP: 8. Retrieves OP configuration
Alice's OP->Bob's Pod (RS):
Bob's Pod (RS)->Alice's OP: 9. Requests JWKS
Alice's OP->Bob's Pod (RS):
note over Bob's Pod (RS): 10. Performs Authentication
note over Bob's Pod (RS): 11. Performs Authorization
Bob's Pod (RS)->Decentphotos Server: 12. Returns Result
Decentphotos Server->Alice's Browser: 13. Returns result

note left of Alice's Browser: REFRESH pop_token
Bob's Pod (RS)->Decentphotos Server: 1. 401: token expired
Decentphotos Server->Alice's OP: 2. Refresh token auth request
Alice's OP->Decentphotos Server: 3. Return updated token