Authentication-workflow.md

+1. the user goes to a RAP client application and click on the login button;
+2. the client application sends a POST request to RAP, specifying the callback URL;
+3. the user selects the authentication method he or she prefers or join identities;
+4. the user inserts the credentials or uses a certificate;
+5. login data (SAML response, X.509 parsed data or OAuth2 access token) returns
+to RAP;
+6. RAP checks if the user information is already stored into the database,
+otherwise the user is registered and a new user ID is assigned to he/she;
+7. a temporary token associated to the user ID is stored into the database;
+8. RAP redirects to the callback URL adding the token as a query parameter;
+9. the client application receives the token and use it to retrieve user information
+from the RAP web service;
+10. the token is deleted; unused tokens are deleted in a few minutes in any case;
+
+### OAuth2 login
+
+![rap_oauth](/uploads/51bc4aaeb3b8cd5009fb9156eeab20a0/rap_oauth.png)
+
+### SAML login
+
+![rap_saml](/uploads/b2ee6a657e7279a6c5dd100a43e76b37/rap_saml.png)
+
+### X.509 login
+
+![rap_x509](/uploads/f7c960347ed3509ed618482564809b69/rap_x509.png)
\ No newline at end of file