new mobile_auth.puml

gematik · Jun 10, 2024 · cfae4b2 · cfae4b2
1 parent 4607730
commit cfae4b2
Show file tree

Hide file tree

Showing 2 changed files with 120 additions and 21 deletions.
diff --git a/src/plantuml/mobile_auth.puml b/src/plantuml/mobile_auth.puml
@@ -0,0 +1,103 @@
+@startuml "Mobile_Auth_with_DPoP"
+autonumber "(00)"
+skinparam defaultFontSize 10
+skinparam defaultFontName Helvetica
+skinparam DefaultMonospacedFontName Courier
+skinparam lengthAdjust none
+
+!pragma teoz true
+
+actor N as "Nutzer"
+participant Client as "mobile\nClient"
+participant IDP as "IDP"
+box "Betreiber" #TECHNOLOGY
+    box "ZT Cluster" #SandyBrown
+        participant AS as "PEP\nAuthorization Server" 
+        participant HP as "PEP\nhttp Proxy"
+        participant PDP as "PDP"
+    endbox
+    box TI 2.0 Dienst #DarkSeaGreen
+        participant RS as "Resource Server"
+    endbox
+end box
+
+N -> Client
+activate Client
+alt Client has no Authorization Server FQDN
+    Client -> HP: GET /resource
+    activate HP
+    HP --> Client: 401 Unauthorized; json body with Well-Known json Document (RFC8414)
+    deactivate HP
+else Client has Authorization Server FQDN
+    Client -> HP: GET /.well-known/oauth-authorization-server 
+    activate HP
+    HP --> Client: 200 OK; json body with Well-Known json Document (RFC8414)
+    deactivate HP
+end
+
+Client -> Client: generate DPoP keypair
+alt Client has no valid refrash token
+Client -> AS: GET /nonce
+activate AS
+AS --> Client: return 200 OK new-nonce: nonce
+
+Client -> Client: Retrieve IDP list (from /idp.app.ti-dienste.de/directory/fed_idp_list)
+Client -> Client: Select IDP
+Client -> AS: GET /auth (selected_idp)
+AS -> IDP: POST /par (client_id, state, redirect_uri\n\
+code_challenge, code_challenge_method, response_type=code,\n\
+nonce, scope, acr_values)
+activate IDP
+IDP --> AS: 200 OK,\n\
+(request_uri, expires_in)
+AS --> Client: 302 Redirect (location: IDP authorization_endpoint, request_uri)
+Client -> IDP: GET /authorize (request_uri)
+group #White User Authentication and consent 
+IDP -> Client: Challenge (Consent Page)
+Client -> N: 
+N --> Client: 
+Client --> IDP: Challenge response
+end
+IDP --> Client: 200 OK, (code, state)
+Client -> AS: POST /token (code, grant_type=authorization_code,\n\
+redirect_uri, code_verifier)
+AS -> IDP: POST /token (code, grant_type=authorization_code,\n\
+redirect_uri, code_verifier)
+IDP --> AS: 200 OK, (id_token)
+deactivate IDP
+
+AS -> AS: verify id_token
+AS -> AS: Create state for Identity/App/Device
+else Client has valid Refresh token
+Client -> AS: POST /token\n\
+  (Refresh token and DPoP JWT)
+AS -> AS: verify Refresh token, DPoP
+AS -> AS: invalidate Refresh token
+end
+
+AS -> PDP: POST /v1/data/authz, json body {  "input": {...}} 
+activate PDP
+PDP --> AS: 200 OK, json body {"result": {"allow": true, ...}}
+deactivate PDP
+AS -> AS: issue Access and Refresh token with DPoP Binding
+AS --> Client: 200 OK, Access token, Refresh token, bound to DPoP
+deactivate AS
+Client -> Client: Create DPoP Proof for RS
+
+Client -> HP: GET /resource (Access token, DPoP Proof)
+activate HP
+HP -> HP: verify access token and\nDPoP Binding
+HP -> RS: forward GET /resource\n\
+(access token, DPoP)
+activate RS
+RS -> RS: provide\n\
+resource\n\
+access
+RS --> HP: 200 OK, resource
+deactivate RS
+HP --> Client: 200 OK, resource
+deactivate HP
+deactivate RS
+deactivate Client
+
+@enduml
diff --git a/src/plantuml/sm-b-auth.puml b/src/plantuml/sm-b-auth.puml
@@ -15,7 +15,7 @@ end box
 
 box "Betreiber" #TECHNOLOGY
     box "ZT Cluster" #SandyBrown
-        participant AuthS as "PEP\nAuthorization Server" 
+        participant AS as "PEP\nAuthorization Server" 
         participant HP as "http Proxy"
         participant PDP as "PDP"
     endbox
@@ -39,9 +39,9 @@ end
 
 Client -> Client: generate DPoP keypair
 alt Client has no valid refrash token
-Client -> AuthS: GET /nonce
-activate AuthS
-AuthS --> Client: return 200 OK new-nonce: nonce
+Client -> AS: GET /nonce
+activate AS
+AS --> Client: return 200 OK new-nonce: nonce
 Client -> Client: create Client Assertion JWT with nonce\n  Client and OS Information\n  DPoP Thumbprint
 Client -> Konnektor: externalAuthenticate JWT-hash
 activate Konnektor
@@ -55,31 +55,27 @@ deactivate Konnektor
 Client -> Client: add SM-B Signature to Client Assertion JWT\n\
 cC4h... (Client Assertion JWT)
 Client -> Client: create DPoP Proof JWT with nonce
-Client -> AuthS: POST /token\n\
-  (Client Assertion JWT and DPoP JWT)\n\
-  ""DPoP: eyJh...""\n\
-  ""grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer""\n\
-  ""assertion=cC4h...""\n\
-  ""scope=...""
-note left of AuthS
+Client -> AS: POST /token\n\
+  (Client Assertion JWT and DPoP JWT)
+note left of AS
   RFC7523 (JWT Client Assertion), RFC9449 (DPoP)
 end note
-AuthS -> AuthS: verify Client Assertion JWT and DPoP JWT
-AuthS -> AuthS: Create state for Identity/App/Device
+AS -> AS: verify Client Assertion JWT and DPoP JWT
+AS -> AS: Create state for Identity/App/Device
 else Client has valid Refresh token
-Client -> AuthS: POST /token\n\
+Client -> AS: POST /token\n\
   (Refresh token and DPoP JWT)
-AuthS -> AuthS: verify Refresh token, DPoP
-AuthS -> AuthS: invalidate Refresh token
+AS -> AS: verify Refresh token, DPoP
+AS -> AS: invalidate Refresh token
 end
 
-AuthS -> PDP: POST /v1/data/authz, json body {  "input": {...}} 
+AS -> PDP: POST /v1/data/authz, json body {  "input": {...}} 
 activate PDP
-PDP --> AuthS: 200 OK, json body {"result": {"allow": true, ...}}
+PDP --> AS: 200 OK, json body {"result": {"allow": true, ...}}
 deactivate PDP
-AuthS -> AuthS: issue Access and Refresh token with DPoP Binding
-AuthS --> Client: 200 OK, Access token, Refresh token, bound to DPoP
-deactivate AuthS
+AS -> AS: issue Access and Refresh token with DPoP Binding
+AS --> Client: 200 OK, Access token, Refresh token, bound to DPoP
+deactivate AS
 Client -> Client: Create DPoP Proof for RS
 
 Client -> HP: GET /resource (Access token, DPoP Proof)