changed details and labels
ofegem committed Feb 28, 2024
1 parent 7e16add commit 0f6596c
Showing 2 changed files with 42 additions and 34 deletions.
2 changes: 1 addition & 1 deletion src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv.puml
Expand Up @@ -66,7 +66,7 @@ activate app
|||
app -> hs++: GET https://client.homeserver-tim.de/_matrix/client/v3/login/sso/redirect/sektoraler-idp
|||
group #MistyRose <size:16>Changed behavior because OIDC PAR is required</size>
group #Linen <size:16>Changed behavior because OIDC PAR is required</size>
hs --> pr --++: 302 Redirect\n\
""location: https://sektoraler-idp.de/login/oauth?""\n\
""response_type=code&""\n\
74 changes: 41 additions & 33 deletions src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv_simplified.puml
@@ -1,11 +1,12 @@
@startuml "TI-Messenger_OIDC_Login"
@startuml "TI-Messenger_OIDC_Login_simplified"
skinparam sequenceMessageAlign direction
skinparam WrapWidth 300
skinparam minClassWidth 150
skinparam BoxPadding 1
skinparam ParticipantPadding 50
skinparam sequenceReferenceHeaderBackgroundColor palegreen
scale max 2048 width
skinparam maxMessageSize 400

skinparam sequence {
ArrowColor black
Expand All @@ -28,15 +29,15 @@ ActorFontSize 20

autonumber

actor us as "Versicherter"
actor us as "Akteur in der\nRolle Versicherter"
box <size:19>Endgerät</size> #WhiteSmoke
participant app as "TI-M Client\n(Browser)"
end box
box <size:19>TI-Messenger Service</size> #WhiteSmoke
participant pr as "TI-M Proxy"
participant hs as "Matrix\nHomeserver\n(Relying party für IDP)"
end box
participant mc as "Webserver\nliefert\nTIM-Web-App aus"
participant mc as "Webserver"
participant idp as "Sektoraler\nIDP"

|||
Expand All @@ -48,70 +49,77 @@ activate app
activate mc
mc --> app --: Webanwendung
group <size:16>OIDC Login</size>
app -> hs ++: GET {homeserver_client_api_url}/login
app -> hs ++: GET ""{homeserver_client_api_url}""/login
hs --> app --: 200 OK :Login Types
note right
enthalten: ID des sektoralen IDP: ""{sidp}""
end note
|||
opt #LightYellow <size:16>Registration</size>
app -> hs ++: POST {homeserver_client_api_url}/register (initial_device_display_name, refresh_token)
opt #LightYellow <size:16>Auswahl durch Akteur: Registrierungs- statt Login-Funktion</size>
app -> hs ++: POST ""{homeserver_client_api_url}""/register (initial_device_display_name, refresh_token)
hs --> app --: 401 Unauthorized
note right
Homeserver benötigt zusätzliche Authentisierungsinformationen
end note
|||
end 'opt
end
|||
app -> hs++: GET {homeserver_client_api_url}/login/sso/redirect/{sidp}
app -> hs++: GET ""{homeserver_client_api_url}""/login/sso/redirect/""{sidp}""
|||
group #MistyRose <size:16>Changed behavior because OIDC PAR is required</size>
group #Linen <size:16>Verhaltensänderung, da der sektorale IDP OIDC PAR erfordert</size>
hs --> pr --++: 302 Redirect :location, :response_type, :client_id, :redirect_uri, :scope, :state, :code_challenge
|||
pr -> idp ++: POST {sektoraler_idp_url}/par (response_type, redirect_uri, code_challenge, scope)
pr -> idp ++: POST ""{sektoraler_idp_url}""/par (response_type, redirect_uri, code_challenge, scope)

idp --> pr --: 200 OK :request_uri
|||
pr --> app --: 302 Redirect {sektoraler_idp_url}/login/oauth/authorize (request_uri)
pr --> app --: 302 Redirect ""{sektoraler_idp_url}""/login/oauth/authorize (request_uri)
|||
end 'group
end
|||
group #LightBlue <size:16>IDP authentication</size>
app -> idp ++: GET {sektoraler_idp_url}/login/oauth/authorize (request_uri)
group #LightBlue <size:16>IDP Authentisierung</size>
app -> idp ++: GET ""{sektoraler_idp_url}""/login/oauth/authorize (request_uri)
|||
group #DarkGray <size:16>Black box with example</size>
group #DarkGray <size:16>IDP Challenge-Response</size>
idp --> app: Challenge
app -> us: Consent Page
us --> app: Approval
app -> idp: Response

|||
end 'group
end
|||
idp --> app --: 302 Redirect {redirect_uri} :auth_code, :state
|||
end 'group
end
|||
app -> hs ++: GET {redirect_uri} (auth_code, state)
app -> hs ++: GET ""{redirect_uri}"" (auth_code, state)
|||
hs -> idp ++: POST {sektoraler_idp_url}/token-endpoint (auth_code, code_verifier)
hs -> idp ++: POST ""{sektoraler_idp_url}""/token-endpoint (auth_code, code_verifier)
idp --> hs --: 200 OK :id_token
opt #LightYellow <size:16>kein passender Benutzer-Account zum id_token vorhanden</size>
hs -> hs: /register (initial_device_display_name, refresh_token, id_token)
note left
Benutzer-Account anlegen
end note
|||

hs --> app --: 200 OK HTML Consent Page, Zugriff TIM-Web-App auf Matrix Account\n\
<font color=red>""<a href="https://TIM-Web-App/?loginToken=example-matrix-login-token" class="primary-button">Continue</a>""</font>


end
|||
app -> mc ++: GET <font color=red>https://TIM-Web-App/?loginToken=example-matrix-login-token</font>
mc --> app--: 200 OK <font color=red>HTML ""...""</font>
hs --> app --: 200 OK :loginToken
note right
HTML Consent Page, Zugriff
TIM-Web-App auf Matrix Account
end note
|||

app -> hs ++: POST {homeserver_client_api_url}/login (matrix-login-token, initial_device_display_name)

app -> mc ++: GET ""{client_url}"" (loginToken)
mc --> app--: 200 OK
note right
personalisierte HTML-
Seite für den Client
end note
|||
app -> hs ++: POST ""{homeserver_client_api_url}""/login (loginToken, initial_device_display_name)
hs --> app --: 200 OK :user_id, :access_token, :home_server, :device_id, :well_known

|||
end 'group
app --> us: Login successful
end
app --> us: Login erfolgreich
@enduml
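Review bot: The PAR request `pr -> idp ++: POST ""{sektoraler_idp_url}""/par (response_type, redirect_uri, code_challenge, scope)` drops `client_id` and `state`, although the homeserver's 302 one step earlier carries both and the IdP later returns `state` on the redirect to `{redirect_uri}`; as drawn, `state` never reaches the IdP. The pushed request should carry the full authorization request, e.g. `pr -> idp ++: POST ""{sektoraler_idp_url}""/par (response_type, client_id, redirect_uri, scope, state, code_challenge)`, and the two authorize requests that follow (the 302 to the client and the client's GET) should list `client_id` next to `request_uri`, since RFC 9126 requires `client_id` alongside `request_uri` at the authorization endpoint. It would also help readers if the step `app -> hs ++: GET ""{redirect_uri}"" (auth_code, state)` carried a note that the homeserver must match `state` against the pending login before calling the token endpoint with the `code_verifier` bound to that login. Finally, the new `app -> mc ++: GET ""{client_url}"" (loginToken)` step hands the token to the webserver as a query parameter, which ends up in server logs and Referer headers; a note that this token is expected to be single-use and short-lived would make that trade-off explicit.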
