diff --git a/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv.puml b/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv.puml index deffeba1..497b767c 100644 --- a/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv.puml +++ b/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv.puml @@ -66,7 +66,7 @@ activate app ||| app -> hs++: GET https://client.homeserver-tim.de/_matrix/client/v3/login/sso/redirect/sektoraler-idp ||| - group #MistyRose Changed behavior because OIDC PAR is required + group #Linen Changed behavior because OIDC PAR is required hs --> pr --++: 302 Redirect\n\ ""location: https://sektoraler-idp.de/login/oauth?""\n\ ""response_type=code&""\n\ diff --git a/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv_simplified.puml b/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv_simplified.puml index 720bf5bf..ac9853a4 100644 --- a/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv_simplified.puml +++ b/src/plantuml/TI-M_ePA/TI-Messenger_OIDC_login_fdv_simplified.puml @@ -1,4 +1,4 @@ -@startuml "TI-Messenger_OIDC_Login" +@startuml "TI-Messenger_OIDC_Login_simplified" skinparam sequenceMessageAlign direction skinparam WrapWidth 300 skinparam minClassWidth 150 @@ -6,6 +6,7 @@ skinparam BoxPadding 1 skinparam ParticipantPadding 50 skinparam sequenceReferenceHeaderBackgroundColor palegreen scale max 2048 width +skinparam maxMessageSize 400 skinparam sequence { ArrowColor black @@ -28,7 +29,7 @@ ActorFontSize 20 autonumber -actor us as "Versicherter" +actor us as "Akteur in der\nRolle Versicherter" box Endgerät #WhiteSmoke participant app as "TI-M Client\n(Browser)" end box @@ -36,7 +37,7 @@ box TI-Messenger Service #WhiteSmoke participant pr as "TI-M Proxy" participant hs as "Matrix\nHomeserver\n(Relying party für IDP)" end box -participant mc as "Webserver\nliefert\nTIM-Web-App aus" +participant mc as "Webserver" participant idp as "Sektoraler\nIDP" ||| @@ -48,70 +49,77 @@ activate app activate mc mc --> app --: Webanwendung group OIDC Login - app -> hs ++: GET {homeserver_client_api_url}/login + app -> hs ++: GET ""{homeserver_client_api_url}""/login hs --> app --: 200 OK :Login Types note right enthalten: ID des sektoralen IDP: ""{sidp}"" end note ||| - opt #LightYellow Registration - app -> hs ++: POST {homeserver_client_api_url}/register (initial_device_display_name, refresh_token) + opt #LightYellow Auswahl durch Akteur: Registrierungs- statt Login-Funktion + app -> hs ++: POST ""{homeserver_client_api_url}""/register (initial_device_display_name, refresh_token) hs --> app --: 401 Unauthorized note right Homeserver benötigt zusätzliche Authentisierungsinformationen end note ||| - end 'opt + end ||| - app -> hs++: GET {homeserver_client_api_url}/login/sso/redirect/{sidp} + app -> hs++: GET ""{homeserver_client_api_url}""/login/sso/redirect/""{sidp}"" ||| - group #MistyRose Changed behavior because OIDC PAR is required + group #Linen Verhaltensänderung, da der sektorale IDP OIDC PAR erfordert hs --> pr --++: 302 Redirect :location, :response_type, :client_id, :redirect_uri, :scope, :state, :code_challenge ||| - pr -> idp ++: POST {sektoraler_idp_url}/par (response_type, redirect_uri, code_challenge, scope) + pr -> idp ++: POST ""{sektoraler_idp_url}""/par (response_type, redirect_uri, code_challenge, scope) idp --> pr --: 200 OK :request_uri ||| - pr --> app --: 302 Redirect {sektoraler_idp_url}/login/oauth/authorize (request_uri) + pr --> app --: 302 Redirect ""{sektoraler_idp_url}""/login/oauth/authorize (request_uri) ||| - end 'group + end ||| - group #LightBlue IDP authentication - app -> idp ++: GET {sektoraler_idp_url}/login/oauth/authorize (request_uri) + group #LightBlue IDP Authentisierung + app -> idp ++: GET ""{sektoraler_idp_url}""/login/oauth/authorize (request_uri) ||| - group #DarkGray Black box with example + group #DarkGray IDP Challenge-Response idp --> app: Challenge app -> us: Consent Page us --> app: Approval app -> idp: Response - ||| - end 'group + end ||| idp --> app --: 302 Redirect {redirect_uri} :auth_code, :state ||| - end 'group + end ||| - app -> hs ++: GET {redirect_uri} (auth_code, state) + app -> hs ++: GET ""{redirect_uri}"" (auth_code, state) ||| - hs -> idp ++: POST {sektoraler_idp_url}/token-endpoint (auth_code, code_verifier) + hs -> idp ++: POST ""{sektoraler_idp_url}""/token-endpoint (auth_code, code_verifier) idp --> hs --: 200 OK :id_token + opt #LightYellow kein passender Benutzer-Account zum id_token vorhanden + hs -> hs: /register (initial_device_display_name, refresh_token, id_token) + note left + Benutzer-Account anlegen + end note ||| - - hs --> app --: 200 OK HTML Consent Page, Zugriff TIM-Web-App auf Matrix Account\n\ - ""Continue"" - - + end ||| - app -> mc ++: GET https://TIM-Web-App/?loginToken=example-matrix-login-token - mc --> app--: 200 OK HTML ""..."" + hs --> app --: 200 OK :loginToken + note right + HTML Consent Page, Zugriff + TIM-Web-App auf Matrix Account + end note ||| - - app -> hs ++: POST {homeserver_client_api_url}/login (matrix-login-token, initial_device_display_name) - + app -> mc ++: GET ""{client_url}"" (loginToken) + mc --> app--: 200 OK + note right + personalisierte HTML- + Seite für den Client + end note + ||| + app -> hs ++: POST ""{homeserver_client_api_url}""/login (loginToken, initial_device_display_name) hs --> app --: 200 OK :user_id, :access_token, :home_server, :device_id, :well_known - ||| - end 'group - app --> us: Login successful + end + app --> us: Login erfolgreich @enduml