diff --git a/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml b/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml
index 4bae2164..459bd0c9 100644
--- a/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml
+++ b/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml
@@ -31,7 +31,6 @@ autonumber "(0)"
 actor us as "Versicherter"
 box Endgerät #WhiteSmoke
 participant app as "TI-M Client\n(Browser)"
- participant au as "Authenticator\ndes sektoralen IDP"
 end box
 box TI-Messenger Service #WhiteSmoke
 participant pr as "TI-M Proxy"
@@ -47,17 +46,17 @@ us -> app: starte App
 activate app
 app -> mc: Lade Matrix-Web-Client
 activate mc
- mc --> app: Webanwendung
+ mc --> app --: Webanwendung
 group OIDC Login
- app -> hs: GET https://client.homeserver-tim.de/_matrix/client/v3/login
- hs --> app: 200 OK ""{"flows":[{"type":"m.login.sso","identity_providers":[""\n\
+ app -> hs ++: GET https://client.homeserver-tim.de/_matrix/client/v3/login
+ hs --> app --: 200 OK ""{"flows":[{"type":"m.login.sso","identity_providers":[""\n\
 ""{"id":"sektoraler-idp","name":"Sektoraler-IDP","icon":"mxc://..","brand":"sektoraler-idp"},""\n\
 ""{"type":"m.login.token"}]}""
 |||
 opt #LightYellow Registration
- app -> hs: POST https://client.homeserver-tim.de/_matrix/client/v3/register\n\
+ app -> hs ++: POST https://client.homeserver-tim.de/_matrix/client/v3/register\n\
 ""{"initial_device_display_name":"TIM-Web-App: Firefox auf Windows","refresh_token":true}""
- hs --> app: 401 Unauthorized ""{"session":"...","flows":[""\n\
+ hs --> app --: 401 Unauthorized ""{"session":"...","flows":[""\n\
 ""{"stages":["m.login.recaptcha","m.login.terms","m.login.email.identity"]}],""\n\
 """params":{"m.login.recaptcha":{"public_key":"..."},""\n\
 """m.login.terms":{"policies":{"privacy_policy":{"version":"1.0","en":{"name":"Terms and Conditions",""\n\
@@ -65,11 +64,11 @@ activate app
 |||
 end 'opt
 |||
- app -> hs: GET https://client.homeserver-tim.de/_matrix/client/v3/login/sso/redirect/sektoraler-idp
+ app -> hs++: GET https://client.homeserver-tim.de/_matrix/client/v3/login/sso/redirect/sektoraler-idp
 |||
 group #MistyRose Changed behavior because OIDC PAR is required
- hs --> pr: 302 Redirect\n\
- ""location: https://sektoraler-idp.de/login/oauth?""\n\
+ hs --> pr --++: 302 Redirect\n\
+ ""location: https://sektoraler-idp.de/login/oauth?""\n\
 ""response_type=code&""\n\
 ""client_id=example-client-id&""\n\
 ""redirect_uri=https%3A%2F%2Fclient.homeserver-tim.de%2F_synapse%2Fclient%2Foidc%2Fcallback&""\n\
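Review bot: The rewritten `""location: https://sektoraler-idp.de/login/oauth?""` line names the IDP authorization endpoint as `/login/oauth`, while the PAR-based redirect the proxy issues later in this file uses `/login/oauth/authorize`; if both are meant to be the same endpoint, the two paths should agree so a reader does not take the proxy's rewrite for a change of endpoint. The 302 is drawn as `hs --> pr --++` although a `location` header is a browser redirect, so a short `note over pr: intercepts the homeserver 302 and replaces its query parameters with a PAR request_uri` would make the group title `Changed behavior because OIDC PAR is required` self-explanatory. The group opened on the `group #MistyRose` line closes outside this hunk.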
@@ -78,63 +77,62 @@ activate app
 ""code_challenge=...&code_challenge_method=S256""\n\
 ""set-cookie: ...=...; ...""\n\
 ""...""
+
 |||
- pr -> idp: POST https://sektoraler-idp.de/par\n\
+ pr -> idp ++: POST https://sektoraler-idp.de/par\n\
 ""Content-Type: application/x-www-form-urlencoded""\n\
 ""response_type=code&client_id=example-client-id&state=example-state&""\n\
 ""redirect_uri=https%3A%2F%2Fclient.homeserver-tim.de%2F_synapse%2Fclient%2Foidc%2Fcallback""\n\
 ""&code_challenge=...&code_challenge_method=S256&""\n\
 ""scope=openid+urn:telematik:display_name+urn:telematik:given_name+urn:telematik:versicherter&""
- activate idp
- idp --> pr: 200 OK\n\
+
+ idp --> pr --: 200 OK\n\
 ""Content-Type: application/json""\n\
 ""{"request_uri":"urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2","expires_in": 90}""
 |||
- pr --> app: 302 Redirect\n\
- ""location: https://sektoraler-idp.de/login/oauth/authorize? _""\n\
+ pr --> app --: 302 Redirect\n\
+ ""location: https://sektoraler-idp.de/login/oauth/authorize? ""\n\
 ""request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2""
 |||
 end 'group
 |||
 group #LightBlue IDP authentication
- app -> idp: GET https://sektoraler-idp.de/login/oauth/authorize?request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2
+ app -> idp ++: GET https://sektoraler-idp.de/login/oauth/authorize?request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2
 |||
 group #DarkGray Black box with example
 idp --> app: Challenge
- activate au
 app -> us: Consent Page
 us --> app: Approval
 app -> idp: Response
- deactivate au
+
 |||
 end 'group
 |||
- idp --> app: 302 Redirect ""location: https://client.homeserver-tim.de/_synapse/client/oidc/callback?code=example-auth-code&state=example-state""
- deactivate idp
+ idp --> app --: 302 Redirect ""location: https://client.homeserver-tim.de/_synapse/client/oidc/callback?code=example-auth-code&state=example-state""
 |||
 end 'group
 |||
- app -> hs: GET https://client.homeserver-tim.de/_synapse/client/oidc/callback?code=example-auth-code&state=example-state\n\
+ app -> hs ++: GET https://client.homeserver-tim.de/_synapse/client/oidc/callback?code=example-auth-code&state=example-state\n\
 ""Cookie: ...=...""
 |||
- hs -> idp: POST https://sektoraler-idp.de/token-endpoint\n\
+ hs -> idp ++: POST https://sektoraler-idp.de/token-endpoint\n\
 ""Content-Type: application/x-www-form-urlencoded""\n\
 ""authorization_code=code&code_verifier=...""
- idp --> hs: 200 OK\n\
+ idp --> hs --: 200 OK\n\
 ""Content-Type: application/json""\n\
 ""{"id_token":"...","expires_in": 90}""
 |||
- hs --> app: 200 OK HTML Consent Page, Zugriff TIM-Web-App auf Matrix Account\n\
+ hs --> app --: 200 OK HTML Consent Page, Zugriff TIM-Web-App auf Matrix Account\n\
 ""Continue""
 |||
- app -> mc: GET https://TIM-Web-App/?loginToken=example-matrix-login-token
- mc --> app: 200 OK HTML ""...""
+ app -> mc ++: GET https://TIM-Web-App/?loginToken=example-matrix-login-token
+ mc --> app--: 200 OK HTML ""...""
 |||
- app -> hs: POST https://client.homeserver-tim.de/_matrix/client/v3/login\n\
+ app -> hs ++: POST https://client.homeserver-tim.de/_matrix/client/v3/login\n\
 ""{"token":"example-matrix-login-token",""\n\
 """initial_device_display_name":"TIM-Web-App: Firefox on macOS",""\n\
 """type":"m.login.token"}""
- hs --> app: 200 OK\n\
+ hs --> app --: 200 OK\n\
 ""{"user_id":"@username:homeserver-tim.de",""\n\
 """access_token":"example-matrix-access-token",""\n\
 """home_server":"homeserver-tim.de",""\n\
@@ -142,4 +140,5 @@ activate app
 """well_known":{"m.homeserver":{"base_url":"https://client.homeserver-tim.de/"}}}""
 |||
 end 'group
+ app --> us: Login successful
 @enduml
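Review bot: The token request under the rewritten `hs -> idp ++: POST https://sektoraler-idp.de/token-endpoint` line still carries `""authorization_code=code&code_verifier=...""`, which is not an RFC 6749 §4.1.3 body: the grant is selected with `grant_type=authorization_code`, the code travels in `code`, and `redirect_uri` is required there because the PAR request sent one. Suggested replacement for that continuation line: `""grant_type=authorization_code&code=example-auth-code&code_verifier=...&""\n\` followed by `""redirect_uri=https%3A%2F%2Fclient.homeserver-tim.de%2F_synapse%2Fclient%2Foidc%2Fcallback""`. The two `authorize?request_uri=...` messages (`pr --> app --` and `app -> idp ++`) should likewise carry `client_id=example-client-id`, which RFC 9126 expects alongside `request_uri`. Whether the homeserver checks the callback's `state` against the session bound by `""Cookie: ...=...""` is not visible in the diagram; a short `note over hs: verify state matches the session cookie` before the token request would document that check.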
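Review bot: The added `app --> us: Login successful` leaves the activation opened by `activate app` at the top of the flow running to `@enduml`, while every other message in this commit now closes its activation with the `--` shorthand. Writing it as `app --> us --: Login successful` would end the client's activation bar on the final message and keep the diagram's activation style uniform.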