Closed gboege closed 4 years ago
Adding @gboege's great visual explanation too:
https://docs.google.com/document/d/1U0kcHuqVapm8_S4El-a9vgzAWbt8PypiN95zlKYpoXw
Please note the following for the attached demo XACML Request:
closed by #39

Important:
A) Incoming requests:
1) We have already extracted the header-Header from the message and you have all enclosed data at hand.
2) We have extracted and validated the DAPS JWT -> New: We have to compare the issuer ID from the header-Header with the issuer from the DAPS JWT.
3) We already have the Verb and Path from the request.
4) New: We now need to extract and secret-validate the data from the Authorization JWT. (Secret must be configured; Domain and AppID now come from the Authorization JWT.)
5) Update the XACML request (I will create a temp -> with shortest exp Date).

Outgoing Response: The response does not need an Authorization token. The header-Object Header should be created and attached as it is now, until the next version.

B) Outgoing requests (Notifications): The header-Object Header should be created and attached as it is now, until the next version. No generation/attachment of an Authorization header (might already be added by Orion).

Incoming Response:
1) We have already extracted the header-Header from the message and you have all enclosed data at hand.
2) We have extracted and validated the DAPS JWT -> We have to compare the issuer from the header-Header with the issuer from the DAPS JWT.
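The incoming-request steps 2, 4 and 5 above (issuer comparison, secret validation of the Authorization JWT, building the XACML request), worked through as an added example that is not code from this project or its author. It assumes an HS256-signed Authorization JWT verified with the configured shared secret, a header object whose issuer lives in a field named `issuer`, claim names `Domain`, `AppID` and `exp` in the Authorization JWT, and that the DAPS JWT has already been validated elsewhere so only its claims are passed in; the XACML request layout and the "shortest exp date" rule are likewise assumptions. The `sign_hs256` helper exists only to construct sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT. Used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Secret-validate an Authorization JWT (step 4).

    The algorithm is pinned to HS256 (never trusted from the token header),
    the signature is compared in constant time, and a future exp is required.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWT header")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad JWT signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("JWT expired or missing exp")
    return claims


def authorize_incoming(message_header: dict, daps_claims: dict, auth_token: str,
                       secret: bytes, verb: str, path: str, now: Optional[float] = None) -> dict:
    """Steps 2, 4 and 5 for an incoming request.

    daps_claims are the claims of the already-validated DAPS JWT; message_header
    is the header object extracted from the message (field names assumed).
    """
    # Step 2: the issuer carried in the message header must match the DAPS JWT issuer
    if message_header.get("issuer") != daps_claims.get("iss"):
        raise PermissionError("issuer in message header does not match DAPS JWT issuer")
    # Step 4: Domain and AppID come from the secret-validated Authorization JWT
    auth_claims = verify_hs256(auth_token, secret, now)
    try:
        domain, app_id = auth_claims["Domain"], auth_claims["AppID"]
    except KeyError as missing:
        raise ValueError(f"Authorization JWT lacks claim {missing}") from None
    # Step 5 (assumed reading): the XACML request carries the shorter of the two expiry dates
    exp = min(daps_claims["exp"], auth_claims["exp"])
    return {
        "Request": {
            "AccessSubject": {"issuer": daps_claims["iss"], "Domain": domain, "AppID": app_id},
            "Action": {"verb": verb},
            "Resource": {"path": path},
            "Environment": {"exp": exp},
        }
    }


if __name__ == "__main__":
    # Constructed sample data: a shared secret, a DAPS issuer and a short-lived Authorization JWT
    secret = b"configured-shared-secret"
    now = 1_700_000_000
    daps = {"iss": "https://daps.example.test", "exp": now + 3600}
    header = {"issuer": "https://daps.example.test"}
    token = sign_hs256({"Domain": "demo", "AppID": "app-1", "exp": now + 600}, secret)
    print(json.dumps(authorize_incoming(header, daps, token, secret, "GET", "/v2/entities", now), indent=2))
```

A mismatched issuer is rejected before the Authorization JWT is even parsed, so a forged header object cannot be paired with a valid DAPS token from another connector; a token signed with a different secret, an expired token, or a token whose header claims `alg: none` all fail in `verify_hs256`.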