swp-fu-eid / eid-fu-swp

Docker-based REST API implemented with Django and restframework.
MIT License

Create infrastructure overview #14

Closed auvin closed 7 years ago

auvin commented 7 years ago

Create a figure which describes all needed components and the communication between them in the eid authentication process (like the figure on this page: https://www.bsi.bund.de/EN/Topics/ElectrIDDocuments/German-eID/eID-Infrastructure/eID-Infrastructure_node.html). Add the swp-component to the figure and adjust the communication. As we currently can't describe the whole process, the figure should be work in progress and adjusted if necessary.

auvin commented 7 years ago

First try with oAuth (example) and the results of the discussions last week. Maybe a flow chart would be the better option. Here is the link, if you want to edit it: eID-Infrastructure

eid

  1. Request resource
  2. GET resource
  3. HTTP 302 authorization request
  4. GET authorization request
  5. Redirection to eID-client if the client is running
  6. Focus eID-client
  7. Input authorization (apply eID-card)
  8. Some communication with eID-server? I don't know.
  9. Redirection
  10. POST Confirmation and authorization
  11. HTTP 302 Authorization code
  12. Authorization code
  13. POST authorization code and redirection URL
  14. Access token and optional refresh token
  15. GET resource with access token
  16. HTTP 200 resource
  17. HTTP 200 resource
  18. Display resource
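
The authorization-code part of the flow listed above (steps 3 and 10 to 14), as an added example that is not part of the original thread or the project's code: a minimal in-memory authorization server and relying party showing why step 13 posts the redirection URL together with the code. The client id, the URLs, the class names and the 60-second code lifetime are assumptions; client authentication at the token endpoint and the optional refresh token are left out.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values (assumptions, not taken from the project).
CLIENT_ID, REDIRECT_URI = "rp-demo", "https://rp.example/callback"
REGISTERED = {CLIENT_ID: {REDIRECT_URI}}
CODE_TTL = 60  # seconds an authorization code stays valid

class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock, self.codes = clock, {}

    def authorize(self, client_id, redirect_uri, state):
        """Steps 10-11: user confirmed; return the 302 target carrying the code."""
        if redirect_uri not in REGISTERED.get(client_id, set()):
            raise PermissionError("unregistered client or redirect URI")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, self.clock() + CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri):
        """Steps 13-14: exchange code + redirection URL for an access token."""
        entry = self.codes.pop(code, None)  # pop: a code is usable only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        if entry[:2] != (client_id, redirect_uri):
            raise PermissionError("code was issued for another client or URL")
        if self.clock() > entry[2]:
            raise PermissionError("code expired")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

class RelyingParty:
    def __init__(self, server):
        self.server, self.pending = server, set()

    def authorization_request(self):
        """Step 3: parameters of the 302 authorization request."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)  # remembered to match the later callback
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}

    def callback(self, url):
        """Steps 12-14: accept a code only for a state this RP issued itself."""
        query = parse_qs(urlsplit(url).query)
        state = query.get("state", [""])[0]
        if state not in self.pending:
            raise PermissionError("state does not match a pending request")
        self.pending.remove(state)
        return self.server.token(CLIENT_ID, query["code"][0], REDIRECT_URI)
```
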

larissazech commented 7 years ago

flowchart

These are the results of yesterday's discussion. We decided to switch from an organization chart to a flow chart. We will discuss this version today and publish the final version to the wiki afterwards.

For editing, please download this .txt-file and change its extension to .xml manually (can't upload xml here). FlowChart.txt Then, go to draw.io and upload the xml-file.

larissazech commented 7 years ago

Update: flowchart_update

Tried to make it more obvious which message belongs to which standard.

FlowChart_update.txt

larissazech commented 7 years ago

OpenID Connect

Considering only the OpenID Connect Process, this is how the communication protocol is specified in the official spec (OpenID Connect Core 1.0): openid_connect_original

  1. The RP (Client) sends a request to the OpenID Provider (OP).
  2. The OP authenticates the End-User and obtains authorization.
  3. The OP responds with an ID Token and usually an Access Token.
  4. The RP can send a request with the Access Token to the UserInfo Endpoint.
  5. The UserInfo Endpoint returns Claims about the End-User.

Based on the above flow chart, this is what I assume our OpenID Connect Process looks like: openid_connect_oursolution

We should discuss if this discrepancy is tolerable.

OpenID_Connect.txt

janles commented 7 years ago

I reviewed the sequence diagram in respect of the following two papers from yesterday: TR-eID-Server and Heise: OpenID Connect: Login mit OAuth, Teil 1 – Grundlagen

After authentication is complete, the authorization server issues the application an authorization code (as is usual with OAuth). This code is sent to the media service through the user agent via an HTTP redirect.

I guess the browser (if the browser is really needed) will transport the information from OP to RP (KVV), only. So, (4) Access Token of your picture should point from "Browser" to "KVV", too.

We should present the second sequence diagram, today.

larissazech commented 7 years ago

Updated the flow chart by adding the eID "Ausweis" as new entity. Layout suffered a little. FlowChart FlowChart.pdf FlowChart.txt

And the updated OpenID Connect scheme as discussed yesterday: openid_connect_original openid_connect_oursolution OpenID_Connect.txt

I consider these the final versions so far and am going to add them to the wiki.

larissazech commented 7 years ago

Added it to the wiki (see Software Architecture). Closed.