Closed: auvin closed this issue 7 years ago.
First try with OAuth (example) and the results of the discussions last week. Maybe a flow chart would be the better option. Here is the link, if you want to edit it: eID-Infrastructure
These are the results of yesterday's discussion. We decided to switch from an organization chart to a flow chart. We will discuss this version today and publish the final version to the wiki afterwards.
For editing, please download this .txt file and change its extension to .xml manually (can't upload XML here): FlowChart.txt. Then go to draw.io and upload the .xml file.
Considering only the OpenID Connect Process, this is how the communication protocol is specified in the official spec (OpenID Connect Core 1.0):

1. The RP (Client) sends a request to the OpenID Provider (OP).
2. The OP authenticates the End-User and obtains authorization.
3. The OP responds with an ID Token and usually an Access Token.
4. The RP can send a request with the Access Token to the UserInfo Endpoint.
5. The UserInfo Endpoint returns Claims about the End-User.
Based on the above flow chart, this is what I assume our OpenID Connect Process looks like:
We should discuss if this discrepancy is tolerable.
I reviewed the sequence diagram with respect to the following two papers from yesterday: TR-eID-Server and Heise: OpenID Connect: Login mit OAuth, Teil 1 – Grundlagen
After authentication has completed, the authorization server issues an authorization code to the application (as is usual with OAuth). This code is sent to the media service through the user agent via HTTP redirect.
I guess the browser (if the browser is really needed) will only transport the information from OP to RP (KVV). So, (4) Access Token in your picture should point from "Browser" to "KVV", too.
We should present the second sequence diagram, today.
Updated the flow chart by adding the eID "Ausweis" as new entity. Layout suffered a little. FlowChart.pdf FlowChart.txt
And the updated OpenID Connect scheme as discussed yesterday: OpenID_Connect.txt
I consider these the final versions so far and am going to add them to the wiki.
Added it to the wiki (see Software Architecture). Closed.
Create a figure which describes all needed components and the communication between them in the eID authentication process (like the figure on this page: https://www.bsi.bund.de/EN/Topics/ElectrIDDocuments/German-eID/eID-Infrastructure/eID-Infrastructure_node.html). Add the swp component to the figure and adjust the communication. As we currently can't describe the whole process, the figure should be work in progress and adjusted if necessary.