Create TI-Messenger_OIDC_login.puml

gematik · Nov 13, 2023 · f89a233 · f89a233
1 parent 963e612
commit f89a233
Showing 1 changed file with 139 additions and 0 deletions.
diff --git a/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml b/src/plantuml/TI-Messenger-Dienst/Ressourcen/TI-Messenger_OIDC_login.puml
@@ -0,0 +1,139 @@
+@startuml "TI-Messenger_OIDC_Login"
+skinparam sequenceMessageAlign direction
+skinparam WrapWidth 300
+skinparam minClassWidth 150
+skinparam BoxPadding 1
+skinparam ParticipantPadding 50
+skinparam sequenceReferenceHeaderBackgroundColor palegreen
+scale max 2048 width
+
+skinparam sequence {
+ArrowColor black
+ArrowFontSize 17
+ActorBorderColor black
+LifeLineBorderColor black
+LifeLineBackgroundColor Gainsboro
+
+ParticipantBorderColor Motivation
+ParticipantBackgroundColor Motivation
+ParticipantFontSize 20
+ParticipantFontColor black
+ParticipantBorderColor Black
+ParticipantBackgroundColor MOTIVATION
+
+ActorBackgroundColor Gainsboro
+ActorFontColor black
+ActorFontSize 20
+}
+
+autonumber "<b>(0)"
+
+actor us as "Versicherter"
+  box <size:19>Endgerät</size> #WhiteSmoke
+  participant app as "Matrix-Web-App\n(Browser)"
+  participant au as "Authenticator\ndes sektoralen IDP"
+  end box
+participant pr as "TI-M Proxy"
+participant hs as "Matrix\nHomeserver\n(Relying party für IDP)"
+participant mc as "Webserver der die\nMatrix-Web-App ausliefert\n(Relying party für Homeserver)"
+participant idp as "Sektoraler IDP"
+
+|||
+
+us -> app: starte App 
+
+activate app
+  app -> mc: Lade Matrix-Web-Client
+  activate mc
+  mc --> app: Webanwendung
+  group #LightGray <size:16>Matrix Protocol ... (Guest Account, Key exchange etc)</size>
+    app -> hs:""GET https://homeserver-tim.de/.well-known/matrix/client""
+    activate hs
+    hs --> app: 200 OK ...
+    |||
+    hnote over app : ...
+    |||
+    app -> hs: GET https://matrix-client.homeserver-tim.de/_matrix/client/v3/sync?filter={}&timeout=0&...
+    hs --> app: 200 OK ""{...}""
+    |||
+  end 'group
+  group <size:16>OIDC Login</size>
+    app -> hs: GET https://matrix-client.homeserver-tim.de/_matrix/client/v3/login
+    hs --> app: 200 OK ""{"flows":[{"type":"m.login.sso","identity_providers":[""\n\
+    ""{"id":"oidc-sektoraler-idp","name":"Sektoraler-IDP","icon":"mxc://homeserver-tim.de/nsyeLIgzxazZmJadflMAsAWG","brand":"sektoraler-idp"},""\n\
+    ""{"type":"m.login.token"},{"type":"m.login.password"},{"type":"m.login.application_service"}]}""
+    |||
+    opt #LightYellow Registration
+    app -> hs: POST https://matrix-client.homeserver-tim.de/_matrix/client/v3/register\n\
+    ""{"initial_device_display_name":"Matrix-Web-App: Firefox auf Windows"}""
+    hs --> app: 401 Unauthorized ""{"session":"iTUHUlcVwyEGhPSwjaharBoI","flows":[""\n\
+    ""{"stages":["m.login.recaptcha","m.login.terms","m.login.email.identity"]}],""\n\
+    """params":{"m.login.recaptcha":{"public_key":"6LcgI54UAAAAABGdGmruw6DdOocFpYVdjYBRe4zb"},""\n\
+    """m.login.terms":{"policies":{"privacy_policy":{"version":"1.0","en":{"name":"Terms and Conditions",""\n\
+    """url":"https://matrix-client.homeserver-tim.de/_matrix/consent?v=1.0"}}}}}}""
+    |||
+    end 'opt
+    app -> hs: GET https://matrix-client.homeserver-tim.de/_matrix/client/v3/login/sso/redirect/oidc-sektoraler-idp
+    hs --> pr: 302 Redirect ""location:	https://sektoraler-idp.de/dialog/oauth?response_type=code&""\n\
+    ""client_id=270006787810904&redirect_uri=https%3A%2F%2Fmatrix-client.homeserver-tim.de%2F_synapse%2Fclient%2Foidc%2Fcallback&""\n\
+    ""scope=openid+email&state=ub8idYKc01s8LluOssFIuN3QQzZEoB&nonce=kL3jhzhuSdACVZjkN0B17FebXgqHoi""\n\
+    ""set-cookie: oidc_session=...; Max-Age=3600; Path=_synapse/client/oidc; HttpOnly; Secure; SameSite=None""\n\
+    ""set-cookie: oidc_session_no_samesite=...; Max-Age=3600; Path=/_synapse/client/oidc; HttpOnly""\n\
+    ""synapse-trace-id:	747f9ec899abf541""
+    activate pr
+    note over pr: "Changed response because IDP needs OIDC PAR"
+    pr --> app: 200 OK JSON ""{"location":"https://sektoraler-idp.de/dialog/oauth","parameter":{"response_type":"code","cient_id":"270006787810904",""\n\
+    """redirect_uri":"https://matrix-client.homeserver-tim.de/_synapse/client/oidc/callback&""\n\
+    ""scope=openid+email&state=ub8idYKc01s8LluOssFIuN3QQzZEoB&nonce=kL3jhzhuSdACVZjkN0B17FebXgqHoi",""\n\
+    """set-cookie":{"oidc_session":"...; Max-Age=3600; Path=_synapse/client/oidc; HttpOnly; Secure; SameSite=None",""\n\
+    """oidc_session_no_samesite":"...; Max-Age=3600; Path=/_synapse/client/oidc; HttpOnly"},"synapse-trace-id":"747f9ec899abf541"}}""
+    deactivate pr
+    |||
+    group #LightBlue <size:16>IDP authentication</size>
+      app -> idp: [wird geändert in PAR] GET	https://sektoraler-idp.de/login/oauth/authorize?response_type=code&client_id=f318c77b32dea5117eb3&\n\
+      redirect_uri=https://matrix-client.homeserver-tim.de/_synapse/client/oidc/callback&\n\
+      scope=read:user&state=2Mp3IrxFVlRIRzZrwZjOTyQ60OSF31&nonce=tTheFW69KwzKxYrCnoBPoxrevBuMjb
+      activate idp
+      idp --> app: [wird geändert in PAR response] 302 Redirect ""location: https://sektoraler-idp.de/login?client_id=f318c77b32dea5117eb3&return_to=%2Flogin%2Foauth%2Fauthorize%3F""\n\
+	    ""client_id%3Df318c77b32dea5117eb3%26nonce%3DtTheFW69KwzKxYrCnoBPoxrevBuMjb%26redirect_uri%3Dhttps%253A%252F%252Fmatrix-client.homeserver-tim.de%252F""\n\
+	    ""_synapse%252Fclient%252Foidc%252Fcallback%26response_type%3Dcode%26scope%3Dread%253Auser%26state%3D2Mp3IrxFVlRIRzZrwZjOTyQ60OSF31""\n\
+      ""set-cookie:	_gh_sess=...; path=/; secure; HttpOnly; SameSite=Lax""\n\
+      ""x-github-request-id: 5D12:2A7A:51BB0D3:52DA7BE:6540C256""
+      |||
+      app -> idp: GET https://sektoraler-idp.de/login/oauth/authorize\n\
+      ""Cookie: _gh_sess=...; dotcom_user=username""
+      group #DarkGray <size:16>Black box with example</size>
+        idp --> app: Challenge
+        activate au
+        app -> us: Consent Page
+        us --> app: Approval
+        app --> idp: Response
+      deactivate au
+      |||
+      end ' group
+      |||
+      idp --> app: 200 OK HTML ""... <meta http-equiv="refresh" content="0;url=https://matrix-client.homeserver-tim.de/_synapse/client/oidc/callback?code=ac45be5243787b8845f6&amp;""\n\
+      ""state=2Mp3IrxFVlRIRzZrwZjOTyQ60OSF31\" data-url=\"https://matrix-client.homeserver-tim.de/_synapse/client/oidc/callback?code=ac45be5243787b8845f6&amp;""\n\
+      ""state=2Mp3IrxFVlRIRzZrwZjOTyQ60OSF31\"""
+      deactivate idp
+    end 'group
+    app -> hs: GET https://matrix-client.homeserver-tim.de/_synapse/client/oidc/callback?code=ac45be5243787b8845f6&state=2Mp3IrxFVlRIRzZrwZjOTyQ60OSF31
+    hs --> app: 200 OK HTML Consent Page, Zugriff Matrix-Web-App auf Matrix Account\n\
+    ""<a href="https://Matrix-Web-App/?loginToken=syl_RatSwLyrYlyDtjBrRpXH_1Yh7Or" class="primary-button">Continue</a>""
+    |||
+    app -> mc: GET https://Matrix-Web-App/?loginToken=syl_RatSwLyrYlyDtjBrRpXH_1Yh7Or
+    mc --> app: 200 OK HTML ""...""
+    |||
+    app -> hs: POST https://matrix-client.homeserver-tim.de/_matrix/client/v3/login\n\
+    ""{"token":"syl_RatSwLyrYlyDtjBrRpXH_1Yh7Or",""\n\
+    """initial_device_display_name":"Matrix-Web-App: Firefox on macOS",""\n\
+    """type":"m.login.token"}""
+    hs --> app: 200 OK\n\
+    ""{"user_id":"@username:homeserver-tim.de",""\n\
+    """access_token":"syt_amVuc19naXRodWI_TmVpdQKDakCBEtvgRBGf_33sesF",""\n\
+    """home_server":"homeserver-tim.de",""\n\
+    """device_id":"UGPCVMQKCG",""\n\
+    """well_known":{"m.homeserver":{"base_url":"https://matrix-client.homeserver-tim.de/"}}}""
+
+  end 'group
+@enduml