forked from w3c/webappsec-dbsc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathIDPCallsPrivateLocalKeyHelper.txt
92 lines (64 loc) · 4.21 KB
/
IDPCallsPrivateLocalKeyHelper.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
title IdP calls a private Local Key Helper
autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P
note over W, P: IdP life...
B->>I: Any request
I->>B: Any response\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
B->>B: Cache HelperId for IDPURL for HelperCacheTime
note over W, P: Sign in...
W->>B: Start sign in (302)\nSec-Session-Registration: path, RPChallenge,... \nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
B->>B: Check for cached HelperId for IDPURL
alt Cached HelperId present (99.99% cases)
B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1, HelperId2...])
B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)
P->>P: Generate Key
loop For each device
P->>P: create binding statement S(publicKey, AIK)
end
P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
B->>B: Remember this key is for RP (and maybe path)
B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
opt nonce is stale
I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\nx-ms-RefreshTokenCredential2{new_nonce}\nx-ms-DeviceCredential2{new_nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
end
else No cached HelperId present
B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ... \n\nSec-Session-HelperDiscoveryNeeded: RPURL, IDPURL, extraParams
note over I, B: No binding info present, but the reequest has GenerratKey, so IdP issues helper id list
I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\n\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
B->>B: Cache HelperId for IDPURL for HelperCacheTime
B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1])
B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)
P->>P: Generate Key
loop For each device
P->>P: create binding statement S(publicKey, AIK)
end
P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
B->>B: Remember this key is for RP (and maybe path)
B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\n x-ms-RefreshTokenCredential2{new_nonce}\n x-ms-DeviceCredential2{new_nonce} ... \n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
end
opt SSO information is not sufficient
I->>B: Sign in ceremony
B->>I: Sign done
end
I->>B: Authorization code, KeyId
note over W, B: Since DBSC session has been initialized already for RP, browser needs to generate JWT on redirect back
B->>P: Request Sign JWT (path, RPChallenge, extraParams)
P->>B: Return JWT Signature
note over W, B: JWT is appended by the browser before returning the response from IDP back to the RP
B->>W: Authorization code, KeyId, JWT
W->>I: (confidential client request) redeem authorization code
I->>W: (confidential client response) return id_token
W->>W: parse id_token and validate binding, match with the JWT from the previous
W->>B: Bound AuthCookie
note over W, P: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams**
B->>P: Request Sign JWT (sessionID, RPChallenge, **extraParams**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT (w/public key on file)
W->>B: AuthCookie