forked from w3c/webappsec-dbsc
IDPCallsPublicLocalKeyHelper.txt
title IdP calls a public Local Key Helper
autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P
participant "AttestationService" as A
note over W, A: Sign in...
W->>B: Start sign in (302)
B->>I: Load sign-in (follow the 302)
I->>B: Sec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime
B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, \nchallenge=nonce, extraParams...)
P->>P: Generate Key
P->>A: Get Binding Statement \n(publicKey, AIK, challenge=nonce)
A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
B->>B: Remember this key is for RP (and maybe path)
B->>I: Sec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
I->>I: validate signature on the binding statement \n& nonce, store thumbprint
I->>B: Sign in ceremony
B->>I: Sign done
I->>B: Auth tokens (with thumbprint), \nKeyId
B->>W: Auth tokens (with thumbprint), \nKeyId
note over W, A: Initiate DBSC ...
W->>B: StartSession \n(challenge=nonce, token?, KeyId?, **extraParams...**)
B->>P: Request Sign JWT \n(uri, challenge=nonce,\n token?, keyId?, **extraParams...**)
P->>B: Return JWT Signature
B->>W: POST /securesession/startsession (JWT, tokens)
W->>W: Validate JWT, \n(w/ match thumbprint \nin the tokens)
W->>B: AuthCookie
note over W, A: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams...**
B->>P: Request Sign JWT (sessionID, **extraParams...**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT \n(w/public key on file)
W->>B: AuthCookie