forked from w3c/webappsec-dbsc
IDPSameAsRP-CallsPublicLocalKeyHelper.txt
title IdP same as RP, calls a public Local Key Helper
autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P
participant "AttestationService" as A
note over W, A: Sign in...
W->>B: Start sign in (302) \n\nSec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime
B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, challenge=nonce, extraParams...)
P->>P: Generate Key
P->>A: Get Binding Statement \n (publicKey, AIK, challenge=nonce)
A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
B->>B: Remember this key is for RP (and maybe path)
B->>I: Load sign-in \nSec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
I->>I: validate signature \non the binding statement and nonce, \nstore thumbprint
I->>B: Sign in ceremony
B->>I: Sign done
I->>W: API(Auth tokens with thumbprint, KeyId)
note over W, A: Initiate DBSC ...
W->>B: 200 OK \nSec-Session-Registration: \npath, RPChallenge, token?, KeyId, extraParams
B->>P: Request Sign JWT (uri, challenge, token?, keyId?, **extraParams...**)
P->>B: Return JWT Signature
B->>W: POST /securesession/startsession (JWT, tokens)
W->>W: Validate JWT, \n(w/ match thumbprint in the tokens)
W->>B: AuthCookie
note over W, A: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams...**
B->>P: Request Sign JWT (sessionID, **extraParams...**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT (w/public key on file)
W->>B: AuthCookie