-
Notifications
You must be signed in to change notification settings - Fork 75
Super Gluu AuthN
Yuriy Movchan edited this page Oct 3, 2024
·
6 revisions
title Super Gluu One Step flow with FIDO
actor Person
participant RP
participant Auth Server
participant DB
participant Device Keystore
participant Super Gluu
participant Auth Script
participant Fido2 Server
RP->Auth Server: Request authorization with acr=super_gluu
Auth Script->DB: Check if there are enrollment for app
Auth Script->Auth Script: Generate QR code with {'app': 'client_redirect_uri', 'issuer': 'fido2_issuer', 'state': 'session_id', 'created': 'iso_date_time'}
alt Super Gluu part
Person->Super Gluu: Start App
Super Gluu<->Auth Script: Scan QR cosde
alt attestation flow
Super Gluu->Fido2 Server: Start enrollmet with parameters: application, session_id
Fido2 Server->Super Gluu: Check response status and parse response
Super Gluu->Device Keystore: Generate key
Super Gluu->Fido2 Server: Finish enrollment with parameters: tokenResponse
Fido2 Server->Fido2 Server: Store unfinished (not associated with user) attestation entry with expiration 120 seconds
Fido2 Server-> Super Gluu: Check response status and challenge
else assertion flow
Super Gluu->Fido2 Server: Start assertion with parameters: keyhandle, application, session_id
Fido2 Server->Super Gluu: Check response status and parse response
Super Gluu->Device Keystore: Load private key
Super Gluu->Fido2 Server: Finish assertion with parameters: tokenResponse
Fido2 Server-> Super Gluu: Check response status and challenge
end
Fido2 Server->DB: Update session specified in session_id. Set session parameters: session_custom_state (approved/declined), super_gluu_u2f_device_id, super_gluu_u2f_device_dn, super_gluu_u2f_device_user_inum, super_gluu_u2f_device_enroll, super_gluu_u2f_device_one_step
end
alt Check session data periodically
Auth Script<->DB: Check session session_custom_state state
alt registartion flow
Auth Script<->Auth Script: Validate or register user/pasword
Auth Script<->Auth Server: Associated unfinished attestation entry with user
Auth Script<->Auth Server: Finish registration if session_custom_state is approved and other session parameters are valid
else authentication flow
Auth Script<->Auth Server: Find user by keyhandle and do him authentication
Auth Script<->Auth Server: Finish authentication if session_custom_state is approved and other session parameters are valid
end
Auth Script<->Auth Server: Reset flow step if session timeout
Auth Server->RP:code
end
/start endpoint
* - request:
* username: null
* application: https://yurem-emerging-pig.gluu.info/identity/authcode.htm
* session_id: a5183b05-dbe0-4173-a794-2334bb864708
* enrollment_code: null
* - response:
* {"authenticateRequests":[],"registerRequests":[{"challenge":"GU4usvpYfvQ_RCMSqm819gTZMa0qCeLr1Xg2KbvW2To"
* "appId":"https://yurem-emerging-pig.gluu.info/identity/authcode.htm","version":"U2F_V2"}]}
/finish endpoint
* - request:
* username: null
* tokenResponse: {"registrationData":"BQQTkZFzsbTmuUoS_DS_jqpWRbZHp_J0YV8q4Xb4XTPYbIuvu-TRNubp8U-CKZuB
* 5tDT-l6R3sQvNc6wXjGCmL-OQK-ACAQk_whIvElk4Sfk-YLMY32TKs6jHagng7iv8U78_5K-RTTbNo-k29nb6F4HLpbYcU81xefh
* SNSlrAP3USwwggImMIIBzKADAgECAoGBAPMsD5b5G58AphKuKWl4Yz27sbE_rXFy7nPRqtJ_r4E5DSZbFvfyuos-Db0095ubB0Jo
* yM8ccmSO_eZQ6IekOLPKCR7yC5kes-f7MaxyaphmmD4dEvmuKjF-fRsQP5tQG7zerToto8eIz0XjPaupiZxQXtSHGHHTuPhri2nf
* oZlrMAoGCCqGSM49BAMCMFwxIDAeBgNVBAMTF0dsdXUgb3hQdXNoMiBVMkYgdjEuMC4wMQ0wCwYDVQQKEwRHbHV1MQ8wDQYDVQQH
* EwZBdXN0aW4xCzAJBgNVBAgTAlRYMQswCQYDVQQGEwJVUzAeFw0xNjAzMDExODU5NDZaFw0xOTAzMDExODU5NDZaMFwxIDAeBgNV
* BAMTF0dsdXUgb3hQdXNoMiBVMkYgdjEuMC4wMQ0wCwYDVQQKEwRHbHV1MQ8wDQYDVQQHEwZBdXN0aW4xCzAJBgNVBAgTAlRYMQsw
* CQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABICUKnzCE5PJ7tihiKkYu6E5Uy_sZ-RSqs_MnUJt0tB8G8GSg9nK
* o6P2424iV9lXX9Pil8qw4ofZ-fAXXepbp4MwCgYIKoZIzj0EAwIDSAAwRQIgUWwawAB2udURWQziDXVjSOi_QcuXiRxylqj5thFw
* FhYCIQCGY-CTZFi7JdkhZ05nDpbSYJBTOo1Etckh7k0qcvnO0TBFAiEA1v1jKTwGn5LRRGSab1kNdgEqD6qL08bougoJUNY1A5MC
* IGvtBFSNzhGvhQmdYYj5-XOd5P4ucVk6TmkV1Xu73Dvj","clientData":"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5y
* b2xsbWVudCIsImNoYWxsZW5nZSI6IkdVNHVzdnBZZnZRX1JDTVNxbTgxOWdUWk1hMHFDZUxyMVhnMktidlcyVG8iLCJvcmlnaW4i
* OiJodHRwczpcL1wveXVyZW0tZW1lcmdpbmctcGlnLmdsdXUuaW5mbyJ9","deviceData":"eyJuYW1lIjoiU00tRzk5MUIiLCJv
* c19uYW1lIjoidGlyYW1pc3UiLCJvc192ZXJzaW9uIjoiMTMiLCJwbGF0Zm9ybSI6ImFuZHJvaWQiLCJwdXNoX3Rva2VuIjoicHVz
* aF90b2tlbiIsInR5cGUiOiJub3JtYWwiLCJ1dWlkIjoidXVpZCJ9"}
* - response:
* {"status":"success","challenge":"GU4usvpYfvQ_RCMSqm819gTZMa0qCeLr1Xg2KbvW2To"}
/start endpoint
* - request:
* username: null
* keyhandle: r4AIBCT_CEi8SWThJ-T5gsxjfZMqzqMdqCeDuK_xTvz_kr5FNNs2j6Tb2dvoXgculthxTzXF5-FI1KWsA_dRLA
* application: https://yurem-emerging-pig.gluu.info/identity/authcode.htm
* session_id: 2994e597-3dc9-4d96-ae7e-84cfcf049db6
* - response:
* {"authenticateRequests":[{"challenge":"EELAH05XTUfPHrvpqVYhXB8pEmOMaRWY9mBurdhicBU",
* "appId":"https://yurem-emerging-pig.gluu.info/identity/authcode.htm",
* "keyHandle":"r4AIBCT_CEi8SWThJ-T5gsxjfZMqzqMdqCeDuK_xTvz_kr5FNNs2j6Tb2dvoXgculthxTzXF5-FI1KWsA_dRLA","version":"U2F_V2"}]}
/finish endpoint
* - request:
* username: null
* tokenResponse: {"signatureData":"AQAAAAEwRQIhANrCm98JCTz6cqSZ_vwGHdF9uqe3b4z1nCrNIPCObwc-AiAblGdWyky
* LeaTJPzLtbWHMoN9MsKUlgmbfSRsINJEVeA","clientData":"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY
* 2hhbGxlbmdlIjoiRUVMQUgwNVhUVWZQSHJ2cHFWWWhYQjhwRW1PTWFSV1k5bUJ1cmRoaWNCVSIsIm9yaWdpbiI6Imh0dHBzOlwvX
* C95dXJlbS1lbWVyZ2luZy1waWcuZ2x1dS5pbmZvXC9pZGVudGl0eVwvYXV0aGNvZGUuaHRtIn0","keyHandle":"r4AIBCT_CEi
* 8SWThJ-T5gsxjfZMqzqMdqCeDuK_xTvz_kr5FNNs2j6Tb2dvoXgculthxTzXF5-FI1KWsA_dRLA"}
* - response:
* {"status":"success","challenge":"EELAH05XTUfPHrvpqVYhXB8pEmOMaRWY9mBurdhicBU"}
title Super Gluu Two Step flow with FIDO
actor Person
participant RP
participant DB
participant Auth Server
participant Device Keystore
participant Super Gluu
participant Auth Script
participant Fido2 Server
RP->Auth Server: Request authorization with acr=super_gluu
Auth Server->Auth Script: Validate user/pasword
Auth Script->DB: Check if there are enrollment for app
alt authentication flow if user has enrolled devices
Auth Script->Auth Script: Generate QR code with {'username': 'user_id', 'app': 'client_redirect_uri', 'issuer': 'fido2_issuer', 'method': 'authenticate', 'state': 'session_id', 'created': 'iso_date_time'}
Auth Script->Auth Script: Send push message to all enrolled devices with QR code data
else enrollment flow
Auth Script->Auth Script: Generate QR code with {'username': 'user_id', 'app': 'client_redirect_uri', 'issuer': 'fido2_issuer', 'method': 'enroll', 'state': 'session_id', 'created': 'iso_date_time'}
end
alt Super Gluu part
Person->Super Gluu: Start App
Super Gluu<->Auth Script: Scan QR cosde / Get Push message
alt attestation flow
Super Gluu->Fido2 Server: Start enrollmet with parameters: username, application, session_id, enrollment_code (optional)
Fido2 Server->Super Gluu: Check respnse status and parse response
Super Gluu->Device Keystore: Generate key
Super Gluu->Fido2 Server: Finish enrollment with parameters: username, tokenResponse
Fido2 Server-> Super Gluu: Check response status and challenge
else assertion flow
Super Gluu->Fido2 Server: Start assertion with parameters: username, application, session_id
Fido2 Server->Super Gluu: Check response status and parse response
Super Gluu->Device Keystore: Load private key
Super Gluu->Fido2 Server: Finish assertion with parameters: username, tokenResponse
Fido2 Server-> Super Gluu: Check response status and challenge
end
Fido2 Server->DB: Update session specified in session_id. Set session parameters: session_custom_state (approved/declined), super_gluu_u2f_device_id, super_gluu_u2f_device_dn, super_gluu_u2f_device_user_inum, super_gluu_u2f_device_enroll, super_gluu_u2f_device_one_step
end
alt Check session data periodically
Auth Script<->DB: Check session session_custom_state state
Auth Script<->Auth Server: Finish authentication if session_custom_state is approved and other session parameters are valid
Auth Script<->Auth Server: Reset flow step if session timeout
Auth Server->RP:code
end
/start endpoint
* - request:
* username: test1
* application: https://yurem-emerging-pig.gluu.info/identity/authcode.htm
* session_id: 46c30db8-0339-4459-8ee7-e4960ad75986
* enrollment_code: null
* - response:
* {"authenticateRequests":[],"registerRequests":[{"challenge":"raPfmqZOHlHF4gXbprd29uwX-bs3Ff5v03quxBD4FkM",
* "appId":"https://yurem-emerging-pig.gluu.info/identity/authcode.htm","version":"U2F_V2"}]}
/finish endpoint
* - request:
* username: test1
* tokenResponse: {"registrationData":"BQToXkGAjgXxC4g1NiA-IuRAu40NFBlXXNSu4TEZqGK5TBqwU07ANn4LJ9Hp3aV5
* PIvCDVsQ2tZJf1xD6LosZNDuQGCb1g_Z-NHiLqyJybzylKMaSs65XlDFoLvcN7_zVAbuwYhgHJYJB_2YPPP0-cukYe_Ipk8U4dHY
* 1hWBuI8ToscwggImMIIBzKADAgECAoGBAPMsD5b5G58AphKuKWl4Yz27sbE_rXFy7nPRqtJ_r4E5DSZbFvfyuos-Db0095ubB0Jo
* yM8ccmSO_eZQ6IekOLPKCR7yC5kes-f7MaxyaphmmD4dEvmuKjF-fRsQP5tQG7zerToto8eIz0XjPaupiZxQXtSHGHHTuPhri2nf
* oZlrMAoGCCqGSM49BAMCMFwxIDAeBgNVBAMTF0dsdXUgb3hQdXNoMiBVMkYgdjEuMC4wMQ0wCwYDVQQKEwRHbHV1MQ8wDQYDVQQH
* EwZBdXN0aW4xCzAJBgNVBAgTAlRYMQswCQYDVQQGEwJVUzAeFw0xNjAzMDExODU5NDZaFw0xOTAzMDExODU5NDZaMFwxIDAeBgNV
* BAMTF0dsdXUgb3hQdXNoMiBVMkYgdjEuMC4wMQ0wCwYDVQQKEwRHbHV1MQ8wDQYDVQQHEwZBdXN0aW4xCzAJBgNVBAgTAlRYMQsw
* CQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABICUKnzCE5PJ7tihiKkYu6E5Uy_sZ-RSqs_MnUJt0tB8G8GSg9nK
* o6P2424iV9lXX9Pil8qw4ofZ-fAXXepbp4MwCgYIKoZIzj0EAwIDSAAwRQIgUWwawAB2udURWQziDXVjSOi_QcuXiRxylqj5thFw
* FhYCIQCGY-CTZFi7JdkhZ05nDpbSYJBTOo1Etckh7k0qcvnO0TBFAiArOYmHd22USw7flCmGXLOXVOrhDi-pkX7Qx_c8oz5hJQIh
* AOslo3LfymoFWT6mxUZjBlxKgxioozd0KmzUwobRcKdW","clientData":"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5y
* b2xsbWVudCIsImNoYWxsZW5nZSI6InJhUGZtcVpPSGxIRjRnWGJwcmQyOXV3WC1iczNGZjV2MDNxdXhCRDRGa00iLCJvcmlnaW4i
* OiJodHRwczpcL1wveXVyZW0tZW1lcmdpbmctcGlnLmdsdXUuaW5mbyJ9","deviceData":"eyJuYW1lIjoiU00tRzk5MUIiLCJv
* c19uYW1lIjoidGlyYW1pc3UiLCJvc192ZXJzaW9uIjoiMTMiLCJwbGF0Zm9ybSI6ImFuZHJvaWQiLCJwdXNoX3Rva2VuIjoicHVz
* aF90b2tlbiIsInR5cGUiOiJub3JtYWwiLCJ1dWlkIjoidXVpZCJ9"}
* - response:
* {"status":"success","challenge":"raPfmqZOHlHF4gXbprd29uwX-bs3Ff5v03quxBD4FkM"}
/start endpoint
* - request:
* username: test1
* keyhandle: null
* application: https://yurem-emerging-pig.gluu.info/identity/authcode.htm
* session_id: 850ff665-02b6-435b-baf8-b018b13043c3
* - response:
* {"authenticateRequests":[{"challenge":"5QoRtudmej5trcrMRgFBoI5rZ6pzIZiYP3u3bXCvvAE",
* "appId":"https://yurem-emerging-pig.gluu.info/identity/authcode.htm",
* "keyHandle":"YJvWD9n40eIurInJvPKUoxpKzrleUMWgu9w3v_NUBu7BiGAclgkH_Zg88_T5y6Rh78imTxTh0djWFYG4jxOixw","version":"U2F_V2"
/finish endpoint
* - request:
* username: test1
* tokenResponse: {"signatureData":"AQAAAAEwRgIhAN4auE9-U2YDhi8ByxIIv3G2hvDeFjEGU_x5SvfcIQyUAiEA4I_xMin
* mYAmH5qk5KMaYATFAryIpoVwARGvEFQTWE2Q","clientData":"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwi
* Y2hhbGxlbmdlIjoiNVFvUnR1ZG1lajV0cmNyTVJnRkJvSTVyWjZweklaaVlQM3UzYlhDdnZBRSIsIm9yaWdpbiI6Imh0dHBzOlwv
* XC95dXJlbS1lbWVyZ2luZy1waWcuZ2x1dS5pbmZvXC9pZGVudGl0eVwvYXV0aGNvZGUuaHRtIn0","keyHandle":"YJvWD9n40e
* IurInJvPKUoxpKzrleUMWgu9w3v_NUBu7BiGAclgkH_Zg88_T5y6Rh78imTxTh0djWFYG4jxOixw","deviceData":"eyJuYW1l
* IjoiU00tRzk5MUIiLCJvc19uYW1lIjoidGlyYW1pc3UiLCJvc192ZXJzaW9uIjoiMTMiLCJwbGF0Zm9ybSI6ImFuZHJvaWQiLCJw
* dXNoX3Rva2VuIjoicHVzaF90b2tlbiIsInR5cGUiOiJub3JtYWwiLCJ1dWlkIjoidXVpZCJ9"}
* - response:
* {"status":"success","challenge":"5QoRtudmej5trcrMRgFBoI5rZ6pzIZiYP3u3bXCvvAE"}