Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| title Device registration | ||
|
|
||
| autonumber 1 | ||
| participant "Device registration client" as D | ||
| participant "Attestation service" as A | ||
|
|
||
| note over D, A: Provisioning ... | ||
| D->>A: Register device (DeviceKey, AIK for KG, AIK for TPM, AIK for Software) | ||
| A->>D: 200 OK | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| title IdP calls a private Local Key Helper | ||
|
|
||
| autonumber 1 | ||
| participant "Relying Party" as W | ||
| participant "IdP" as I | ||
| participant "Browser" as B | ||
| participant "Local Key Helper" as P | ||
|
|
||
| note over W, P: IdP life... | ||
| B->>I: Any request | ||
| I->>B: Any response\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime | ||
| B->>B: Cache HelperId for IDPURL for HelperCacheTime | ||
|
|
||
| note over W, P: Sign in... | ||
| W->>B: Start sign in (302)\nSec-Session-Registration: path, RPChallenge,... \nSec-Session-GenerateKey: RPURL, IDPURL, extraParams | ||
| B->>B: Check for cached HelperId for IDPURL | ||
|
|
||
| alt Cached HelperId present (99.99% cases) | ||
|
|
||
| B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1, HelperId2...]) | ||
|
|
||
| B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...) | ||
|
|
||
| P->>P: Generate Key | ||
|
|
||
| loop For each device | ||
| P->>P: create binding statement S(publicKey, AIK) | ||
| end | ||
|
|
||
| P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}] | ||
| B->>B: Remember this key is for RP (and maybe path) | ||
|
|
||
| B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}] | ||
|
|
||
| opt nonce is stale | ||
| I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams | ||
| B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\nx-ms-RefreshTokenCredential2{new_nonce}\nx-ms-DeviceCredential2{new_nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}] | ||
| end | ||
|
|
||
| else No cached HelperId present | ||
|
|
||
|
|
||
| B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ... \n\nSec-Session-HelperDiscoveryNeeded: RPURL, IDPURL, extraParams | ||
|
|
||
| note over I, B: No binding info present, but the reequest has GenerratKey, so IdP issues helper id list | ||
|
|
||
| I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\n\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime | ||
| B->>B: Cache HelperId for IDPURL for HelperCacheTime | ||
|
|
||
| B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1]) | ||
| B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...) | ||
|
|
||
| P->>P: Generate Key | ||
|
|
||
| loop For each device | ||
| P->>P: create binding statement S(publicKey, AIK) | ||
| end | ||
|
|
||
| P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}] | ||
| B->>B: Remember this key is for RP (and maybe path) | ||
|
|
||
| B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\n x-ms-RefreshTokenCredential2{new_nonce}\n x-ms-DeviceCredential2{new_nonce} ... \n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}] | ||
|
|
||
|
|
||
| end | ||
|
|
||
| opt SSO information is not sufficient | ||
| I->>B: Sign in ceremony | ||
| B->>I: Sign done | ||
| end | ||
|
|
||
| I->>B: Authorization code, KeyId | ||
|
|
||
|
|
||
| note over W, B: Since DBSC session has been initialized already for RP, browser needs to generate JWT on redirect back | ||
| B->>P: Request Sign JWT (path, RPChallenge, extraParams) | ||
| P->>B: Return JWT Signature | ||
| note over W, B: JWT is appended by the browser before returning the response from IDP back to the RP | ||
| B->>W: Authorization code, KeyId, JWT | ||
| W->>I: (confidential client request) redeem authorization code | ||
| I->>W: (confidential client response) return id_token | ||
| W->>W: parse id_token and validate binding, match with the JWT from the previous | ||
| W->>B: Bound AuthCookie | ||
|
|
||
| note over W, P: Refresh DBSC... | ||
| B->>W: GET /securesession/refresh (sessionID) | ||
| W->>B: Challenge, **extraParams** | ||
| B->>P: Request Sign JWT (sessionID, RPChallenge, **extraParams**) | ||
| P->>B: Return JWT Signature | ||
| B->>W: GET /securesession/refresh (JWT) | ||
| W->>W: Validate JWT (w/public key on file) | ||
| W->>B: AuthCookie |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| title IdP calls a public Local Key Helper | ||
|
|
||
| autonumber 1 | ||
| participant "Relying Party" as W | ||
| participant "IdP" as I | ||
| participant "Browser" as B | ||
| participant "Local Key Helper" as P | ||
| participant "AttestationService" as A | ||
|
|
||
| note over W, A: Sign in... | ||
| W->>B: Start sign in (302) | ||
| B->>I: Load sign-in (follow the 302) | ||
|
|
||
| I->>B: Sec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime | ||
| B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...]) | ||
| B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, \nchallenge=nonce, extraParams...) | ||
|
|
||
| P->>P: Generate Key | ||
|
|
||
| P->>A: Get Binding Statement \n(publicKey, AIK, challenge=nonce) | ||
| A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. |
||
| P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
| B->>B: Remember this key is for RP (and maybe path) | ||
| B->>I: Sec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
| I->>I: validate signature on the binding statement \n& nonce, store thumbprint | ||
|
|
||
| I->>B: Sign in ceremony | ||
| B->>I: Sign done | ||
|
|
||
| I->>B: Auth tokens (with thumbprint), \nKeyId | ||
| B->>W: Auth tokens (with thumbprint), \nKeyId | ||
|
|
||
| note over W, A: Initiate DBSC ... | ||
| W->>B: StartSession \n(challenge=nonce, token?, KeyId?, **extraParams...**) | ||
| B->>P: Request Sign JWT \n(uri, challenge=nonce,\n token?, keyId?, **extraParams...**) | ||
| P->>B: Return JWT Signature | ||
| B->>W: POST /securesession/startsession (JWT, tokens) | ||
| W->>W: Validate JWT, \n(w/ match thumbprint \nin the tokens) | ||
| W->>B: AuthCookie | ||
|
|
||
| note over W, A: Refresh DBSC... | ||
| B->>W: GET /securesession/refresh (sessionID) | ||
| W->>B: Challenge, **extraParams...** | ||
| B->>P: Request Sign JWT (sessionID, **extraParams...**) | ||
| P->>B: Return JWT Signature | ||
| B->>W: GET /securesession/refresh (JWT) | ||
| W->>W: Validate JWT \n(w/public key on file) | ||
| W->>B: AuthCookie | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| title IdP same as RP, calls a public Local Key Helper | ||
|
|
||
| autonumber 1 | ||
| participant "Relying Party" as W | ||
| participant "IdP" as I | ||
| participant "Browser" as B | ||
| participant "Local Key Helper" as P | ||
| participant "AttestationService" as A | ||
|
|
||
| note over W, A: Sign in... | ||
| W->>B: Start sign in (302) \n\nSec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime | ||
|
|
||
| B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...]) | ||
| B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, challenge=nonce, extratParams...) | ||
|
|
||
| P->>P: Generate Key | ||
|
|
||
| P->>A: Get Binding Statement \n (publicKey, AIK, challenge=nonce) | ||
| A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
| P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
| B->>B: Remember this key is for RP (and maybe path) | ||
| B->>I: Load sign-in \nSec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... } | ||
| I->>I: validate signature \non the binding statement and nonce, \nstore thumbprint | ||
|
|
||
| I->>B: Sign in ceremony | ||
| B->>I: Sign done | ||
|
|
||
| I->>W: API(Auth tokens with thumbprint, KeyId) | ||
|
|
||
| note over W, A: Initiate DBSC ... | ||
| W->>B: 200 OK \nSec-Session-Registration: \npath, RPChallenge, token?, KeyId, extraParams | ||
| B->>P: Request Sign JWT (uri, challenge, token?, keyId?, **extraParams...**) | ||
| P->>B: Return JWT Signature | ||
| B->>W: POST /securesession/startsession (JWT, tokens) | ||
| W->>W: Validate JWT, \n(w/ match thumbprint in the tokens) | ||
| W->>B: AuthCookie | ||
|
|
||
| note over W, A: Refresh DBSC... | ||
| B->>W: GET /securesession/refresh (sessionID) | ||
| W->>B: Challenge, **extraParams...** | ||
| B->>P: Request Sign JWT (sessionID, **extraParams...**) | ||
| P->>B: Return JWT Signature | ||
| B->>W: GET /securesession/refresh (JWT) | ||
| W->>W: Validate JWT (w/public key on file) | ||
| W->>B: AuthCookie |
Oops, something went wrong.
I'm not familiar with this terminology. Is a "thumbprint" just a synonym for a key "fingerprint", or does it mean something else?