From 34aa461eb06497fbd6ec502cae275196baf2f0ae Mon Sep 17 00:00:00 2001
From: gem-cp
Date: Thu, 12 Dec 2024 16:47:17 +0100
Subject: [PATCH] Enhance PlantUML diagram with detailed request parameters and update DPoP token generation; add OpenTelemetry example JSON for tracing
---
 src/examples/tmp/open_telemetry_example.json | 113 ++++++++++++++++++
 ...ive_client_attestation_oidc_and_oauth.puml | 11 +-
 2 files changed, 119 insertions(+), 5 deletions(-)
 create mode 100644 src/examples/tmp/open_telemetry_example.json
diff --git a/src/examples/tmp/open_telemetry_example.json b/src/examples/tmp/open_telemetry_example.json
new file mode 100644
index 0000000..2dc0c82
--- /dev/null
+++ b/src/examples/tmp/open_telemetry_example.json
@@ -0,0 +1,113 @@
+[
+ {
+ "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+ "spanId": "00f067aa0ba902b7",
+ "parentSpanId": null,
+ "name": "HTTP GET /api/users",
+ "kind": "SERVER",
+ "startTimeUnixNano": "1678886400000000000",
+ "endTimeUnixNano": "1678886400150000000",
+ "attributes": {
+ "http.method": "GET",
+ "http.url": "https://api.example.com/api/users",
+ "http.target": "/api/users",
+ "http.host": "api.example.com",
+ "http.scheme": "https",
+ "http.status_code": 200,
+ "http.response_content_length": "1234",
+ "net.peer.ip": "192.168.1.10",
+ "net.peer.port": "443"
+ },
+ "status": {
+ "code": "OK"
+ }
+ },
+ {
+ "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+ "spanId": "74755584d576b4d9",
+ "parentSpanId": "00f067aa0ba902b7",
+ "name": "HTTP GET /api/users/123",
+ "kind": "CLIENT",
+ "startTimeUnixNano": "1678886400050000000",
+ "endTimeUnixNano": "1678886400100000000",
+ "attributes": {
+ "http.method": "GET",
+ "http.url": "https://internal-api/api/users/123",
+ "http.target": "/api/users/123",
+ "http.host": "internal-api",
+ "http.scheme": "https",
+ "http.status_code": 200,
+ "http.response_content_length": "256",
+ "net.peer.ip": "10.0.0.5",
+ "net.peer.port": "8080"
+ },
+ "status": {
+ "code": "OK"
+ }
+ },
+ {
+ "traceId": "8a3c60f7d4dff4d6b2f9f8e7d8d7c8f7",
+ "spanId": "245fa4b9655567cd",
+ "parentSpanId": null,
+ "name": "HTTP POST /api/orders",
+ "kind": "SERVER",
+ "startTimeUnixNano": "1678886401000000000",
+ "endTimeUnixNano": "1678886401500000000",
+ "attributes": {
+ "http.method": "POST",
+ "http.url": "https://api.example.com/api/orders",
+ "http.target": "/api/orders",
+ "http.host": "api.example.com",
+ "http.scheme": "https",
+ "http.status_code": 201,
+ "http.request_content_length": "567",
+ "net.peer.ip": "192.168.1.20",
+ "net.peer.port": "443"
+ },
+ "status": {
+ "code": "OK"
+ }
+ },
+ {
+ "traceId": "8a3c60f7d4dff4d6b2f9f8e7d8d7c8f7",
+ "spanId": "195ee4b965556711",
+ "parentSpanId": "245fa4b9655567cd",
+ "name": "database.query",
+ "kind": "CLIENT",
+ "startTimeUnixNano": "1678886401100000000",
+ "endTimeUnixNano": "1678886401400000000",
+ "attributes": {
+ "db.system": "postgresql",
+ "db.statement": "INSERT INTO orders (user_id, product_id) VALUES ($1, $2)",
+ "net.peer.ip": "10.0.0.10",
+ "net.peer.port": "5432"
+ },
+ "status": {
+ "code": "OK"
+ }
+ },
+ {
+ "traceId": "f4a7b8c9d0e1f23456789abcdef01234",
+ "spanId": "c3d4e5f6a7b89012",
+ "parentSpanId": null,
+ "name": "HTTP GET /api/products/99",
+ "kind": "SERVER",
+ "startTimeUnixNano": "1678886402000000000",
+ "endTimeUnixNano": "1678886402200000000",
+ "attributes": {
+ "http.method": "GET",
+ "http.url": "https://api.example.com/api/products/99",
+ "http.target": "/api/products/99",
+ "http.host": "api.example.com",
+ "http.scheme": "https",
+ "http.status_code": 404,
+ "http.response_content_length": "42",
+ "net.peer.ip": "192.168.1.30",
+ "net.peer.port": "443"
+ },
+ "status": {
+ "code": "ERROR",
+ "message": "Not Found"
+ }
+ }
+ ]
\ No newline at end of file
diff --git a/src/plantuml/tmp/native_client_attestation_oidc_and_oauth.puml b/src/plantuml/tmp/native_client_attestation_oidc_and_oauth.puml
index 83125da..4677e10 100644
--- a/src/plantuml/tmp/native_client_attestation_oidc_and_oauth.puml
+++ b/src/plantuml/tmp/native_client_attestation_oidc_and_oauth.puml
@@ -103,7 +103,7 @@ deactivate ASA
 Client -> Client: Generate PKCE\nCode Verifier
 Client -> Client: Generate PKCE\nCode Challenge
 Client -> Client: Generate DPoP Key Pair
-Client -> ASA: PAR Request
+Client -> ASA: PAR Request\n(client_id, redirect_uri, scope, etc., dpop_jkt)
 activate ASA
 note right: Authorization Code Request\n(inkl. DPoP Proof, code_challenge, code_challenge_method, redirect_uri)
 ASA -> ASA: Validate DPoP Proof
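Review bot: The attribute types are inconsistent inside every span: `http.status_code` is a JSON number, while `net.peer.port`, `http.response_content_length` and `http.request_content_length` are quoted strings, although the OpenTelemetry semantic conventions define all four as integers, so a consumer that keys on the attribute type will treat `"net.peer.port": "443"` differently from `443`. Writing those three attributes as bare integers (`"net.peer.port": 443`, `"http.response_content_length": 1234`) keeps the file consistent with `http.status_code`; `startTimeUnixNano`/`endTimeUnixNano` staying strings is correct, since 64-bit nanosecond timestamps exceed the range a double-based parser preserves. The file also ends without a trailing newline (`\ No newline at end of file`). On the positive side, `db.statement` carries the parameterised text with `$1, $2` placeholders and no bound values — keep examples that way, because span attributes are routinely shipped to third-party backends and bound parameters can contain personal or secret data.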
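Review bot: The new PAR label lists `dpop_jkt` while the note below it says the same request carries a DPoP proof; under RFC 9449 §10.1 `dpop_jkt` is the mechanism for binding the authorization code to the client's key when no DPoP proof accompanies the PAR request, and when both are sent the authorization server must check that the thumbprint in `dpop_jkt` matches the proof's key, so the diagram should show one of the two or add that the ASA checks they agree. The step that produces the proof is also absent here: the client generates the DPoP key pair and immediately sends PAR, whereas the token-request hunk of this commit adds an explicit `Generate\nDPoP Proof JWT` step before the request; a matching `Client -> Client: Generate\nDPoP Proof JWT` line before `Client -> ASA: PAR Request...` would make the two flows consistent. `etc.` in a sequence label hides the parameters the note actually enumerates; `Client -> ASA: PAR Request\n(client_id, redirect_uri, scope, code_challenge, code_challenge_method, dpop_jkt)` is more useful to the reader. Whichever binding is shown, the token-endpoint part of the diagram should also show the ASA verifying that the key in the token-request DPoP proof is the one bound to the authorization code; that hunk runs past the end of this excerpt, so I could not confirm whether it does.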
@@ -133,22 +133,23 @@ deactivate IDP
 UserAgent -> Client: Redirect with Authorization Code
 deactivate UserAgent
+Client -> Client: Generate\nDPoP Proof JWT
 Client -> ASA: Token Request (Authorization Code Grant)
 note right: Enthält Authorization Code, DPoP Proof,\nclient_id, redirect_uri, code_verifier
-ASA -> ASA: Validate Client\nAssertion (JWT)
+ASA -> ASA: Validate\nAuthorization Code
 ASA -> ASA: Validate DPoP Proof
 ASA -> ASA: Validate PKCE\nCode Verifier
-ASA -> PEA: Request Token\nIssuance Decision
+ASA -> PEA: Request Token Issuance Decision
 activate PEA
 note right: AS A sends input data to Policy Engine A\nfor token request
 PEA -> PEA: Evaluate Policy based\non Input Data
-PEA --> ASA: Token Issuance\nDecision (Permit/Deny)
+PEA --> ASA: Token Issuance Decision (Permit/Deny)
 deactivate PEA
 ASA --> Client: Access Token, Refresh Token
 note left: Access Token bound to\nclient's DPoP public key
 deactivate ASA
-Client -> Client: Generate DPoP Key Pair
+Client -> Client: Generate DPoP Token
 Client -> PEP_A: Access Protected Resource\n(with Access Token and DPoP Proof)
 activate PEP_A
 PEP_A -> PEP_A: Validate Access Token\nand DPoP Proof