From c1ba3a129087dcdae35d4235f283e0899e1a929f Mon Sep 17 00:00:00 2001 From: gem-cp Date: Tue, 3 Dec 2024 14:00:06 +0100 Subject: [PATCH] Architekturbild, BDE in TETA --- src/drawio/Zero-Trust_Architektur.drawio | 809 +++++++++--------- src/openapi/as_par_endpoint.yaml | 42 +- .../tmp/oidc_flow_with_PAR_high_level.puml | 42 + 3 files changed, 478 insertions(+), 415 deletions(-) create mode 100644 src/plantuml/tmp/oidc_flow_with_PAR_high_level.puml
diff --git a/src/drawio/Zero-Trust_Architektur.drawio b/src/drawio/Zero-Trust_Architektur.drawio
index a2d7734..94ddd43 100644
--- a/src/drawio/Zero-Trust_Architektur.drawio
+++ b/src/drawio/Zero-Trust_Architektur.drawio
@@ -1,401 +1,408 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/openapi/as_par_endpoint.yaml b/src/openapi/as_par_endpoint.yaml index f73cddd..d73ee63 100644 --- a/src/openapi/as_par_endpoint.yaml +++ b/src/openapi/as_par_endpoint.yaml 
@@ -1,14 +1,14 @@ openapi: 3.0.0 info: - title: OAuth 2.0 Pushed Authorization Request Endpoint (RFC 8628 Section 3) + title: OAuth 2.0 Pushed Authorization Requests (PAR) Endpoint (RFC 9126) version: 1.0.0 servers: - url: https://as.example.com paths: /par: post: - summary: Push authorization request payload - description: Enables clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint. + summary: Submit an authorization request to the PAR endpoint + description: This endpoint allows clients to push the payload of an OAuth 2.0 authorization request directly to the authorization server. requestBody: content: application/x-www-form-urlencoded: 
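Review bot: The new `description` for POST /par no longer tells the reader what the client gets back — the removed text explained that the server returns a request URI to be used at the authorization endpoint, the new text only describes the push. Suggest `description: Lets a client push the payload of an OAuth 2.0 authorization request directly to the authorization server; the server returns a request_uri that the client then passes to the authorization endpoint in place of the pushed parameters.` The 201 response schema later in the file documents request_uri, but the operation description is the first thing a reader sees.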
@@ -17,29 +17,35 @@ paths: properties: response_type: type: string - description: The requested response type. Must be set to "code" for requesting an authorization code. - enum: [code] + description: REQUIRED. OAuth 2.0 Response Type value. client_id: type: string - description: The client identifier issued to the client during the registration process. + description: REQUIRED. The client identifier as described in Section 2.2 of RFC 6749. redirect_uri: type: string - description: The URI to which the authorization server redirects the user-agent after authorization. - format: uri + description: OPTIONAL. As described in Section 3.1.2 of RFC 6749. scope: type: string - description: The scope of the access request. + description: OPTIONAL. The scope of the access request as described by Section 3.3 of RFC 6749. state: type: string - description: An opaque value used by the client to maintain state between the request and callback. - # ... all other applicable authorization request parameters and client authentication parameters + description: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. + code_challenge: + type: string + description: OPTIONAL. PKCE code challenge as described in RFC 7636. + code_challenge_method: + type: string + description: OPTIONAL. PKCE code challenge method as described in RFC 7636. + request: + type: string + description: OPTIONAL. JWT-encoded request object as defined in RFC 9101. required: - response_type - client_id - - redirect_uri + responses: 201: - description: Successful response with request URI. + description: The authorization request has been successfully processed. content: application/json: schema: 
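Review bot: Client authentication at the PAR endpoint is now documented nowhere: the removed comment about "client authentication parameters" is gone, the request body lists only authorization-request parameters, and the operation declares no `security:` requirement, although RFC 9126 requires the authorization server to authenticate the client at the PAR endpoint the same way it would at the token endpoint, and the 401 added further down refers to exactly that. Suggest adding a `security:` entry (with a matching `securitySchemes` definition, or the `client_secret`/`client_assertion` form parameters) for whichever client authentication method this authorization server actually uses, marked as a placeholder if that is still undecided. The new oidc_flow_with_PAR_high_level.puml in the same commit shows the same gap, since its PAR request carries only the Client-ID while the later token request carries the Client Secret. It would also help to state in the schema that a `request_uri` form parameter is rejected with `invalid_request` per RFC 9126 Section 2.1, because the newly added `request` parameter makes the two easy to confuse.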
@@ -47,7 +53,7 @@ paths: properties: request_uri: type: string - description: The request URI corresponding to the posted authorization request. + description: The request URI that can be used to reference the pushed authorization request at the authorization endpoint. expires_in: type: integer description: The lifetime in seconds of the request URI. @@ -67,3 +73,11 @@ paths: error_uri: type: string description: A URI pointing to a web page with more information about the error. + 401: + description: Unauthorized. Client authentication failed. + 405: + description: Method Not Allowed. The method is not POST. + 413: + description: Payload Too Large. The request size exceeds the allowed limit. + 429: + description: Too Many Requests. The client has exceeded the allowed request rate. \ No newline at end of file diff --git a/src/plantuml/tmp/oidc_flow_with_PAR_high_level.puml b/src/plantuml/tmp/oidc_flow_with_PAR_high_level.puml new file mode 100644 index 0000000..1f74d96 --- /dev/null +++ b/src/plantuml/tmp/oidc_flow_with_PAR_high_level.puml 
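Review bot: The added 401/405/413/429 responses carry only a `description` and no `content:`, whereas RFC 9126 Section 2.3 says PAR error responses use the token-endpoint error format of RFC 6749 Section 5.2 — the same `error`/`error_description`/`error_uri` schema this file already defines on the 400 response just above the hunk. Suggest reusing that schema at least for 401 (documenting `error: invalid_client`) so clients see one error shape; if 405/413/429 are genuinely sent without a body, say so explicitly rather than leaving it implicit. The `429` entry is the last line of the file and the hunk ends with `\ No newline at end of file`; adding the trailing newline keeps the next diff clean.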
@@ -0,0 +1,42 @@
+@startuml
+participant cl as "Client"
+participant AuthS as "Authorization Server"
+participant IDP
+participant ua as "User Agent"
+participant rs as "Resource Server"
+
+cl -> AuthS: PAR-Anfrage (POST) mit \nClient-ID, Antworttyp, \nWeiterleitungs-URI, Scope, \nStatus, Code Challenge, \nCode Challenge Method
+activate AuthS
+AuthS -> cl: Request URI (JSON)
+deactivate AuthS
+
+cl -> ua: Weiterleitung mit Request URI
+activate ua
+ua -> AuthS: Autorisierungsanfrage (GET) \nmit Client-ID und Request URI
+activate AuthS
+AuthS -> ua: Weiterleitung zum IDP (302)
+deactivate AuthS
+ua -> IDP: Authentifizierungsanfrage
+activate IDP
+ua <-> IDP: Benutzerauthentifizierung
+IDP -> ua: Weiterleitung zum Authorization Server \nmit Authentifizierungsinformationen
+deactivate IDP
+ua -> AuthS: Authentifizierungsinformationen
+activate AuthS
+AuthS -> ua: Zugriff erlauben/verweigern
+ua <-> AuthS: Zugriff erlauben/verweigern
+AuthS -> ua: Weiterleitung mit Code (302)
+deactivate AuthS
+ua -> cl: Weiterleitung mit Code (302)
+deactivate ua
+
+cl -> AuthS: Token-Anfrage (POST) mit \nCode, Code Verifier, \nClient-ID, Client Secret, \nWeiterleitungs-URI
+activate AuthS
+AuthS -> cl: ID Token, Access Token (JSON)
+deactivate AuthS
+
+cl -> rs: Zugriffsanfrage mit Access Token
+activate rs
+rs -> cl: Ressourcenzugriff
+deactivate rs
+@enduml
\ No newline at end of file