Thoughts? Worth putting in the spec somewhere, or maybe the UIG? Or is the critical insight that both of them can start with either 401/new ticket or 403/rotated ticket, which could/should be factored out into a separate diagram?
Token endpoint/claims push, showing the two options for responses that may cause the client to push claims:
                              authorization                   resource
  client                         server                        server
     |                              |                             |
     |  401 response with new permission ticket,                   |
     |  authz server location                                      |
     |<-----------------------------------------------------------|
     |                              |                             |
     |              OR              |                             |
     |                              |                             |
     |  403 response with rotated   |                             |
     |  permission ticket (e.g.     |                             |
     |  with need_info error,       |                             |
     |  required_claims hint)       |                             |
     |<-----------------------------|                             |
     |                              |                             |
     |  RPT request with            |                             |
     |  permission ticket (e.g.     |                             |
     |  with claim token)           |                             |
     |----------------------------->|                             |
Claims redirect, showing the two options for responses that may cause the client to start interactive claims gathering:
requesting                                 authorization             resource
   party       client                      server                        server
     |            |                              |                             |
     |            |  401 response with new permission ticket,                   |
     |            |  authz server location                                      |
     |            |<-----------------------------------------------------------|
     |            |                              |                             |
     |            |              OR              |                             |
     |            |                              |                             |
     |            |  403 response with rotated   |                             |
     |            |  permission ticket (e.g.     |                             |
     |            |  with need_info error,       |                             |
     |            |  redirect_user hint)         |                             |
     |            |<-----------------------------|                             |
     |            |                              |                             |
     |  Redirect  |                              |                             |
     |  user with |                              |                             |
     |  permission|                              |                             |
     |  ticket    |                              |                             |
     |<-----------|                              |                             |
     |  Follow redirect to authz server          |                             |
     |------------------------------------------>|                             |
     |  Interactive claims gathering             |                             |
     |<- - - - - - - - - - - - - - - - - - - - ->|                             |
     |  Redirect back with rotated permission    |                             |
     |  ticket                                   |                             |
     |<------------------------------------------|                             |
     |  Follow    |                              |                             |
     |  redirect  |                              |                             |
     |  to client |                              |                             |
     |----------->|                              |                             |
     |            |  RPT request with permission |                             |
     |            |  ticket                      |                             |
     |            |----------------------------->|                             |
Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
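An added example, not from this message or from the UMA spec text: a Python sketch of the client-side step both diagrams share (pulling the permission ticket and hints out of either the 401 or the 403), followed by the choice between claims push and claims redirect. The sample responses are constructed, and the claims endpoint URL with its client_id/ticket query parameters is an assumption.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample responses in the two shapes both diagrams start from:
# a 401 from the resource server with a new ticket and the authz server
# location, and 403s from the authz server with a rotated ticket and a need_info error.
RS_401 = (401, {"WWW-Authenticate": 'UMA realm="photos", as_uri="https://as.example", ticket="t1"'}, "")
AS_403_PUSH = (403, {}, json.dumps({"error": "need_info", "ticket": "t2",
               "required_claims": [{"claim_type": "email", "claim_token_format": ["jwt"]}]}))
AS_403_REDIRECT = (403, {}, json.dumps({"error": "need_info", "ticket": "t3", "redirect_user": True}))

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def extract_ticket(status, headers, body):
    """The factored-out first step: either response is normalised into the
    permission ticket plus the hints that decide what the client does next."""
    if status == 401:
        www = headers.get("WWW-Authenticate", "")
        if not www.startswith("UMA "):
            return None  # not a UMA challenge
        params = dict(re.findall(r'(\w+)="([^"]*)"', www))
        return {"ticket": params["ticket"], "as_uri": params["as_uri"],
                "required_claims": [], "redirect_user": False}
    if status == 403:
        data = json.loads(body or "{}")
        if data.get("error") != "need_info":
            return None  # some other authz server error, nothing to retry with
        return {"ticket": data["ticket"], "as_uri": None,
                "required_claims": data.get("required_claims", []),
                "redirect_user": bool(data.get("redirect_user"))}
    return None

def next_client_action(info, claim_tokens, claims_endpoint, client_id):
    """Choose claims push (token endpoint) or claims redirect (interactive
    claims gathering). claim_tokens maps a claim_token_format the client can
    supply to a token it already holds for the requesting party."""
    wanted = {f for c in info["required_claims"] for f in c.get("claim_token_format", [])}
    pushable = wanted & set(claim_tokens)
    if not info["redirect_user"] and (pushable or not wanted):
        form = {"grant_type": UMA_TICKET_GRANT, "ticket": info["ticket"]}
        if pushable:
            fmt = sorted(pushable)[0]
            form.update({"claim_token": claim_tokens[fmt], "claim_token_format": fmt})
        return {"action": "push_claims", "form": form}
    # Fall back to redirecting the user; the claims endpoint URL and the
    # client_id/ticket query parameter names are assumptions here.
    query = urlencode({"client_id": client_id, "ticket": info["ticket"]})
    return {"action": "redirect_user", "url": f"{claims_endpoint}?{query}"}
```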