On issue #335d, with Cigdem's influence, I had concluded that it would be best just to keep Grant Fig 1 (the main grant swimlane) as it is, though with a bit more introduction. However, I did just create a couple of extra ASCII swimlanes, trying to come up with a way to add small swimlanes to the "claims push" and "claims redirect" discussions. I think they, or something like them, may be kinda helpful.

Thoughts? Worth putting in the spec somewhere, or maybe the UIG? Or is the critical insight that both of them can start with either 401/new ticket or 403/rotated ticket, which could/should be factored out into a separate diagram?

Token endpoint/claims push, showing the two options for responses that may cause the client to push claims:

                        authorization resource
client                      server     server
  |                           |          |
  |401 response with new permission      |
  |ticket, authz server location         |
  |<-------------------------------------|
  |                           |          |
  |            OR             |          |
  |                           |          |
  |403 response with rotated  |          |
  |permission ticket (e.g.    |          |
  |with need_info error,      |          |
  |required_claims hint)      |          |
  |<--------------------------|          |
  |                           |          |
  |RPT request with           |          |
  |permission ticket (e.g.    |          |
  |with claim token)          |          |
  |-------------------------->|          |

Claims redirect, showing the two options for responses that may cause the client to start interactive claims gathering:

requesting                             authorization resource
  party        client                      server     server
    |            |                           |          |
    |            |401 response with new permission      |
    |            |ticket, authz server location         |
    |            |<-------------------------------------|
    |            |                           |          |
    |            |            OR             |          |
    |            |                           |          |
    |            |403 response with rotated  |          |
    |            |permission ticket (e.g.    |          |
    |            |with need_info error,      |          |
    |            |redirect_user hint)        |          |
    |            |<--------------------------|          |
    |            |                           |          |
    |Redirect    |                           |          |
    |user with   |                           |          |
    |permission  |                           |          |
    |ticket      |                           |          |
    |<-----------|                           |          |
    |Follow redirect to authz server         |          |
    |--------------------------------------->|          |
    |Interactive claims gathering            |          |
    |<- - - - - - - - - - - - - - - - - - - >|          |
    |Redirect back with rotated permission   |          |
    |ticket                                  |          |
    |<---------------------------------------|          |
    |Follow      |                           |          |
    |redirect    |                           |          |
    |to client   |                           |          |
    |----------->|                           |          |
    |            |RPT request with permission|          |
    |            |ticket                     |          |
    |            |-------------------------->|          |

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
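The "critical insight" raised above (both flows can start from either a 401 with a new ticket or a 403 with a rotated ticket, and only the hint decides between claims push and claims redirect) is easier to see as client-side logic. The following is an added example, not part of the message above or of any UMA implementation: it normalizes a constructed 401 from the resource server and a constructed 403 need_info from the authorization server into one (ticket, AS location, hint) view, then builds the RPT request for the push path and the redirect plus state check for the redirect path. Parameter and field names (as_uri, need_info, required_claims, redirect_user, claim_token, claim_token_format, claims_redirect_uri, state, authorization_state) are taken from the UMA 2.0 Grant spec as I read it; the UMA challenge header shape, hostnames, ticket values, claim token and format strings are all constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Grant type of the RPT request at the token endpoint (UMA 2.0 Grant).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def parse_uma_challenge(header):
    """Parse the 401 challenge the resource server sends, e.g.
    UMA realm="example", as_uri="https://as.example.com", ticket="abc"
    into {"realm": ..., "as_uri": ..., "ticket": ...}."""
    scheme, _, params = header.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge: %r" % header)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', params))


def next_step(status, headers, body, known_as_uri=None):
    """Reduce either starting point to one view: (ticket, as_uri, hint).

    401 from the resource server: new ticket and AS location are in the
        WWW-Authenticate header; no hint yet (the client tries a plain RPT
        request first).
    403 from the authorization server: rotated ticket is in the need_info
        body; a redirect_user hint selects claims redirect, a required_claims
        hint selects claims push. The AS location is already known here.
    """
    if status == 401:
        p = parse_uma_challenge(headers["WWW-Authenticate"])
        return p["ticket"], p["as_uri"], None
    if status == 403:
        err = json.loads(body)
        if err.get("error") != "need_info":
            raise ValueError("403 without need_info: %r" % err)
        if known_as_uri is None:
            raise ValueError("403 came from an AS whose location is unknown")
        if err.get("redirect_user"):
            hint = "redirect"
        elif err.get("required_claims"):
            hint = "push"
        else:
            hint = None  # rotated ticket but no guidance: retry or give up
        return err["ticket"], known_as_uri, hint
    raise ValueError("status %d is not one of the two starting points" % status)


def rpt_request_body(ticket, claim_token=None, claim_token_format=None):
    """Form body of the RPT request (last arrow in both swimlanes).
    claim_token/claim_token_format are present only on the claims-push path."""
    form = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
    if claim_token is not None:
        form["claim_token"] = claim_token
        form["claim_token_format"] = claim_token_format
    return urlencode(form)


def claims_redirect_url(claims_interaction_endpoint, client_id, ticket,
                        claims_redirect_uri, state):
    """URL the client redirects the requesting party to. `state` is a fresh,
    unguessable value the client stores so it can bind the redirect back to
    this request."""
    q = {"client_id": client_id, "ticket": ticket,
         "claims_redirect_uri": claims_redirect_uri, "state": state}
    return claims_interaction_endpoint + "?" + urlencode(q)


def handle_redirect_back(query_string, expected_state):
    """Check the redirect back from the AS and return the rotated ticket.
    Rejects a mismatched state (a ticket injected into the wrong session) and
    anything other than authorization_state=claims_submitted."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch on claims redirect back")
    if q.get("authorization_state") != "claims_submitted":
        raise ValueError("claims not submitted: %r" % q.get("authorization_state"))
    return q["ticket"]


if __name__ == "__main__":
    # Constructed sample messages; none come from a real deployment.
    chal = 'UMA realm="example", as_uri="https://as.example.com", ticket="tkt-1"'
    ticket, as_uri, hint = next_step(401, {"WWW-Authenticate": chal}, "")
    print("401 ->", ticket, as_uri, hint)
    print("RPT request:", rpt_request_body(ticket))
    push = '{"error":"need_info","ticket":"tkt-2","required_claims":[{"name":"email"}]}'
    ticket, _, hint = next_step(403, {}, push, as_uri)
    print("403 ->", ticket, hint)
    print("RPT request:", rpt_request_body(ticket, "constructed-claim-token", "constructed-format"))
```

The point of `next_step` is that the two diagrams share a prefix: once the client has a ticket and an AS location, only the hint differs, so a single "starting points" diagram followed by the two tails would match the code structure. The `state` check in `handle_redirect_back` is the one piece of client-side logic the redirect swimlane does not show but that a client must do, since the rotated ticket arrives on a browser-driven redirect the client did not initiate in that request.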