@startuml
autonumber

box "User's Devices"
participant "Wallet Instance" as wm
participant "User Agent" as u
end box

box "Verifier"
participant "Frontend" as r
participant "CrossDevice \nStatus Endpoint" as se
participant "Wallet Discovery \nEndpoint" as wde
participant "Request uri \nEndpoint" as rp
participant "Redirect uri \nEndpoint" as rb
end box

u -> r: HTTP Request\n protected Resource
activate r
r -> r: the User-Agent is not authenticated
r -> wde: originating request relayed
deactivate r

activate wde
wde -> wde: detect Cross or Same Device flow
wde -> wde: create a transaction-id

alt Cross Device flow
    wde --> u: HTML page with JS, transaction-id and \nQR Code with\n request_uri endpoint, client_id<font color=blue>, discovery_uri_endpoint, d_nonce</font>
    activate wm
    wm -> wm: Open the Wallet Instance, \nlocal authentication \nframe QR code
    wm -> wm: Scan QR Code and extract:\n request_uri<font color=blue>, discovery_uri_endpoint, d_nonce</font>
    deactivate wm
    loop Until expiry, failed or successful response
        u -> se: Ajax HTTP request with transaction-id (GET|POST)
        se -> se: check presentation status if: \nobtained, valid and user authenticated
        se --> u: HTTP/1.1 200 OK \n{"redirect_uri": https url}
    end
else Same Device flow
    wde --> u: HTTP Redirect (302) with: \nrequest_uri endpoint, client_id<font color=blue>, discovery_uri_endpoint, d_nonce</font>
    u -> wm: provide HTTP Found location
end

wm -> wde: HTTP <font color=blue>POST discovery endpoint with client_assertion: WIA~POP(d_nonce)</font>
wde -> wde: evaluates Wallet Instance capabilities \n(AAL, Metadata)\n update the session bound to the web cookie
wde --> wm: <font color=blue>HTTP 200 </font>
deactivate wde

wm -> rp: HTTP GET to request_uri with Request Object +web cookie
rp -> rp: create (signed) presentation request object \n(client_id, nonce, response_uri, \npresentation_definition, state)
rp --> wm: **signed request object** (client_id, nonce, response_uri, presentation_definition, state)

wm -> wm: authenticate and authorize the RP
note right of wm: user consent and selection of disclosed data
wm -> wm: create verifiable presentation (credential)
wm -> rb: post response (vp_token, presentation_submission, state)

activate rb
rb -> rb: validate presentation \n(nonce binding)
rb -> rb: evaluates presented credential

alt Cross device
    rb --> u: <b>Ajax loop at step number 11</b> obtained {"redirect_uri": https url to the protected resource}
else Same device
    rb -> u: HTTP/1.1 302 found (redirect to the protected resource)
    u -> wm: obtain location
end

u -> r: HTTP Request to the protected resource
deactivate rb
@enduml
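The verifier-side state the diagram relies on (transaction-id per browser session, nonce and state carried in the request object, nonce binding checked at the redirect uri endpoint, and the status endpoint that only releases a redirect_uri once a valid presentation is stored), as an added Python model that is not part of the diagram or of any wallet or verifier implementation. The in-memory session store, the `client_id`, `response_uri` and resource URL values, the session lifetime and the lookup of the session by `state` are assumptions of this example.

```python
import secrets
import time

class VerifierSessions:
    """Assumed in-memory store shared by the discovery, request_uri,
    redirect_uri and cross-device status endpoints of the diagram."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.now, self.ttl, self.sessions = now, ttl_seconds, {}

    def create_transaction(self):
        # Wallet Discovery Endpoint: one transaction-id per browser session,
        # together with the nonce and state the request object will carry.
        tid = secrets.token_urlsafe(16)
        self.sessions[tid] = {"nonce": secrets.token_urlsafe(16),
                              "state": secrets.token_urlsafe(16),
                              "expires": self.now() + self.ttl,
                              "presentation": None}
        return tid

    def request_object(self, tid):
        # Request uri Endpoint: the claims of the (to be signed) request object.
        s = self.sessions[tid]
        return {"client_id": "verifier.example", "nonce": s["nonce"],
                "state": s["state"], "response_uri": "https://verifier.example/cb"}

    def redirect_uri_endpoint(self, state, vp_token):
        # Redirect uri Endpoint: locate the session by state, then require the
        # nonce inside the VP to match the one issued for this transaction,
        # so a replayed or cross-session presentation is rejected.
        for s in self.sessions.values():
            if s["state"] == state:
                break
        else:
            return "unknown_state"
        if self.now() > s["expires"]:
            return "expired"
        if vp_token.get("nonce") != s["nonce"]:
            return "nonce_mismatch"
        s["presentation"] = vp_token   # only a bound presentation is stored
        return "ok"

    def status_endpoint(self, tid):
        # CrossDevice Status Endpoint, polled by the browser's Ajax loop:
        # release the redirect_uri only after a valid presentation arrived.
        s = self.sessions.get(tid)
        if s is None or self.now() > s["expires"]:
            return {"status": "expired"}
        if s["presentation"] is None:
            return {"status": "pending"}
        return {"status": "ok", "redirect_uri": "https://verifier.example/resource"}
```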