Re: Combining Service accounts and OAuth flow

Hi,

I really like Isaac's proposal.
However, I think we should also support an alternative flow which does not
require the Client App to manage the public-private key pair.
The attached sequence diagram, which only differs from Isaac's proposal in
the first sequence steps, is my proposal on what that might look like.
BR
Ulf

On Sun, May 3, 2020 at 11:09 PM Isaac Agudo Ruiz <isaac@lcc.uma.es> wrote:

> Hello everyone,
>
> I have prepared a diagram to serve as a starting point for discussions in
> the next meeting. I have combined the standard OAuth Flow with the concept
> of service accounts. User could be the car owner or the manufacturer.
>
> Having a key pair per app would also enable another interesting use case,
> at least from my perspective: Encrypted responses. The Vehicle Server can
> use the public key of the app to encrypt responses, avoiding the need for
> TLS in the back channel. In order to avoid it in the requests, they should
> also be encrypted using the vehicle server public key. I think removing the
> TLS dependency in the last step could affect performance in a good way.
>
> I have used the following tool to create the diagrams, in case someone
> wants to amend them: https://sequencediagram.org
>
> Best,
>
> Isaac.
>
> ******
>
> Here is the source code and the diagram in PNG:
>
> title User delegating access to Client App
>
> actor User
> participant Client App
> participant AuthzServer
> participant AuthnServer
> participant Vehicle Server
>
>
> note over User: Install Client App
> User-->*Client App:<<create>>
> note over Client App: Generates Key Pair
> aboxright over User,AuthzServer: User delegates access to Client App by \nidentifying the Public Key, e.g. QR codes\n and set app permissions, e.g. using roles
> note over Client App: Generates JWT with iat \nset to current UNIX time
> Client App->AuthnServer: Request access token using JWT
> note over AuthnServer,AuthzServer: Check permissions
> AuthnServer-->Client App: Token response
> Client App -> Vehicle Server: Request Signal using Access Token
> note over Vehicle Server: Check Token
> Vehicle Server-->Client App: Signal response
>
>

-- 
Ulf Bjorkengren
*Geotab*
Senior Connectivity Strategist | Ph. D.
Mobile +45 53562142
Visit www.geotab.com

Received on Tuesday, 5 May 2020 08:28:14 UTC