Walkthrough

Markus Sabadello edited this page Jan 28, 2015 · 12 revisions

This is a description and walkthrough for the XDI Cloud Card Viewer.

Scenario

This web application displays XDI Cloud Cards, which may include public and/or private data. In order to access the private data, a "connection invitation" from an authorizing authority (AA) to a requesting authority (RA) is issued. This happens via an "XDI Connect" button on the Cloud Card.

RA: =markus / [=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24
AA: =andrepm / [=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97

Walkthrough

Step 1: The user (RA) views the AA's Cloud Card in their browser. Only public data is displayed.

The Cloud Card has an "XDI Connect" button, which contains an XDI connection invitation. The purpose of the XDI connection invitation is to invite the RA to send a connection request to the AA, in order to ask the AA to establish a new XDI link contract in the AA's XDI Cloud. The XDI connection invitation also invites the RA to request the entire Cloud Card including private data.

The user clicks the "XDI Connect" button.

The XDI connection invitation embedded in the "XDI Connect" button:

[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0/$is()/({$to})
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0/$do/({$to}/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0/$is$do/([=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0$do/$do$is{}/+danubeclouds#forever{$do}
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0{$card}/$is/[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0<#return><$uri>&/&/"https://cloud-cards.xdi2.org/PROD/%5B%3D%5D%21%3Auuid%3A37d37c44-5551-46f3-9264-e4dd2ebbbf97%5B%24card%5D%21%3Auuid%3A88b6c8ea-3976-42f8-96c3-253039005911"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0<$sig>&/&/"....."
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@0<$sig>/$is#/$sha$256$rsa$2048
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1/$is()/({$to})
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1/$do/({$to}/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1/$is$do/([=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/{$to})+danubeclouds#forever$do
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1$do/$get$is/[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911
([=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1$do/$get$is)[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/$is$ref/{}
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1$get<$deref>&/&/true
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1<#return><$uri>&/&/"https://cloud-cards.xdi2.org/PROD/%5B%3D%5D%21%3Auuid%3A37d37c44-5551-46f3-9264-e4dd2ebbbf97%5B%24card%5D%21%3Auuid%3A88b6c8ea-3976-42f8-96c3-253039005911"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1<$sig>&/&/"....."
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$msg]@1<$sig>/$is#/$sha$256$rsa$2048

Return URI of the AA:

https://cloud-cards.xdi2.org/PROD/%5B%3D%5D%21%3Auuid%3A37d37c44-5551-46f3-9264-e4dd2ebbbf97%5B%24card%5D%21%3Auuid%3A88b6c8ea-3976-42f8-96c3-253039005911

Address of the XDI link contract template:

[+]!:uuid:02f30164-997d-4184-b949-5ca1ab1eda7a#forever{$do}

Address of the RA's XDI community link contract:

({$to}/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do

Address of the AA's XDI community link contract:

([=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do

XDI link contract template:

[+]!:uuid:02f30164-997d-4184-b949-5ca1ab1eda7a#forever{$do}/$get/{$card}

Step 2: After clicking the "XDI Connect" button, the XDI connection invitation is submitted to the XDI Connect Service.

The sole purpose of this service is to find the user's XDI Auth Service. This intermediate step is necessary because XDI cloud names and cloud numbers are abstract identifiers that rely on a Discovery Service.

Possible alternatives to the XDI Connect Service may be:

1. Using an XDI-aware browser plugin to intercept the "XDI Connect" button, or
2. Using client-side JavaScript to fulfill the same purpose as the XDI Connect Service.

The user types their cloud name and clicks the "Continue" button. A cookie can be set to omit this step in subsequent flows.


Step 3: After clicking the "Continue" button, the XDI Connect Service discovers the user's XDI Auth Service. This is the component of the user's XDI Cloud responsible for processing XDI connection invitations.

The user clicks the "Continue to your Personal Cloud" button. Note that in a production environment, steps 2 and 3 can be combined for better user experience.


Step 4: After clicking the "Continue to your Personal Cloud" button, the XDI connection invitation is submitted to the user's XDI Auth Service.

At this point, the user is asked to authenticate to their XDI Auth Service, before the XDI connection invitation can be processed.

The user types their password and clicks the "Continue" button. Additional authentication options may be possible depending on the configuration of the XDI Auth Service. A cookie can be set to omit this step in subsequent flows.


Step 5: After clicking the "Continue" button, the XDI Auth Service examines the XDI connection invitation and retrieves the XDI link contract template it references.

The details of the XDI connection invitation are presented to the user, who is asked to approve or reject it. An arrow on the screen indicates that personal data will flow from the AA's Cloud Card to the user (RA).

Note that this demo does not show certain advanced features of XDI, such as optional permissions or usage policies.


Step 6: Assuming the user approves, the XDI connection invitation is sent to their XDI Cloud. An XDI connection request is created based on the XDI connection invitation. The XDI connection request is sent to the AA's XDI Cloud, where a new XDI link contract is instantiated, based on the XDI link contract template.

Note that once the XDI connection request arrives at the AA's XDI Cloud, it may be automatically approved, automatically rejected, or "deferred" until the AA reviews it and approves or rejects it. In this walkthrough, it is assumed that the XDI connection request is automatically approved.

A confirmation page is displayed. The confirmation page has a "Return to Cloud Card" button, which contains an XDI connection result. The purpose of the XDI connection result is to return to the AA's Cloud Card the address of the new link contract instance. The entire Cloud Card including private data is also part of the XDI connection result.

The user clicks the "Return to Cloud Card" button.

The XDI connection result embedded in the "Return to Cloud Card" button:

+danubeclouds#forever{$do}/#/([=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/[=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24)+danubeclouds#forever$do
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97/$is$ref/=andrepm
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#description>&/&/"This is my professional card"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#tag>&/&/"work"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#phone>&/&/"+351129889382"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#connect><#button>&/&/"....."
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#last><#name>&/&/"Martins"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#background><#image>&/&/"....."
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$public<#first><#name>&/&/"Andre"
[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$private<#email>&/&/"andre@danubeclouds.com"

Step 7: After clicking the "Return to Cloud Card" button, the XDI connection result is submitted to the AA's Cloud Card.

The AA's Cloud Card examines and validates the XDI connection result. It contains the address of the new XDI link contract. It also contains the entire Cloud Card including private data, which is displayed on the screen.

This constitutes the end of the XDI Connect flow.
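As an added example, not code from the Cloud Card Viewer project: a small Python parser for the XDI statements shown in Step 1 and Step 6, used to make the kind of check a Cloud Card would run on the connection result in Step 7 before it displays private data. The check logic is an assumption; the sample statements are a constructed subset of the invitation and result above, with the return URI shortened.

```python
AA = "[=]!:uuid:37d37c44-5551-46f3-9264-e4dd2ebbbf97"  # =andrepm, authorizing authority
RA = "[=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24"  # =markus, requesting authority

def split_statement(stmt):
    """Split 'subject/predicate/object' at top-level '/'; a '/' inside (...) or "..." is kept."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in stmt:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "/" and depth == 0 and len(parts) < 2:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("not an XDI statement: " + stmt)
    return tuple(parts)

def parse(text):
    return [split_statement(line) for line in text.splitlines() if line.strip()]

# Constructed subset of the invitation (Step 1) and of the result (Step 6) shown above.
INVITATION = "\n".join([
    AA + "[$msg]@0$do/$do$is{}/+danubeclouds#forever{$do}",
    AA + '[$msg]@0<#return><$uri>&/&/"https://cloud-cards.xdi2.org/PROD/card"',
])
RESULT = "\n".join([
    "+danubeclouds#forever{$do}/#/(" + AA + "/" + RA + ")+danubeclouds#forever$do",
    AA + '[$card]!:uuid:88b6c8ea-3976-42f8-96c3-253039005911$private<#email>&/&/"andre@danubeclouds.com"',
])

def check_result(invitation, result, aa, ra):
    """Assumed Step 7 check: the result must carry an instance of the link contract
    template the invitation named, scoped to (aa/ra). Returns (ok, detail)."""
    template = next(o for _, p, o in parse(invitation) if p == "$do$is{}")
    expected = "(" + aa + "/" + ra + ")" + template.replace("{$do}", "$do")
    for s, p, o in parse(result):
        if s == template and p == "#":
            return (o == expected, o)
    return (False, "no instance of " + template)

def private_fields(result):
    """Private attributes delivered with the result; display them only when check_result is ok."""
    return {s.split("$private")[1].rstrip("&"): o.strip('"')
            for s, p, o in parse(result) if "$private" in s and p == "&"}
```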


Step 8: After completing the XDI Connect flow, the AA may log in to their Cloud Manager (source) and view the XDI link contract that has been instantiated.

Sequence Diagram

[Sequence diagram image: websequencediagrams.png]

Source: websequencediagrams.txt