Walkthrough

Markus Sabadello edited this page Jan 28, 2015 · 40 revisions

This is a description and walkthrough for the +acmenews XDI2 demo.

Scenario

A business requesting authority (RA) issues a "connection request" to request a cloud number for login purposes from an individual authorizing authority (AA). This happens via an "XDI Connect" button on a webpage.

RA: +acmenews / [+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5
AA: =markus / [=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24

Walkthrough

Step 1: The user (AA) views the RA's website in their browser.

The website has an "XDI Connect" button, which contains an XDI connection request. The purpose of the XDI connection request is to ask the AA to establish a new XDI link contract in the AA's XDI Cloud. The XDI connection request also asks for the AA's XDI cloud number.

The user clicks the "XDI Connect" button.

The XDI connection request embedded in the "XDI Connect" button:

[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0/$is()/({$to})
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0/$do/({$to}/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0$do/$do{}/[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0<#return><$uri>&/&/"https://acmenews.projectdanube.org/acmenews-return"
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0<$sig>&/&/"....."
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@0<$sig>/$is#/$sha$256$rsa$2048
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1/$is()/({$to})
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1/$do/({$to}/[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5)[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login$do
([+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1$do/$get)/$is$ref/{}
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1<#return><$uri>&/&/"https://acmenews.projectdanube.org/acmenews-return"
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1<$sig>/$is#/$sha$256$rsa$2048
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5[$msg]@1<$sig>&/&/"....."

Return URI of the RA:

https://acmenews.projectdanube.org/acmenews-return

Address of the XDI link contract template:

[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}

Address of the AA's XDI community link contract:

({$to}/[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa)[+]!:uuid:ca51aeb9-e09e-4305-89d7-87a944a1e1fa#community$do

XDI link contract template:

([+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}/$get)/$is$ref/{}
([+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}$if$and/$true){$from}/$is/[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5
([+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}$if$and/$true){$msg}<$sig><$valid>&/&/true

Step 2: After clicking the "XDI Connect" button, the XDI connection request is submitted to the XDI Connect Service.

The sole purpose of this service is to find the user's XDI Auth Service. This intermediate step is necessary because XDI cloud names and cloud numbers are abstract identifiers: they carry no endpoint information themselves and must be resolved through a Discovery Service.

Possible alternatives to the XDI Connect Service are:

1. Using an XDI-aware browser plugin to intercept the "XDI Connect" button.
2. Using client-side JavaScript to fulfill the same purpose as the XDI Connect Service.

The user types their cloud name and clicks the "Continue" button. A cookie can be set so that this step is skipped in subsequent flows.


Step 3: After clicking the "Continue" button, the XDI Connect Service discovers the user's XDI Auth Service. This is the component of the user's XDI Cloud responsible for processing XDI connection requests.

The user clicks the "Continue to your Personal Cloud" button. Note that in a production environment, steps 2 and 3 can be combined for better user experience.


Step 4: After clicking the "Continue to your Personal Cloud" button, the XDI connection request is submitted to the user's XDI Auth Service.

At this point, the user is asked to authenticate to their XDI Auth Service, before the XDI connection request can be processed.

The user types their password and clicks the "Continue" button. Additional authentication options may be available depending on the configuration of the XDI Auth Service. A cookie can be set so that this step is skipped in subsequent flows.


Step 5: After clicking the "Continue" button, the XDI Auth Service examines the XDI connection request and retrieves the XDI link contract template it references.

The details of the XDI connection request are presented to the user, who is asked to approve or reject it. An arrow on the screen indicates that personal data will flow from the user (AA) to the RA's website.

Note that this demo does not show certain advanced features of XDI, such as optional permissions or usage policies.


Step 6: Assuming the user approves, the XDI connection request is sent to their XDI Cloud, where a new XDI link contract is instantiated, based on the XDI link contract template.

A confirmation page is displayed. The confirmation page has a "Return to +acmenews Website" button, which contains an XDI connection result. The purpose of the XDI connection result is to return the address of the new link contract instance to the RA's website. The user's XDI cloud number is also part of the XDI connection result.

The user clicks the "Return to +acmenews Website" button.

The XDI connection result embedded in the "Return to +acmenews Website" button:

/$is$ref/([=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24)
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}/#/([=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24/[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5)[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login$do

Step 7: After clicking the "Return to +acmenews Website" button, the XDI connection result is submitted to the RA's website.

The RA's website examines and validates the XDI connection result. The result contains the address of the new XDI link contract, and it contains the user's XDI cloud number, which the RA can use to establish a login session.

A confirmation page is displayed. This constitutes the end of the XDI Connect flow.
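As an added example (not code from the XDI2 project or from this demo), the following Python splits XDI statements like the ones shown above into subject, predicate and object, which takes more than splitting on "/" because cross-references such as ({$to}/[+]!:uuid:...) and quoted literals such as the return URI contain slashes, and then runs the structural checks a requesting authority could apply to the connection result before accepting the cloud number for a login session. The checks themselves, the cloud number pattern and the sample result are assumptions constructed from the two statements shown in Step 6.

```python
import re
# Cloud number of +acmenews (the RA) and the link contract template it requested, both from the page.
RA = "[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5"
TEMPLATE = RA + "#login{$do}"
CLOUD_NUMBER = re.compile(r"^\[[=+]\]!:uuid:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Constructed sample: the two statements of the connection result shown in Step 6.
SAMPLE_RESULT = """\
/$is$ref/([=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24)
[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login{$do}/#/([=]!:uuid:91f28153-f600-ae24-91f2-8153f600ae24/[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5)[+]!:uuid:0b0a38c7-1120-4194-ad4c-2f52acc0e1a5#login$do
"""

def split_statement(stmt):
    """Split one XDI statement into (subject, predicate, object) on top-level '/' only.
    A '/' inside (), [], {} or a quoted literal belongs to a cross-reference or literal."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in stmt:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "([{":
            depth += 1
        elif not quoted and ch in ")]}":
            depth -= 1
        if ch == "/" and depth == 0 and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    if depth != 0 or quoted or len(parts) != 3:
        raise ValueError("malformed XDI statement: " + stmt)
    return tuple(parts)

def validate_connection_result(text, ra=RA, template=TEMPLATE):
    """Checks the RA should make before trusting a result (an assumed policy, not XDI2's own code):
    one peer-root $is$ref naming a well-formed cloud number, and one link contract instance whose
    address binds that cloud number to this RA and the requested template. Returns (cloud, address)."""
    stmts = [split_statement(line) for line in text.splitlines() if line.strip()]
    refs = [o for s, p, o in stmts if s == "" and p == "$is$ref"]
    if len(refs) != 1 or not (refs[0].startswith("(") and refs[0].endswith(")")):
        raise ValueError("result must carry exactly one peer-root $is$ref")
    cloud = refs[0][1:-1]
    if not CLOUD_NUMBER.match(cloud):
        raise ValueError("not a cloud number: " + cloud)
    contracts = [o for s, p, o in stmts if s == template and p == "#"]
    if len(contracts) != 1:
        raise ValueError("result must instantiate exactly one contract from " + template)
    expected = "(" + cloud + "/" + ra + ")" + template.replace("{$do}", "$do")
    if contracts[0] != expected:
        raise ValueError("contract address " + contracts[0] + " does not match " + expected)
    return cloud, contracts[0]
```

A result whose contract address names a different template, a different RA, or a cloud number other than the one in the $is$ref statement is rejected, so the RA only creates a session for the cloud number the new link contract is actually bound to.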


Step 8: This is an "internal view" of the RA's website. It lists the most recent successful XDI Connect flows, and the users' cloud numbers.


Step 9: After completing the XDI Connect flow, the AA may log in to their Cloud Manager (source) and view the XDI link contract that has been instantiated.

Sequence Diagram

[Sequence diagram image: websequencediagrams.png]

Source: websequencediagrams.txt