# General eID-Workflow (2021-07-08)

###### tags: `workflow diagram`

```plantuml
actor "User" as USER
participant "ONCE Wallet" as APP
participant "AusweisApp2 SDK" as SDK
participant "eID card" as EID
participant "SSI-Provisioning Service" as PS
participant "ID Gateway" as IDG
participant "eID-Service" as AUTENT
autonumber
USER->APP: Create SSI-Credential from PA
APP->PS: Start SSI-Credential Process
PS<-->IDG: Start OpenID Connect Discovery
PS->APP: Call Wallet with tcTokenUrl (OpenID Connect Authentication Request)
note over APP, SDK
The ONCE Wallet has to transmit the tcTokenUrl to the SDK.
The tcToken mechanism is explained in BSI TR 03124 and 03130.
See example below.
end note
group SDK-Process
group eID step 1 (Connection SDK<->eID-card)
APP->SDK: cmd RUN_AUTH(tcTokenURL)
SDK<-->IDG: Get tcToken
APP<-SDK: msg AUTH
APP<-SDK: msg ACCESS_RIGHTS
note over APP,SDK
Authorization certificate and data fields
end note
APP<->USER: Display authorization certificate
APP->SDK: cmd ACCEPT
APP<-SDK: msg INSERT_CARD
APP<->USER: Prompt user to present ID card
SDK<-->EID: Get status
APP<-SDK: msg ENTER_PIN/CAN
APP<->USER: Prompt for PIN/CAN
APP->SDK: cmd SET_PIN/CAN
SDK<-->EID: Authenticate with PIN
end
group eID step 2
SDK<-->AUTENT: eID PAOS Communication
APP<-SDK: msg AUTH (redirectURL)
note over SDK,PS
The requested data are sent to the ID Gateway at the end of eID step 2.
end note
end
end
APP->IDG: Call redirectURL
PS<-IDG: Redirect with Authorization Code
PS<-->IDG: Get Identity Token
PS<-->IDG: Get userinfo
PS->APP: Send user data for further processing
APP->USER: Show notice to user
```

# tcToken example

```xml
<TCTokenType>
  <ServerAddress>https://testpaos.governikus-eid.de:443/ecardpaos/paosreceiver</ServerAddress>
  <SessionIdentifier>f38d49df-48e6-497d-a953-3311104001ed</SessionIdentifier>
  <RefreshAddress>https://test.governikus-eid.de/gov_autent/async?refID=_3111337f9cbab[...]</RefreshAddress>
  <CommunicationErrorAddress/>
  <Binding>urn:liberty:paos:2006-08</Binding>
  <PathSecurity-Protocol>urn:ietf:rfc:4279</PathSecurity-Protocol>
  <PathSecurity-Parameters>
    <PSK>90d4b876ed9f681b19062651d19b43b500c654e74cc547c0f5ddf[...]</PSK>
  </PathSecurity-Parameters>
</TCTokenType>
```

### eID Interaction diagram, generic service

```plantuml
actor "User" as USER
participant "ONCE Wallet" as APP
participant "AusweisApp2 SDK" as SDK
participant "eID card" as EID
participant "Service Provider" as PS
participant "ID Gateway" as IDG
participant "eID-Service" as AUTENT
autonumber
USER->PS: Initiate eID data request interaction (e.g. by clicking "sign in")
PS<-->IDG: Start OpenID Connect Discovery
PS->APP: Share tcTokenUrl (OpenID Connect Authentication Request) with wallet (QR code, deep link)
note over APP, SDK
The ONCE Wallet has to transmit the tcTokenUrl to the SDK.
The tcToken mechanism is explained in BSI TR 03124 and 03130.
See example above.
end note
group SDK-Process
group eID step 1 (Connection SDK<->eID-card)
APP->SDK: cmd RUN_AUTH(tcTokenURL)
SDK<-->IDG: Get tcToken
APP<-SDK: msg AUTH
APP<-SDK: msg ACCESS_RIGHTS
note over APP,SDK
Authorization certificate and data fields
end note
APP<->USER: Display authorization certificate
APP->SDK: cmd ACCEPT
APP<-SDK: msg INSERT_CARD
APP<->USER: Prompt user to present ID card
SDK<-->EID: Get status
APP<-SDK: msg ENTER_PIN/CAN
APP<->USER: Prompt for PIN/CAN
APP->SDK: cmd SET_PIN/CAN
SDK<-->EID: Authenticate with PIN
end
group eID step 2
SDK<-->AUTENT: eID PAOS Communication
APP<-SDK: msg AUTH (redirectURL)
note over SDK,PS
The requested data are sent to the ID Gateway at the end of eID step 2.
end note
end
end
APP->AUTENT: Call redirectURL (RefreshAddress from tcToken)
APP<-AUTENT: redirect to validated AssertionConsumerUrl with SAML Response
APP->IDG: Follow redirect
APP<-IDG: redirect to ID Gateway
APP->IDG: Follow redirect
APP<-IDG: redirect to redirect url from Authentication Request + authorization code
APP->PS: Link to Service Provider
PS->IDG: send Token Request
PS<-IDG: return access_token and ID Token
PS->IDG: send userinfo request
PS<-IDG: return userinfo
USER<-PS: show notice to user
```

The step numbers below refer to the autonumbered messages in the diagram above.

| Step | URL | Explanation |
|------|-----|-------------|
| 18 (redirectURL) | `https://governikus.de/gov_autent/async?refID=_665dc2675527a7b0f0e369623042732b8256c5ce` | Call to fetch the SAML Response; **refID** is single use |
| 20 | `https://governikus.de/AutentIDConnect/saml-redirect-binding-consumer?SAMLResponse=[...]&RelayState=[...]&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=[...]&ResultMajor=ok` | SAML Response to the ID Gateway; **SAMLResponse** contains the encrypted user data |
| 22 | `https://governikus.de/AutentIDConnect/saml-redirect-user-redirect-endpoint?RelayState=[...]` | Internal ID Gateway redirect |
| 24 | `https://app.server.de/client/authcode?code=[...]&state=[...]` | Redirect to the Service Provider with the OpenID Connect Authentication Response; **code** can be sent with the Token Request but is only valid if used by the Service Provider client_id together with the Service Provider authentication |
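The wallet hands the tcTokenUrl to the SDK, and the SDK fetches a TCTokenType document like the one in the tcToken example above. The following is an added example, not code from this page, from Governikus, or from the AusweisApp2 SDK: a small parser plus structural sanity checks a wallet or test harness could run over a fetched tcToken. The `SAMPLE_TCTOKEN` is constructed (it follows the example's layout, but the refID and PSK are made-up values), the 16-byte PSK threshold is an assumption, and the checks are illustrative rather than the complete TR-03124 rule set.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Identifiers taken from the page's tcToken example (PAOS binding, TLS-PSK).
PAOS_BINDING = "urn:liberty:paos:2006-08"
TLS_PSK_PROTOCOL = "urn:ietf:rfc:4279"

# Constructed sample: same structure as the page's example, made-up refID/PSK.
SAMPLE_TCTOKEN = """<TCTokenType>
  <ServerAddress>https://testpaos.governikus-eid.de:443/ecardpaos/paosreceiver</ServerAddress>
  <SessionIdentifier>f38d49df-48e6-497d-a953-3311104001ed</SessionIdentifier>
  <RefreshAddress>https://test.governikus-eid.de/gov_autent/async?refID=_constructed0001</RefreshAddress>
  <CommunicationErrorAddress/>
  <Binding>urn:liberty:paos:2006-08</Binding>
  <PathSecurity-Protocol>urn:ietf:rfc:4279</PathSecurity-Protocol>
  <PathSecurity-Parameters>
    <PSK>00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff</PSK>
  </PathSecurity-Parameters>
</TCTokenType>"""


@dataclass
class TcToken:
    server_address: str
    session_identifier: str
    refresh_address: str
    communication_error_address: str
    binding: str
    path_security_protocol: str
    psk: bytes


def parse_tctoken(xml_text: str) -> TcToken:
    """Parse a TCTokenType document; raise ValueError on structural problems."""
    root = ET.fromstring(xml_text)
    if root.tag != "TCTokenType":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def text(path: str, required: bool = True) -> str:
        node = root.find(path)
        if node is None:
            if required:
                raise ValueError(f"missing element {path}")
            return ""
        return (node.text or "").strip()

    psk_hex = text("PathSecurity-Parameters/PSK")
    if len(psk_hex) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", psk_hex):
        raise ValueError("PSK is not an even-length hex string")
    return TcToken(
        server_address=text("ServerAddress"),
        session_identifier=text("SessionIdentifier"),
        refresh_address=text("RefreshAddress"),
        communication_error_address=text("CommunicationErrorAddress", required=False),
        binding=text("Binding"),
        path_security_protocol=text("PathSecurity-Protocol"),
        psk=bytes.fromhex(psk_hex),
    )


def _is_https_url(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def validate_tctoken(tok: TcToken) -> List[str]:
    """Return the problems found; an empty list means the token passed."""
    problems: List[str] = []
    if not _is_https_url(tok.server_address):
        problems.append("ServerAddress must be an absolute https URL")
    if not _is_https_url(tok.refresh_address):
        problems.append("RefreshAddress must be an absolute https URL")
    if tok.communication_error_address and not _is_https_url(tok.communication_error_address):
        problems.append("CommunicationErrorAddress must be an https URL when present")
    if not tok.session_identifier:
        problems.append("SessionIdentifier is empty")
    if tok.binding != PAOS_BINDING:
        problems.append(f"Binding must be {PAOS_BINDING}, got {tok.binding!r}")
    if tok.path_security_protocol != TLS_PSK_PROTOCOL:
        problems.append(f"PathSecurity-Protocol must be {TLS_PSK_PROTOCOL}")
    elif len(tok.psk) < 16:  # minimum length is an assumption of this example
        problems.append("PSK shorter than 16 bytes")
    return problems


def check_tctoken(xml_text: str) -> List[str]:
    """Parse and validate in one step; parse errors are reported as problems."""
    try:
        tok = parse_tctoken(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return [f"parse error: {exc}"]
    return validate_tctoken(tok)


if __name__ == "__main__":
    print(check_tctoken(SAMPLE_TCTOKEN))  # [] for the constructed sample
```

`check_tctoken` returns all problems at once rather than stopping at the first, which is more useful when a wallet logs why it refused to start `RUN_AUTH`.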
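Step 24 of the table says the authorization code is only valid when redeemed by the Service Provider client_id together with the Service Provider's client authentication. The following is an added example, not the page's or the ID Gateway's code: a minimal model of the token endpoint (steps 25 and 26) that enforces client authentication, binding of the code to the client_id and redirect_uri of the Authentication Request, single use with revocation on replay, and a lifetime. The client registry, secrets, 60-second lifetime and the `sub`-only stand-in for the ID Token are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class IssuedCode:
    client_id: str       # client that sent the Authentication Request
    redirect_uri: str    # redirect_uri of that request (step 24 target)
    subject: str         # user identifier derived from the eID data
    issued_at: float
    access_token: Optional[str] = None  # set once the code has been redeemed


class TokenEndpoint:
    """Constructed model of the ID Gateway token endpoint (steps 25/26)."""

    CODE_LIFETIME_SECONDS = 60.0  # assumption for this example

    def __init__(self, clients: Dict[str, str]) -> None:
        # Registry of confidential clients: client_id -> SHA-256 of the secret.
        self._clients = {cid: hashlib.sha256(sec.encode()).digest()
                         for cid, sec in clients.items()}
        self._codes: Dict[str, IssuedCode] = {}
        self._revoked: Set[str] = set()

    def issue_code(self, client_id: str, redirect_uri: str, subject: str,
                   now: Optional[float] = None) -> str:
        """Step 24: mint the code that is redirected to the Service Provider."""
        code = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        self._codes[code] = IssuedCode(client_id, redirect_uri, subject, issued)
        return code

    def _client_authenticated(self, client_id: str, client_secret: str) -> bool:
        expected = self._clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).digest()
        # Hash first, look up second, so an unknown client_id takes the same
        # path as a wrong secret; compare_digest keeps the comparison constant-time.
        return expected is not None and hmac.compare_digest(expected, presented)

    def redeem(self, code: str, client_id: str, client_secret: str,
               redirect_uri: str, now: Optional[float] = None) -> Dict[str, str]:
        """Token Request -> access_token plus subject, or an OAuth-style error."""
        now = now if now is not None else time.time()
        if not self._client_authenticated(client_id, client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.get(code)
        if entry is None:
            return {"error": "invalid_grant", "error_description": "unknown code"}
        if entry.access_token is not None:
            # Replay of a used code: deny and revoke what was issued from it
            # (RFC 6749 section 4.1.2).
            self._revoked.add(entry.access_token)
            return {"error": "invalid_grant",
                    "error_description": "code already used; tokens revoked"}
        if entry.client_id != client_id:
            return {"error": "invalid_grant",
                    "error_description": "code bound to a different client_id"}
        if entry.redirect_uri != redirect_uri:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        if now - entry.issued_at > self.CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "error_description": "code expired"}
        entry.access_token = secrets.token_urlsafe(32)
        # A real endpoint returns a signed id_token JWT; "sub" stands in for it here.
        return {"access_token": entry.access_token, "token_type": "Bearer",
                "sub": entry.subject}

    def token_is_valid(self, access_token: str) -> bool:
        """Userinfo check (steps 27/28): token must exist and not be revoked."""
        if access_token in self._revoked:
            return False
        return any(c.access_token == access_token for c in self._codes.values())
```

The order of the checks matters for what an attacker learns: the client is authenticated before the code is even looked up, so an unauthenticated caller cannot use the endpoint as an oracle for whether a code exists or has been consumed.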