## Rationale

~~MSFT had a plan to use eSTS for the Authorization code flow and a new AS for the pre-authorized code flow, which meant different ASes for the same RS (Credential Endpoint).~~ ~~This setup complicates the spec. We are exploring a way to use the same AS for both flows:~~

~~- Option 1: eSTS supports the pre-authorized code grant (it obviously already supports the authorization code grant).~~
- Option 2: The Verified ID team implements an AS that can be used for both flows; in the authorization code flow it would talk to eSTS via the client credentials grant.

# An intermediary AS by Verified ID team for **Authorization code grant**

```plantuml
actor User as U
box Wallet
participant "Wallet" as W
end box
participant "Issuer\nWeb App" as Iss
box AS/RS by VerifiedID team
participant "Intermediary\nAS (Authorization endpoint and token endpoint)" as AS1
participant "Credential\nEndpoint" as RS1
end box
box Existing AAD AS
participant "eSTS" as AS2
participant "MSFT Graph\n(Resource)" as RS2
end box
hide footbox
U -> Iss: [opt] user interaction
Iss -> Iss: generate QR code.
W -> Iss: scan QR code.
W -> AS1: obtains Intermediary AS's metadata
group obtaining Access Token
W -> AS1: Authorization Request 2
AS1 -> AS2: Authorization Request 1
note over AS1: Intermediary AS redirects the user to eSTS's login screen.\nUser logs in at eSTS.
return authorization code 1
AS1 -> AS2: Token Request w/ code 1
return Access Token 1 (valid at eSTS)
note over AS1: OBO flow to obtain Access Token 3\nvalid at MSFT Graph (can be done later)
AS1 -> W: code 2
W -> AS1: Token Request w/ code 2
return Access Token 2 (valid at Intermediary AS)
end
group Credential Request
W -> RS1: Credential Request w/ Access Token 2
RS1 -> AS1: Access Token 2
note over AS1: maintains the mapping\nbetween AT3 and AT2.
AS1 -> RS2: Request w/ Access Token 3
return data about the user from MSFT Graph
AS1 -> RS1: data to put into a VC
RS1 -> W: VC issued
end
```

From eSTS's perspective the intermediary AS is a single client (one `client_id`), which is the efficiency gain of this design. The wallet only ever holds Access Token 2; Access Token 3, which is valid at MSFT Graph, stays inside the intermediary AS, which keeps the AT2-to-AT3 mapping.

# An intermediary AS by Verified ID team for **Pre-Authorized code grant**

```plantuml
actor User as U
box Wallet
participant "Wallet" as W
end box
participant "Issuer\nWeb App" as Iss
box AS/RS by VerifiedID team
participant "Intermediary\nAS (Authorization endpoint and token endpoint)" as AS1
participant "Credential\nEndpoint" as RS1
end box
box Existing AAD AS
participant "eSTS" as AS2
participant "MSFT Graph\n(Resource)" as RS2
end box
hide footbox
U -> Iss: [opt] uploads data (selfie, pdf, etc.)
Iss -> Iss: generate QR code.
W -> Iss: scan QR code\ncontaining `credential_offer_uri`
W -> Iss: obtain a Credential Offer Object\nfrom the `credential_offer_uri`.
return Credential Offer Object\nwith pre-authorized code.
W -> AS1: obtains metadata of Intermediary AS\nand Credential Endpoint using `credential_issuer`\nin the Credential Offer Object
group obtaining Access Token
W -> AS1: Token Request w/ pre-authorized code
return Access Token 2
end
group Credential Request
W -> RS1: Credential Request w/ Access Token 2
RS1 -> AS1: Access Token 2
return data to put into a VC
RS1 -> W: VC issued
end
```
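The following is an added example, not the Verified ID team's code and not part of the spec: a toy Python model of the intermediary AS (AS1) and the Credential Endpoint (RS1) from both diagrams above, with a constructed stand-in for eSTS/MSFT Graph. It shows the part the diagrams leave implicit: one token endpoint serving both grant types, codes that are single-use and short-lived, and the AT2-to-AT3 mapping that keeps Access Token 3 inside AS1. The issuer URL, the credential identifier, the token and code lifetimes, and the `FakeGraph` class are assumptions made for the example.

```python
import secrets
import time

PRE_AUTHORIZED_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
AUTHORIZATION_CODE_GRANT = "authorization_code"
CODE_TTL_SECONDS = 300    # assumed lifetime of code 2 / pre-authorized code
TOKEN_TTL_SECONDS = 600   # assumed lifetime of Access Token 2

class GrantError(Exception):
    """Token endpoint rejection: unknown, replayed, mismatched or expired code."""

class FakeGraph:
    """Constructed stand-in for MSFT Graph: maps Access Token 3 -> user record."""

    def __init__(self):
        self._users = {}

    def issue_at3(self, user):  # plays eSTS/OBO: mints a token valid only at Graph
        at3 = "at3-" + secrets.token_urlsafe(16)
        self._users[at3] = dict(user)
        return at3

    def me(self, at3):
        if at3 not in self._users:
            raise PermissionError("token not valid at MSFT Graph")
        return dict(self._users[at3])

class IntermediaryAS:
    """AS1: one token endpoint for both grants plus the AT2 -> AT3 mapping. The
    wallet only ever holds a code and Access Token 2; AT3 never leaves this class."""

    def __init__(self, issuer, graph, clock=time.time):
        self.issuer, self._graph, self._clock = issuer, graph, clock
        self._codes = {}   # code -> grant record, consumed on first use
        self._tokens = {}  # Access Token 2 -> {"at3" or "claims", "exp"}

    def credential_offer(self, uploaded_claims):
        """Pre-authorized flow: the Issuer Web App already holds the user's data."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"grant": PRE_AUTHORIZED_GRANT, "claims": dict(uploaded_claims),
                             "exp": self._clock() + CODE_TTL_SECONDS}
        return {"credential_issuer": self.issuer,
                "credentials": ["VerifiedEmployee"],  # assumed credential identifier
                "grants": {PRE_AUTHORIZED_GRANT: {"pre-authorized_code": code}}}

    def issue_code_2(self, access_token_3):
        """Authorization code flow: AS1 has finished with eSTS and holds AT3."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"grant": AUTHORIZATION_CODE_GRANT, "at3": access_token_3,
                             "exp": self._clock() + CODE_TTL_SECONDS}
        return code

    def token(self, grant_type, code):
        """Token endpoint; pop() makes every code single-use, so a replay fails."""
        record = self._codes.pop(code, None)
        if record is None:
            raise GrantError("unknown or already used code")
        if record["grant"] != grant_type:
            raise GrantError("code was issued for a different grant type")
        if record["exp"] < self._clock():
            raise GrantError("code expired")
        at2 = "at2-" + secrets.token_urlsafe(32)
        self._tokens[at2] = {"at3": record.get("at3"), "claims": record.get("claims"),
                             "exp": self._clock() + TOKEN_TTL_SECONDS}
        return {"access_token": at2, "token_type": "bearer", "expires_in": TOKEN_TTL_SECONDS}

    def claims_for(self, access_token_2):
        """RS1 -> AS1 step: validate AT2, then resolve data via AT3 or the stored upload."""
        entry = self._tokens.get(access_token_2)
        if entry is None or entry["exp"] < self._clock():
            raise PermissionError("Access Token 2 not valid at intermediary AS")
        if entry["at3"] is not None:
            return self._graph.me(entry["at3"])
        return dict(entry["claims"])

def credential_endpoint(as1, access_token_2):
    """RS1: accepts Access Token 2, asks AS1 for the data, returns a toy VC."""
    return {"issuer": as1.issuer, "credentialSubject": as1.claims_for(access_token_2)}

def run_pre_authorized_flow(as1, uploaded_claims):
    """Wallet side of the pre-authorized diagram: offer -> token -> credential."""
    offer = as1.credential_offer(uploaded_claims)
    code = offer["grants"][PRE_AUTHORIZED_GRANT]["pre-authorized_code"]
    at2 = as1.token(PRE_AUTHORIZED_GRANT, code)["access_token"]
    return credential_endpoint(as1, at2)

def run_authorization_code_flow(as1, access_token_3):
    """Wallet side of the authorization code diagram, after AS1 obtained AT3."""
    at2 = as1.token(AUTHORIZATION_CODE_GRANT, as1.issue_code_2(access_token_3))["access_token"]
    return credential_endpoint(as1, at2)

if __name__ == "__main__":
    graph = FakeGraph()
    as1 = IntermediaryAS("https://verifiedid.example/as", graph)  # assumed issuer URL
    print(run_pre_authorized_flow(as1, {"name": "Alice", "selfie": "verified"}))
    print(run_authorization_code_flow(as1, graph.issue_at3({"name": "Alice"})))
```

The checks a practitioner would want are in `token()`: a code is consumed on first use, a code minted for one grant type cannot be redeemed under the other, and expiry is enforced against an injectable clock. Note that nothing the wallet receives is accepted by the fake Graph; only AS1 can turn Access Token 2 into a Graph call with Access Token 3.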