
Verifiable Credentials oauth sequence

wowkalucky edited this page Mar 30, 2023 · 1 revision

vc-wallet-oauth-sequence

```plantuml
@startuml name "Verifiable Credentials: LCWallet storage authorization"

!pragma teoz true

title "Storage authorization (OAuth2) flow"

autonumber

actor           "Learner" as learner
box "DCC"
participant     "Learner Credential Wallet\n(CLIENT)" as client
participant     "Issuers Registry" as registry
end box

box "Open edX" #EEE
participant     "LMS\n(AuthZ SERVER)" as lms

box "Credentials IDA"
participant     "AuthN" as credentials
participant     "Verifiable Credentials\n(RESOURCE)" as resource
end box
end box

== Configuration ==

rnote over lms: OAuth client created: \n- Django OAuth Toolkit \n- Authorization Code \n- Public (no secret)
/ rnote over credentials: Separate Resource Server configured: \n- Django OAuth Toolkit \n- RESOURCE_SERVER_INTROSPECTION_URL \n- RESOURCE_SERVER_AUTH_TOKEN

rnote over registry: Issuer registered: \n- Issuer ID \n- clientId \n- scopes \n- redirectUrl \n- authorizationEndpoint \n- tokenEndpoint

== Issuance ==

learner -> client : Clicks/scans deeplink (MFE UI)
rnote over client: Deep link params processed: \n- UUID (issuance line) \n- vc_request_url \n- issuer

client -> registry : Fetches authZ configuration \n(Issuer ID)
client <-- registry : OAuth2 configuration (or everything stops)

group "Authorization Code" flow [with PKCE]
client -> lms : Requests **"authorizationEndpoint"** \n(browser)
client <-- lms : authorization code \n(redirect)

client -> lms : Exchange code for access token **"tokenEndpoint"** \n(app)
client <-- lms : access token
end

rnote over client: Verifiable credential \nissuance request formed

client -> resource : Verifiable credential issuance request \n(access token used)

group Credentials authentication [see: Separate Resource Server]
lms <- credentials : Validates access token \n(RESOURCE_SERVER_INTROSPECTION_URL)
lms --> credentials : Access token status
activate resource
end

rnote over resource: Verifiable credential \nissuance
client <-- resource : Returns verifiable credential
deactivate resource

@enduml
```
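The exchange the diagram draws, walked through in process as an added example: a public client (no secret) running the Authorization Code flow with PKCE against the LMS, and the Credentials IDA, as a separate resource server, accepting the bearer token only after introspection. This is not code from the wiki page, the Learner Credential Wallet, Open edX or Django OAuth Toolkit; the two server classes are in-memory stand-ins, and the endpoint URLs, the issuer registry entry, the scope name, the deep-link redirect and the RESOURCE_SERVER_AUTH_TOKEN value are constructed placeholders. Step numbers in the comments refer to the diagram's autonumbered arrows.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed issuer-registry entry: the fields the diagram lists under "Issuer registered".
ISSUER_REGISTRY = {
    "issuer-example": {
        "clientId": "lcw-public-client",
        "scopes": ["verifiable_credentials"],
        "redirectUrl": "dccrequest://oauth",  # hypothetical wallet deep link
        "authorizationEndpoint": "https://lms.example/oauth2/authorize/",
        "tokenEndpoint": "https://lms.example/oauth2/access_token/",
    }
}
# Constructed stand-in for RESOURCE_SERVER_AUTH_TOKEN: how the resource server authenticates to introspection.
RESOURCE_SERVER_AUTH_TOKEN = "constructed-introspection-secret"

def s256(verifier: str) -> str:
    """RFC 7636 S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """In-memory stand-in for the LMS: public client, authorization code, PKCE enforced."""
    def __init__(self, registry: dict):
        self.clients = {e["clientId"]: e for e in registry.values()}
        self._codes = {}   # code -> (client_id, redirect_uri, code_challenge, scope)
        self._tokens = {}  # access_token -> (client_id, scope, expiry)

    def authorize(self, url: str) -> str:
        """Browser leg (steps 4-5): validate the request, redirect back with a one-time code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["redirect_uri"] != self.clients[q["client_id"]]["redirectUrl"]:
            raise ValueError("redirect_uri is not the one registered for this client")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE (S256) is required for a public client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], q["scope"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """App leg (steps 6-7): code + code_verifier -> bearer token; no client secret involved."""
        client_id, redirect_uri, challenge, scope = self._codes.pop(form["code"])  # single use
        if (client_id, redirect_uri) != (form["client_id"], form["redirect_uri"]):
            raise ValueError("code was issued to a different client or redirect_uri")
        if s256(form["code_verifier"]) != challenge:
            raise ValueError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "scope": scope, "expires_in": 3600}

    def introspect(self, token: str, rs_auth: str) -> dict:
        """RFC 7662 introspection (steps 9-10), answered only to an authenticated resource server."""
        if rs_auth != RESOURCE_SERVER_AUTH_TOKEN:
            raise PermissionError("resource server failed to authenticate")
        entry = self._tokens.get(token)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "scope": entry[1], "exp": int(entry[2])}

class ResourceServer:
    """In-memory stand-in for Credentials IDA: the bearer token is opaque until introspected."""
    def __init__(self, authz: AuthorizationServer):
        self.authz = authz

    def issue(self, bearer: str, issuance_uuid: str) -> dict:
        """Steps 8-11: introspect, check scope, then issue."""
        info = self.authz.introspect(bearer, RESOURCE_SERVER_AUTH_TOKEN)
        if not info["active"] or "verifiable_credentials" not in info["scope"].split():
            raise PermissionError("token inactive or missing the required scope")
        # Constructed placeholder for the credential; a real issuer signs a VC here.
        return {"issuanceLine": issuance_uuid, "holderClient": info["client_id"], "introspection": info}

def run_issuance_flow(tamper_verifier: bool = False) -> dict:
    """Walk steps 2-11 in process; tamper_verifier presents the code without its verifier."""
    cfg = ISSUER_REGISTRY["issuer-example"]  # steps 2-3: registry lookup by issuer ID
    authz = AuthorizationServer(ISSUER_REGISTRY)
    verifier, state = secrets.token_urlsafe(64), secrets.token_urlsafe(16)
    auth_url = cfg["authorizationEndpoint"] + "?" + urlencode({
        "response_type": "code", "client_id": cfg["clientId"], "redirect_uri": cfg["redirectUrl"],
        "scope": " ".join(cfg["scopes"]), "state": state,
        "code_challenge": s256(verifier), "code_challenge_method": "S256"})
    params = {k: v[0] for k, v in parse_qs(urlparse(authz.authorize(auth_url)).query).items()}
    if params["state"] != state:
        raise ValueError("state mismatch on the redirect")
    tok = authz.token({"grant_type": "authorization_code", "code": params["code"],
                       "client_id": cfg["clientId"], "redirect_uri": cfg["redirectUrl"],
                       "code_verifier": "not-the-verifier" if tamper_verifier else verifier})
    return ResourceServer(authz).issue(tok["access_token"], "constructed-issuance-uuid")

def pkce_tamper_rejected() -> bool:
    """True when a code exchange without the matching verifier is refused."""
    try:
        run_issuance_flow(tamper_verifier=True)
    except ValueError:
        return True
    return False
```

Three checks in the stand-ins carry the security weight of the diagram's design: the token endpoint binds the code to the client_id, the registered redirectUrl and the PKCE verifier, so a public client with no secret still cannot have its code replayed by another app; the client compares `state` on the redirect before exchanging the code; and the resource server treats the access token as opaque and asks the LMS through introspection, authenticating itself with RESOURCE_SERVER_AUTH_TOKEN, before it issues anything. `run_issuance_flow()` returns the issued placeholder credential, and `pkce_tamper_rejected()` shows the exchange failing when the verifier is missing.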