@startuml
hide footbox

skinparam sequence {
    ArrowColor Black
    ActorBorderColor Black
    ActorBackgroundColor #BBBBBB
    LifeLineBorderColor Black
    LifeLineBackgroundColor #BBBBBB
    ParticipantBorderColor Black
    ParticipantBackgroundColor #AAAAAA
    'ParticipantFontName Impact
    'ParticipantFontSize 17
    'ParticipantFontColor #BBBBBB
    'ActorBackgroundColor aqua
    'ActorFontColor DeepSkyBlue
    'ActorFontSize 17
    'ActorFontName Aapex
}

skinparam note {
    BackgroundColor #EEEEEE
    BorderColor Black
    FontStyle Italic
}

'skinparam defaultFontName Consolas

actor "Reefer Operator" as RO
actor "Ship Operator" as RP
participant "Ship Software" as C
participant "Reefer APIs" as RS
participant "Logistics Operator" as AS

group Resource registration
    RO->RS: Register Resource
    note over RS: Authorization Server is either preconfigured or provided at loading time
    group Resource Server discovers Authorization Server configuration
        RS->AS: /uma-configuration
        AS-->RS: JSON
    end group
    group Resource Owner authentication (PAT)
        RS->AS: /auth
        AS-->RO: "Please authenticate"
        note over AS, RO: Reefer Operator authenticates using PDA/smartphone
        AS->RS: PAT
    end group
    group Client (Resource Server) registers resource
        RS->AS: /register {PAT}
        AS-->RS: Resource Info
    end group
end group

group Non-UMA flow
    note over RS, AS: At this point, the reefer operator will register a policy for the reefer (e.g., Ship Operator A can access this reefer's APIs).
    RS->AS: Register policy
    AS-->RS
end group

group Resource Access
    RP->C: Start monitoring software
    note over C: Resource URIs are discovered as the reefers are loaded into the ship
    group Resource Server tells Client where to get authorization
        C->RS: /resource
        RS->C: 401 Unauthorized
    end group
    group Client discovers Authorization Server configuration
        C->AS: /uma-configuration
        AS-->C: JSON
    end group
    group Requesting Party authentication (AAT)
        C->AS: /auth
        AS-->RP: "Please authenticate"
        note over AS, RP: Ship Operator is implicitly authenticated (e.g., already logged into the ship's monitoring software, which acts as the UMA Client)
        AS->C: AAT
    end group
    alt A policy is pre-defined
        group Client gets an RPT with a supporting policy behind it
            C->AS: /rpt {AAT}
            AS->C: RPT
        end group
        group Client successfully accesses resource using RPT
            C->RS: /resource {RPT}
            RS->AS: /introspect {RPT}
            note over RS, AS: Not required if RPT is self-contained
            RS<--AS: {"active": true, ...}
            RS->RS: cache RPT validation status
            RS->C: 200 OK
        end group
    else A policy is not pre-defined
        group Client gets an empty RPT
            C->AS: /rpt {AAT}
            AS->C: RPT
        end group
        group Client tries to access resource using RPT
            C->RS: /resource {RPT}
            RS->AS: /introspect {RPT}
            RS<--AS: {"active": false}
            note over RS, AS: Need to generate a Ticket for Client to request more permissions
            RS->AS: /ticket
            AS->RS: Ticket
            RS->C: 403 Not enough permissions {Ticket}
            note over RS, C: Resource Server tells Client where to go to get more permissions using the ticket
        end group
        group Client requests more permissions
            C->AS: /authz {RPT, Ticket}
            AS->AS: Check Policy
            note over AS: Not enough claims and/or permissions to make a decision:\nNeed to check with Resource Owner.\nAt this point, the Authorization Server will start a claims-gathering flow
            AS-->RO: "Notification: Somebody wants to access your resource"
            AS->C: NeedClaims {waiting for Resource Owner's authorization}
        end group
        ... Client waits for Resource Owner to approve request and then retries ...
        group Client requests more permissions (retry)
            C->AS: /authz {RPT, Ticket}
            AS->AS: Check Policy
            note over AS: Permission has been granted, provide final RPT
            AS->C: RPT
        end group
        group Client retries access to resource using RPT
            C->RS: /resource {RPT}
            RS->AS: /introspect {RPT}
            note over RS, AS: Not required if RPT is self-contained
            RS<--AS: {"active": true, ...}
            RS->RS: cache RPT validation status
            RS->C: 200 OK
        end group
    end alt
    group Client accesses resource using RPT (second time)
        C->RS: /resource {RPT}
        note over RS, AS: RPT is validated locally if self-contained, or cache is used.
        RS->C: 200 OK
    end group
end group
@enduml
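The diagram above leaves the Resource Server's decision logic implicit: when to answer 401, when to introspect, what to cache, and when to mint a ticket. The Python below is an added example, not code from the diagram's author or from any UMA product; it simulates both sides of the exchange with an in-memory stand-in for the Authorization Server. Everything in it is constructed: the token and ticket formats, the `as_uri` placeholder, the reefer ids, and the single `resource_id` field in the introspection answer (a real UMA introspection response carries a `permissions` array instead). It covers both `alt` branches of the diagram and adds one case the diagram does not draw: an active RPT issued for a different reefer must still be refused, because "active" alone is not a permission for this resource.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Toy stand-in for the Logistics Operator's AS (constructed, not a real UMA server)."""
    approved: set = field(default_factory=set)       # resource ids the owner's policy allows
    active_rpts: dict = field(default_factory=dict)  # rpt -> resource id it grants (None = empty RPT)
    tickets: dict = field(default_factory=dict)      # ticket -> resource id it was issued for
    introspections: int = 0

    def register_policy(self, resource_id):
        """Non-UMA step: the Reefer Operator registers a policy permitting access."""
        self.approved.add(resource_id)

    def rpt(self, resource_id):
        """/rpt {AAT}: usable at once if a policy is pre-defined, otherwise an empty RPT."""
        token = "rpt-" + secrets.token_urlsafe(8)
        self.active_rpts[token] = resource_id if resource_id in self.approved else None
        return token

    def introspect(self, rpt):
        """/introspect {RPT}: report whether the RPT is live and what it is bound to."""
        self.introspections += 1
        bound = self.active_rpts.get(rpt)
        return {"active": bound is not None, "resource_id": bound}

    def ticket(self, resource_id):
        """/ticket: remember which resource the pending permission request concerns."""
        t = "ticket-" + secrets.token_urlsafe(8)
        self.tickets[t] = resource_id
        return t

    def authz(self, rpt, ticket):
        """/authz {RPT, Ticket}: check policy; either upgrade the RPT or start claims gathering."""
        resource_id = self.tickets.pop(ticket, None)
        if resource_id is None or rpt not in self.active_rpts:
            return {"error": "invalid_ticket_or_rpt"}
        if resource_id not in self.approved:
            self.tickets[ticket] = resource_id  # keep the ticket so the client can retry
            return {"error": "need_claims"}     # AS notifies the owner out of band
        self.active_rpts[rpt] = resource_id
        return {"rpt": rpt}


@dataclass
class ResourceServer:
    """The Reefer APIs: never decides alone, asks the AS and caches only positive answers."""
    az: AuthorizationServer
    cache: dict = field(default_factory=dict)  # (rpt, resource_id) -> True

    def resource(self, resource_id, rpt=None):
        if rpt is None:
            # "Resource Server tells Client where to get authorization" (placeholder URI)
            return 401, {"as_uri": "https://as.example/uma-configuration"}
        key = (rpt, resource_id)
        if key not in self.cache:
            info = self.az.introspect(rpt)
            # Positive answers only: a negative one changes once the owner approves, and a
            # real deployment would also expire this entry with the RPT's lifetime.
            if info["active"] and info.get("resource_id") == resource_id:
                self.cache[key] = True
        if self.cache.get(key):
            return 200, {"resource": resource_id, "temperature_c": -18.0}  # constructed payload
        ticket = self.az.ticket(resource_id)
        return 403, {"error": "not_enough_permissions", "ticket": ticket}


def predefined_policy_flow():
    """alt branch 'A policy is pre-defined': 401, then 200 via introspection, then 200 via cache."""
    az = AuthorizationServer()
    rs = ResourceServer(az)
    az.register_policy("reefer-42")
    codes = [rs.resource("reefer-42")[0]]
    rpt = az.rpt("reefer-42")
    codes += [rs.resource("reefer-42", rpt)[0], rs.resource("reefer-42", rpt)[0]]
    return codes, az.introspections  # ([401, 200, 200], 1)


def claims_gathering_flow():
    """alt branch 'A policy is not pre-defined': 403 + ticket, need_claims, approval, retry, 200."""
    az = AuthorizationServer()
    rs = ResourceServer(az)
    rpt = az.rpt("reefer-42")                    # empty RPT: no policy behind it yet
    code, body = rs.resource("reefer-42", rpt)   # 403 with ticket
    first = az.authz(rpt, body["ticket"])        # {"error": "need_claims"}
    az.register_policy("reefer-42")              # Reefer Operator approves after the notification
    final = az.authz(rpt, body["ticket"])["rpt"] # retry: policy now permits, final RPT
    codes = [code, rs.resource("reefer-42", final)[0], rs.resource("reefer-42", final)[0]]
    return codes, first.get("error"), az.introspections  # ([403, 200, 200], "need_claims", 2)


def wrong_resource_is_refused():
    """An RPT granted for one reefer is 'active' but must not open another reefer's API."""
    az = AuthorizationServer()
    rs = ResourceServer(az)
    az.register_policy("reefer-42")
    rpt = az.rpt("reefer-42")
    return rs.resource("reefer-42", rpt)[0], rs.resource("reefer-7", rpt)[0]  # (200, 403)
```

The cache is keyed on the RPT together with the resource it was checked against, which is what makes `wrong_resource_is_refused` fail safe; a cache keyed on the token alone would turn one successful introspection into access to every reefer the server fronts. The two flow functions return the status codes in the order the diagram draws them, so the `introspections` counter shows that the second access in each branch is served from the cache exactly as the final "second time" group depicts.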