Post Authentication script - maduvena/jans-docs GitHub Wiki

title Mapping OAuth Scopes to ACR

actor Person
participant Browser
participant Website
participant Auth Server
participant API

entryspacing 1.2
Website->Browser: html form
Person->Browser: Update PII
Browser->Website: POST
Website->API: 1. request some endpoint
API->API:  2. Enforce\n presence of \n 'otp' scope\n in  access_token
API->Website: 3. 401 Unauthorized\nWWW-Authenticate: Bearer error="insufficient_user_authentication" 
Website->Browser: 4. redirect to AS
Browser->Auth Server: 5. authorize?acr_values=otp\n&client_id=1234\n&scope=otp + other scopes\n&response_type=code\n&redirect_uri=____\n&state=_____\n&nonce=____\n&prompt=login
group Authn Script
Auth Server->Auth Server: 6.a Get userid,\nscopes from session;\nreturn None if user\nsession is false
Auth Server->Browser: 6.b Display OTP Page
Person->Browser: 6.c enter OTP
Browser->Auth Server: 6.d POST OTP form
Auth Server->Auth Server: 6.e  validate OTP
end
Auth Server->Browser: 7. redirect to callback
Browser->Website: 8. callback URI
Website->Auth Server: 9. /token + client creds
Auth Server->Website: 10. access_token, id_token,\nrefresh_token
Website->API: 11. request some endpoint\n(with new access_token)
API->Auth Server: 12. introspection or\nobtain public key to\nvalidate JWT signature
group Introspection Script
Auth Server->Auth Server: 13. Lookup associated\nid_token and add a\nnew scope value\nfor each acr
end
Auth Server->API: 14. JSON or JWKS
API->API: 15. Enforce\n presence of \n 'otp' scope\n in  access_token\n.\n.\n.
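The two enforcement points in the diagram (the API's scope check in steps 2, 3 and 15, and the introspection script's acr-to-scope mapping in step 13), written as an added plain-Python example that is not code from this wiki page or from the Janssen project. The `ACR_TO_SCOPE` table, the function names and the token payloads are assumptions; the payloads are constructed sample dicts, not real tokens.

```python
# Added example, not code from the jans-docs page or the Janssen project:
# plain-Python models of the two enforcement points in the diagram above.
# Token payloads are constructed sample dicts, not real JWTs.

REQUIRED_SCOPE = "otp"  # the scope the API insists on (steps 2 and 15)

# Assumption: the Auth Server maps each ACR it can step up to onto a scope
# of the same name, so an 'otp' acr yields an 'otp' scope.
ACR_TO_SCOPE = {"otp": "otp"}


def enforce_otp_scope(introspection, required=REQUIRED_SCOPE):
    """API check (steps 2 and 15) over a decoded introspection/JWT payload.

    Returns None when the token is active and carries the required scope,
    otherwise the status and WWW-Authenticate header of step 3 (the step-up
    challenge defined in RFC 9470)."""
    scopes = introspection.get("scope", "").split()
    if introspection.get("active", False) and required in scopes:
        return None
    return 401, {"WWW-Authenticate": 'Bearer error="insufficient_user_authentication"'}


def add_acr_scopes(introspection, id_token_claims, mapping=ACR_TO_SCOPE):
    """Introspection script logic (step 13): for every acr recorded in the
    id_token of the same session, append the mapped scope to the response.
    The acr claim is normally a single string; a list is accepted as well.
    Returns a new dict and leaves the input unchanged."""
    acr = id_token_claims.get("acr", [])
    acrs = [acr] if isinstance(acr, str) else list(acr)
    scopes = introspection.get("scope", "").split()
    for value in acrs:
        mapped = mapping.get(value)
        if mapped and mapped not in scopes:
            scopes.append(mapped)
    result = dict(introspection)
    result["scope"] = " ".join(scopes)
    return result


def demo():
    """Walk the diagram: first request is challenged, the second passes."""
    # Step 1: token from a password-only login, no 'otp' scope -> step 3
    first = {"active": True, "scope": "openid profile", "client_id": "1234"}
    first_outcome = enforce_otp_scope(first)
    # Steps 5-10: user completes the OTP page; the new id_token carries acr=otp
    new_id_token = {"sub": "user1", "acr": "otp", "nonce": "n-1"}
    second = {"active": True, "scope": "openid profile", "client_id": "1234"}
    enriched = add_acr_scopes(second, new_id_token)   # step 13
    second_outcome = enforce_otp_scope(enriched)      # step 15
    return first_outcome, enriched["scope"], second_outcome
```

An inactive token is rejected with the same challenge even when it lists the scope, so a revoked session cannot satisfy the check.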