-
Notifications
You must be signed in to change notification settings - Fork 8
/
spc-general.puml
95 lines (86 loc) · 3.15 KB
/
spc-general.puml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
@startuml
autonumber
hide footbox
skinparam ParticipantPadding 20
skinparam BoxPadding 10
title General SPC Authentication Flow During Checkout
actor Consumer as Consumer
participant Merchant as Merchant <<Website>>
box "Web Browser Environment"
participant "Browser Rendering Engine" as Browser
participant "Browser Native UX" as Native
end box
box "Authenticator Environment (Browser/OS)"
participant "Authenticator"
end box
participant "Relying Party" as RP
note over Authenticator
Authenticator may be implemented in OS, Browser,
external hardware, or combination.
end note
note over Merchant
Merchant may use a PSP in this flow.
end note
Consumer->Merchant: Checkout Intent
Merchant->Browser: Provide checkout experience
Browser->Consumer: Render checkout experience
Consumer->Merchant: Click Pay Button
group Instrument selection
Merchant->Browser: Provide instrument selection UX
note over Merchant, Browser
Examples: Web form, card on file
end note
Browser->Consumer: Render instrument selection UX
Consumer->Merchant: Select instrument
end group
group Authentication
Merchant->RP: Request SPC Credentials associated with instrument
note over RP
RP has instrument / SPC Credential ID bindings after prior enrollment
end note
RP->Merchant: Return SPC Credentials (and possibly additional information for SPC call)
note over Merchant, Browser
If no SPC Credentials for instrument, merchant can authenticate differently
end note
Merchant->Browser: Call SPC
note over Merchant, Browser
Input: Amount, currency, payee info, SPC Credential IDs, instrument info, unique challenge
end note
note over Merchant, Browser
Once SPC invoked, control leaves merchant environment; no opportunity to tamper with data.
end note
Native->Consumer: Prompt user to authenticate to pay and show dynamic linking data.
note over Browser, Authenticator
Browser may delegate display to authenticators for added security.
end note
Consumer->Native: Agree to authenticate
Browser->Authenticator: Request authentication
Authenticator->Consumer: Prompt user to authenticate (e.g., biometric)
Consumer->Authenticator: Authenticate
alt#Gold #LightBlue Successful authentication
Authenticator->Authenticator: Sign amount, currency, payee, instrument info, challenge
note over Authenticator
SPC Assertion constitutes authentication code mandated by RTS. Signed
data is what user saw. Unchanged between display
and cryptographic signature.
end note
Authenticator -> Browser: SPC Assertion with signature over data
else #Pink Failure
Authenticator -> Browser: Authentication Rejected
end
Browser->Merchant: Return authentication result
Merchant->RP: Communicate authentication result for verification
note over RP
Relying Party is authoritative source of information and thus can
verify that signed data displayed to the user matches
what it knows on server (challenge, instrument info, etc.).
end note
RP->RP: Validation (using public key that is part of enrolled SPC Credential)
Merchant<-RP: Verification result
end group
group Authorization
Merchant->RP: Request authorization
RP->Merchant: Authorization response
end group
Merchant-->Consumer: Checkout Completed
@enduml