Title: Wallet provider interface with wallets
note: For this implementation wallet attestation is unique and generated from device secure element
order: User, Wallet, Wallet-provider

group: User initializes the wallet
user -> wallet: scan QR code for configuration
wallet -> wallet: if wallet already initialized display message to user
wallet -> wallet: store wallet provider URL and user login and password
wallet -> wallet-provider: GET /nonce
wallet-provider -> wallet-provider: generate nonce
wallet-provider -> wallet: nonce
wallet -> user: wallet request PIN code
user -> wallet: PIN code
wallet -> wallet: wallet checks if PIN code is correct
wallet --> user: 3 trials maximum
wallet -> wallet: generates P-256 hardware key for the wallet provider backend authentication
wallet -> wallet: generates salt and store salt
wallet -> wallet: derive PIN code with salt : hash256(PIN code + salt)
wallet -> wallet: generate hardware key for wallet attestation and get key certificate from secure element
wallet --> wallet: Optional DeviceCheck API call to Google and Apple
wallet -> wallet: build and sign assertion with wallet provider backend authentication key, nonce, salted PIN code, attestation key certificate, login and password
Wallet -> wallet-provider: POST /initialisation with assertion
wallet-provider -> wallet-provider: check assertion signature
wallet-provider -> wallet-provider: check wallet key certificate
wallet-provider -> wallet-provider: build and sign wallet attestation
wallet-provider -> wallet-provider: build and sign configuration
wallet-provider -> wallet-provider: If not GUEST store for user : wallet attestation jti, cnf, statuslist index, salted PIN code and hardware key (index)
wallet-provider -> wallet: attestation and configuration (200)
wallet -> wallet: check signatures of both jwt
wallet -> wallet: store wallet attestation
wallet -> wallet: apply configuration
end:

group: Wallet authenticates to wallet provider backend
note, user: the same token can be used for several tasks in a limited period of time of 5min, no refresh token
wallet -> user: wallet request PIN code
user -> wallet: PIN code
wallet -> wallet: derive PIN code with salt
wallet -> wallet: build and sign assertion
wallet -> wallet-provider: POST /token with assertion
wallet-provider -> wallet-provider: Check trial iteration (3 max)
wallet-provider -> wallet-provider: check assertion signature
wallet-provider -> wallet-provider: If not GUEST get wallet key and salted_pin_code from user database and compare
wallet-provider --> wallet: HTTP/1.1 401 Unauthorized
wallet-provider -> wallet-provider: issue bearer token bound to the key
wallet-provider -> wallet: bearer token bound to key (JWE ?)
end:

group: User updates configuration
user -> wallet: user clicks on update configuration
wallet -> wallet-provider: GET /nonce
wallet-provider -> wallet-provider: generate nonce
wallet-provider -> wallet: nonce
group: PIN code check : Wallet authenticates to wallet provider backend
wallet <-> user: PIN code
wallet-provider <-> wallet: bearer token / 200
end:
wallet -> wallet: build and sign DPoP
wallet -> wallet-provider: POST /update-configuration with bearer token and DPoP
wallet-provider -> wallet-provider: verify token and DPoP
wallet-provider -> wallet-provider: read wallet configuration for the user and sign jwt
wallet-provider -> wallet: configuration as jwt (200)
end:

group: Wallet requests remote signing
wallet -> wallet: wallet prepares a hash to sign for an OIDC4VC issuance of presentation step
note, user: the same token can be used to sign different messages with different keys
wallet -> wallet-provider: GET /nonce
wallet-provider -> wallet-provider: generates nonce
wallet-provider -> wallet: nonce
group: Wallet authenticates to wallet provider backend
user <-> wallet: PIN code
wallet <-> wallet-provider: same as previous
end:
wallet -> wallet: build and sign DPoP
wallet -> wallet-provider: POST /signHash with bearer token + DPoP, message to sign and kid
wallet-provider -> wallet-provider: check token and DPoP
wallet-provider -> wallet-provider: sign message with remote key
wallet-provider -> wallet: signed message (200)
end:

group: User updates PIN code
user -> wallet: change PIN code
wallet -> wallet-provider: GET /nonce
wallet-provider -> wallet-provider: generate nonce
wallet-provider -> wallet: nonce
group: Wallet authenticates to wallet provider backend
user <-> wallet: PIN code
wallet -> wallet-provider: same as previous
end:
wallet -> user: wallet requests new PIN code with confirm input field
user -> wallet: new PIN code
wallet -> wallet: build and sign DPoP
wallet -> wallet-provider: POST /update_pin with Bearer token, DPoP and new salted pin code
wallet-provider -> wallet-provider: check token and DPoP
wallet-provider -> wallet-provider: store new salted PIN
wallet-provider -> wallet: 200
end:
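
The provider-side checks on POST /token from the "Wallet authenticates to wallet provider backend" group (trial counter, assertion signature, salted PIN comparison), as an added Node.js example that is not part of the original diagram or the author's code. Assumptions: all function names, the JSON assertion layout, SHA-256 for hash256, the assertion carrying the nonce from GET /nonce, the counter reset on success, and a plain object standing in for the key-bound bearer token.

```javascript
// Added example, not the diagram author's code; every name here is hypothetical.
const { createHash, sign, verify, randomBytes, timingSafeEqual, generateKeyPairSync } = require('node:crypto');
// "hash256(PIN code + salt)" from the diagram; SHA-256 is assumed.
const saltedPin = (pin, salt) => createHash('sha256').update(pin + salt).digest('hex');
// Wallet side: sign nonce + salted PIN with the P-256 authentication key.
function buildAssertion(privateKey, nonce, pin, salt) {
  const payload = JSON.stringify({ nonce, salted_pin_code: saltedPin(pin, salt) });
  const sig = sign('sha256', Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}
// Provider side; `user` is what /initialisation stored: public key and salted PIN.
function makeProvider(user) {
  const nonces = new Set();
  let trials = 0;
  const deny = (error) => ({ status: 401, error });
  return {
    getNonce() {
      const nonce = randomBytes(16).toString('hex');
      return nonces.add(nonce) && nonce;
    },
    handleToken({ payload, sig }) {
      if (trials >= 3) return deny('too_many_trials'); // "3 max" in the diagram
      const sigOk = verify('sha256', Buffer.from(payload), user.publicKey, Buffer.from(sig, 'base64'));
      if (!sigOk) return deny('bad_signature');
      const claims = JSON.parse(payload); // parsed only after the signature holds
      if (!nonces.delete(claims.nonce)) return deny('bad_nonce'); // nonce is single use
      const got = Buffer.from(String(claims.salted_pin_code), 'hex');
      const want = Buffer.from(user.saltedPin, 'hex');
      if (got.length !== want.length || !timingSafeEqual(got, want)) {
        trials += 1;
        return deny('bad_pin');
      }
      trials = 0;
      // Stand-in for the key-bound bearer token: hash of the wallet key, 5 min expiry.
      const spki = user.publicKey.export({ type: 'spki', format: 'der' });
      const cnf = createHash('sha256').update(spki).digest('hex');
      return { status: 200, token: { cnf, exp: Date.now() + 5 * 60 * 1000 } };
    },
  };
}

// Constructed sample run: salt "s4lt", PIN "1234", one replay, three wrong PINs.
function runDemo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const p = makeProvider({ publicKey, saltedPin: saltedPin('1234', 's4lt') });
  const assertionFor = (pin) => buildAssertion(privateKey, p.getNonce(), pin, 's4lt');
  const good = assertionFor('1234');
  const runs = [good, good, ...['0000', '1111', '2222', '1234'].map(assertionFor)];
  return runs.map((a) => p.handleToken(a)).map((r) => r.error || r.status);
}
```

In the sample run the replayed assertion is rejected on its nonce without consuming a PIN trial, and the correct PIN is refused once three wrong attempts have been counted.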