This section addresses Reqs. D1.2-2.14-Priv, D1.2-2.15-Resp, D1.2-2.18-AnCredi, D1.2-2.19-AzCredi, D1.2-2.20-Az, D1.2-6.12-Sec, D1.2-6.17-TechBind, D1.2-7.3-An, D1.2-7.8-NoColl, D1.2-7.16-Nym, D1.2-7.21-Safe, D1.2-4.2-BPPrivacy, D1.2-4.4-CourtProof.

Fig-16: General detailed flow of a service request
Fig-16 shows the core flow.
A client application wishing to call a service in another organization initiates the call.
The Client PEP will enforce the outbound authorization decision. To be able to do this, it first engages in Trust and Privacy Negotiation, which is a discovery process (see Section 3.6), and then forwards the request to the web services stack.
The web services Stack (the "Stack") will compose a request message, including the identity tokens that are needed, and sign the message. It then sends the message to the Stack on the service side.
The service Stack will authenticate the sending Stack and verify the digital signature. The acceptance of the message will depend on the degree of trust in the signing party, which was established during the Trust and Privacy Negotiation.
The service inbound PEP will consult the Master PDP to determine if the service request should be allowed to go forward.
The inbound PEP will pass the request to the payload service, which will reply.
The outbound PEP of the Service will validate that the data can be released and attach obligations.
The Stack at the service correlates the response to the request, signs it and sends the response.
The client Stack receives the response, checks its correlation with the request, and verifies the signatures in the response.
The client inbound PEP checks that the response is authorized and complies with the obligations that were received.
The payload message is passed to the Client Application.
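
The response-side checks in the last steps (the service Stack correlating and signing the response, the client Stack checking correlation and signature), as an added example that is not part of the original specification. It uses an HMAC with a constructed shared key as a stand-in for the digital signatures in the flow; the envelope fields (`in_reply_to`, `obligations`, `sig`) and function names are hypothetical, and accepting only one response per pending request is an added assumption.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In the flow above, trust in the signer's key comes from
# Trust and Privacy Negotiation; HMAC here only stands in for that signature.
SERVICE_KEY = b"constructed-demo-key"

def _canonical(body):
    """Deterministic byte form of the body, so signer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def service_respond(request_id, payload, obligations):
    """Service Stack: bind the response to the request, then sign everything,
    including the obligations attached by the outbound PEP."""
    body = {"in_reply_to": request_id, "payload": payload,
            "obligations": obligations}
    sig = hmac.new(SERVICE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def client_accept(pending, envelope):
    """Client Stack: verify the signature before trusting any field, then
    check that the response correlates with a request still outstanding."""
    expected = hmac.new(SERVICE_KEY, _canonical(envelope["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("sig", ""))):
        return "reject: bad signature"
    request_id = envelope["body"].get("in_reply_to")
    if request_id not in pending:
        return "reject: no matching request"
    pending.discard(request_id)  # assumption: one response per request
    return "accept"

def demo():
    """Run four constructed cases and return the client's verdicts."""
    pending = {"req-1"}
    good = service_respond("req-1", {"status": "ok"}, ["constructed-obligation"])
    stripped = copy.deepcopy(good)
    stripped["body"]["obligations"] = []          # obligations removed in transit
    stray = service_respond("req-9", {"status": "ok"}, [])  # never requested
    return [client_accept(pending, stripped), client_accept(pending, stray),
            client_accept(pending, good), client_accept(pending, good)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the obligations sit inside the signed body, removing them in transit fails the signature check rather than silently weakening what the client inbound PEP receives.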