C.1 Detailed flow for MCPTT user authentication and registration using OpenID Connect
3GPP TS 33.179 Release 13: Security of Mission Critical Push To Talk (MCPTT) over LTE
Figure C.1-1 shows the detailed flow for MCPTT User Authentication and Registration using the OpenID Connect messages as described in annex B.
Figure C.1-1: OpenID Connect MCPTT User Authentication and Registration
Step 0: The UE attaches to the network, establishes normal connectivity, and sets up network security as defined in 3GPP TS 33.401 [14]. Local P-CSCF in the Home IMS network is discovered at this point.
Step 1: The UE IMS Client authenticates with the Home IMS network. For IMS authentication, 3GPP TS 33.203 [9] applies.
Step 2: The SIP core sends a SIP 3rd Party Registration to the MCPTT application Server, notifying it of the MCPTT UE SIP registration. The 3rd party REGISTER message includes the registered IMPU and S-CSCF’s SIP-URI or IP Address.
Step 3a: The IdM client in the UE issues an HTTPS Authentication request to the OIDC based IdM Server in the MCPTT network. The client includes the code_challenge value in this request.
Step 3b: The user provides the MCPTT User Identity and associated credentials to the IdM server. The user is successfully authenticated (and optionally authorized) by the IdM Server.
Step 3c: The IdM Server may optionally request user consent for granting the MCPTT client access to MCPTT services in the MCPTT Server.
Step 3d: The IdM Server generates an authorization code that is associated with the code_challenge provided by the client. It sends a browser redirect HTTP message with the Authorization Response containing the authorization code.
Step 3e: The UE IdM Client performs an HTTP POST request to exchange the authorization code for an access token. In the request, the client includes the code_verifier string. This string is cryptographically associated with the code_challenge value provided in the Authorization Request in Step 3a.
Step 3f: The IdM Server verifies the IdM Client based on the received code_verifier string and issues a 200 OK with an access token and ID token (specific to the MCPTT user and MCPTT services) included in it.
NOTE: The server verifies by calculating the code challenge from the received code_verifier and comparing it with the code_challenge value provided by the client in Step 3a.
Step 3g: The access token and ID token are provided to the MCPTT client.
Step 4: The MCPTT UE performs user authorization.
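The code_challenge / code_verifier binding in Steps 3a, 3d, 3e and 3f and the NOTE is the PKCE mechanism of RFC 7636. The following is an added illustration, not code from 3GPP TS 33.179 or from any MCPTT implementation: a toy IdM server that binds each authorization code to the code_challenge it was issued against (Step 3d) and, at the token exchange (Step 3f), recomputes the challenge from the presented code_verifier and compares it, releasing a token only on a match. The S256 transform (base64url of SHA-256) is assumed here because this annex does not name the transform; the class and function names (`IdMServer`, `make_code_verifier`, `code_challenge_s256`, `run_flow`) and the token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 specifies for both values
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # Step 3a, client side: a high-entropy random string (43 chars for 32 bytes)
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    # S256 transform (assumption): code_challenge = BASE64URL(SHA256(code_verifier))
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class IdMServer:
    """Constructed toy IdM server holding authorization codes bound to a code_challenge."""

    def __init__(self) -> None:
        # authorization_code -> (code_challenge, MCPTT user identity)
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, mcptt_user_id: str) -> str:
        # Step 3d: after user authentication, issue a code tied to the challenge
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, mcptt_user_id)
        return code

    def token(self, authorization_code: str, code_verifier: str):
        # Step 3f and NOTE: recompute the challenge from the verifier and compare.
        # The code is consumed on first use so a replayed code cannot succeed.
        entry = self._codes.pop(authorization_code, None)
        if entry is None:
            return None
        expected_challenge, user = entry
        if not hmac.compare_digest(code_challenge_s256(code_verifier), expected_challenge):
            return None
        # Constructed placeholder tokens; a real IdM server issues JWTs per annex B
        return {
            "token_type": "Bearer",
            "access_token": "constructed-access-token-for-" + user,
            "id_token": {"sub": user, "aud": "mcptt-client"},
        }


def run_flow(idm: IdMServer, mcptt_user_id: str, tamper: bool = False):
    """Drive Steps 3a-3f end to end; with tamper=True the exchange uses a foreign verifier."""
    verifier = make_code_verifier()                       # kept by the IdM client (Step 3a)
    code = idm.authorize(code_challenge_s256(verifier), mcptt_user_id)  # Steps 3a-3d
    presented = make_code_verifier() if tamper else verifier            # Step 3e
    return code, idm.token(code, presented)                              # Step 3f


if __name__ == "__main__":
    server = IdMServer()
    _, tokens = run_flow(server, "user@mcptt.example")
    print("honest client:", tokens)
    _, tokens = run_flow(server, "user@mcptt.example", tamper=True)
    print("wrong verifier:", tokens)
```

The point the NOTE makes is visible in `token()`: the server never stores the verifier, only the challenge, so an authorization code intercepted in the Step 3d redirect is useless to a party that did not generate the verifier. Consuming the code on first use also closes the replay path for a legitimately obtained code.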
Annex D (Normative):
KMS provisioning messages to support MCPTT