C.1 Detailed flow for MC user authentication and registration using OpenID Connect

33.1803GPPRelease 17Security of the Mission Critical (MC) serviceTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

Figure C.1-1 shows the detailed flow for MC User Authentication and Registration using the OpenID Connect messages as described in annex B.

Figure C.1-1: OpenID Connect MC User Authentication and Registration

Step 0: The UE attaches/registers to the network, establishes normal connectivity, and sets up network security by following the procedures defined in TS 33.401 [14] or as defined in TS 33.501 [55]. Local P-CSCF in the Home IMS network is discovered at this point.

Step 1: The UE IMS/SIP Client authenticates with the primary IMS/SIP core. For IMS authentication, 3GPP TS 33.203 [9] applies.

Step 2: The SIP core sends a SIP 3rd Party Registration to the MCX application Server(s), notifying them of the MC UE SIP registration. The 3^rd party REGISTER message includes the registered IMPU and S-CSCF’s SIP-URI or IP Address.

Step 3a: The IdM client in the UE issues a HTTPS Authentication request to the OIDC based IdM Server in the MC network. The client includes the code_challenge value in this request.

Step 3b: The MC User Identity and associated credentials are provided to the IdM server. The credentials are successfully authenticated (and optionally authorized) by the IdM Server.

Step 3c: The IdM Server may optionally request user consent for granting the MCX client access to the MCX service in the MCX Server.

Step 3d: The IdM Server generates an authorization code that is associated with the code_challenge provided by the client. It sends a browser redirect HTTP message with the Authorization Response containing the authorization code.

Step 3e: The UE IdM Client performs a HTTP POST request to exchange the authorization code for an access token. In the request, the client includes the code-verifier string. This string is cryptographically associated with the code_challenge value provided in the Authorization Request in Step 3a.

Step 3f: The IdM Server verifies the IdM Client based on the received code-verifier string and issues a 200 OK with an access token and ID token (specific to the MC user and MCX service(s)) included in it.

NOTE: The server verifies by calculating the code challenge from the received code_verifier and comparing it with the code_challenge value provided by the client in Step 3a.

Step 3g: The access token and ID token are made available to the MCX client(s).

Step 4: The MC UE performs user service authorization.