C.2 Detailed flow for inter-domain MC user service authorization using OpenID Connect token exchange

3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service

Figure C.2-1 shows the detailed message flow for inter-domain MCX user authentication and service authorisation using the OpenID Connect token exchange method as described in Annex B.

Figure C.2-1: Inter-domain user authentication and service authorisation

Steps 0-3: These steps are the same as described in steps 0-3 of Figure C.1-1, which provide the initial network access, network security, HTTPS tunnel to IdM server, user authentication, IMS authentication, and SIP registration.

Step 4: This step represents the culmination of steps C-1 through C-5 in Figure 5.1.3.1-1, which authorises the user for services in the primary domain. As part of this step the UE obtains the user’s profile, which specifies both the local (primary domain) and the non-local (partner domain) group services.

Step 5: From the user’s profile, the UE identifies group service(s) home to a partner domain. The user profile includes metadata of the group service(s) and information about the partner IdMS (i.e. the token endpoint host address and the "aud" parameter for use in the token exchange request).

Step 6a: Based on the OAuth token exchange procedure, the UE IdM Client performs an HTTP POST (token exchange) request to the user’s primary IdM Server token endpoint. This request consists of the access token obtained in step 3 and information about the partner IdMS (i.e. the "aud" parameter obtained from the user profile group metadata).

Step 6b: The primary IdM Server token endpoint verifies the access token and returns a security token specific to the partner IdM Server.

Step 7: The UE establishes a secure HTTP tunnel with the partner IdM token endpoint using HTTPS.

Editor’s Note: It is FFS how the TLS tunnel between the visiting user and the partner system’s IdM server is authenticated.

Step 8a: The UE IdM Client performs an HTTP POST token request to the partner IdM token endpoint to exchange the security token for an access token. This message is defined in [19].

Step 8b: The partner IdM Server token endpoint verifies the security token and issues an access token specific to the user and the user’s local MC group service(s).

NOTE 1: Additional access tokens may be requested as needed by repeating steps 8a and 8b.
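The following added example (not part of this specification) illustrates the two token exchange legs of steps 6a-8b: the UE building the form-encoded exchange request with the partner "aud" value from the user profile, and the partner IdM Server's checks before issuing a local access token. It assumes a shared HMAC key as a stand-in for the real signing arrangement between the primary and partner IdMS, the RFC 8693 parameter names ("audience", "subject_token"), and constructed issuer and audience URLs.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# RFC 8693 token-exchange identifiers (assumed to be what [19] refers to).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_security_token(claims: dict, key: bytes) -> str:
    """Step 6b stand-in: primary IdMS signs a token scoped to one partner IdMS.
    HS256 with a shared key is an assumption for the example; a real IdMS
    would sign with its own private key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def build_exchange_request(subject_token: str, partner_aud: str) -> str:
    """Steps 6a/8a: form body of the token exchange POST. The 'audience'
    field carries the "aud" value taken from the user profile metadata."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": partner_aud,
    })


def partner_verify_security_token(token: str, key: bytes, my_aud: str,
                                  trusted_iss: str, now: float = None) -> dict:
    """Step 8b: partner IdMS accepts the security token only if the signature,
    issuer, audience (this IdMS) and expiry all check out."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != trusted_iss:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != my_aud:  # token minted for a different partner
        raise ValueError("token not intended for this IdMS")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```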

Step 9: For each group service, the GM client in the UE follows the "Retrieve group configurations at the group management client" flow as shown in clause 10.1.5.2 of TS 23.280 [36], presenting an access token in the Get group configuration request over HTTP. If the access token is valid, the GMS authorises the user for the specific group management service. Completion of this step results in the GMS sending the user’s group policy information and group key information to the GM client. This step is repeated for each additional group service that is home to this partner domain.

NOTE 2: Steps 5–9 are repeated for user service authorization to services in each additional partner domain.

Annex D (Normative):
KMS provisioning messages