Alternative flows uitgewerkt
spone
Authorization
Authorization request wordt verstuurd, maar er wordt niets ontvangen (1a)
404 browser error. Er wordt niets ontvangen (received request), dus er volgt geen response.
Authorization request wordt verstuurd, maar mag niet verwerkt worden door DVA (1b)
Door problemen omtrent de client ID/redirect uri klopt beveiliging niet, dit resulteert in foutpagina bij de DVA en bij de DVA foutcode in de logging.
Invalid request
Afgehandeld door de DVA (12) (tonen op een scherm van de DVA)
{ "event": { "type": "receive_authorization_request", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:14:23.618+01:00", "session_id": "c6a27d45-4316-464e-81e0-48d5dbccacbb", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", "client_id": "mijn.pgo.nl", "server_id": "api.as.dva.nl", "redirect_uri": "https://mijn.pgo.nl/medmij" "state": "ipcxyhlbjtvduydtneoaflwiismwxfmj" }, "error": { "status": "400", "code": "invalid_request", "description": "Invalid redirection uri https://api.as.dva.nl/2.0.0/authorize"} } } }
DVP
Niet van toepassing, conform 'duiding van fouten'.
De DVA moet een foutmelding tonen en mag de Persoon niet terugsturen naar de DVP. De DVP kan dus niets loggen.
Authorization request wordt verstuurd, maar kan niet goed verwerkt worden door DVA (1c)
Deze flow kan resulteren in een diversiteit aan HTTP status codes (inclusief foute parameters of dat niet alle parameters er zijn).
DVA
{ "event": { "type": "send_error_authorization_request", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:14:23.618+01:00", "session_id": "c6a27d45-4316-464e-81e0-48d5dbccacbb", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", }, "error": { "status": "400", "code": "invalid_request", "description": "invalid_parameter" or "missing_parameter" } }
DVP
{ "event": { "type": "send_error_authorization_request", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:16:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "400", "code": "invalid_request" or "missing_parameter" } }
De eerste landingspagina DVA wordt getoond, maar de Persoon klikt op annuleren (1e)
Authorization Server informeert DVP Server over deze uitzondering. DVP Server informeert Persoon dat diens verzoek geen voortgang kan vinden, maar laat de oorzaak daarvan helemaal in het midden.
DVA
{ "event": { "type": "send_authorization_cancellation", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:16:53.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cd2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "403", "code": "access_denied", "description": "authentication_cancellation" } }
DVP
{ "event": { "type": "receive_authorization_cancellation", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:16:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cd2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "403", "code": "access_denied" } }
Authentication
De DVA ontvangt een negatief resultaat op het authentificatie proces (400). (2a)
{ "event": { "type": "receive_negative_artifact_response", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:16:57.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "1ea26300-0178-4fea-8db3-f88390b896b4", "request_type": "SAML_assertion" }, "error": { "status": "400", "code": "access_denied" } }
Beschikbaarheidstoets
Persoon is geauthenticeerd, maar resultaat beschikbaarheidstoets is negatief (alt flow 3a)
DVA
{ "event": { "type": "negative_answer_availability_request", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:16:58.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.as.dva.nl", "service_id": "49", "uri": "https://api.as.dva.nl/2.0.0/availability", "provider_id": "een.huisarts@medmij" }, "error": { "status": "403", "code": "access_denied", "description": "no_data_available" } }
Toestemming
Toestemmingsverklaring wordt getoond, maar Persoon geeft geen toestemming door op annuleren te klikken(4a)
NB: bij 11 specifiek loggen "geen toestemming"
DVA send
{ "event": { "type": "send_authorization_cancellation", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:03.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.as.dva.nl", }, "error": { "status": "403", "code": "access_denied", "description": "consent_not_given" } }
DVP
{ "event": { "type": "receive_authorization_cancellation", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:17:04.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", }, "error": { "status": "403", "code": "access_denied", } }
Een andere technische storing bij de Authorization server (authorization server kan zelf een technische fout hebben) (4b)
Dit kan de AS wel loggen. De DVA moet zelf een fout tonen op een scherm.
Token
Toestemming is gegeven en de DVP stuurt token request, maar krijgt time-out (5a)
Moet gelogd door DVP, DVA kan zo lang wachten op verwerken op gegevens dat er time-out wordt verzonden. Dit is iets anders dan onbeschikbaar zijn van resource interface.
DVP
{ "event": { "type": "server_time_out_at_token_request", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:16:58.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.ti.dva.nl", "uri": "https://api.ti.dva.nl/2.0.0/token" }, "error": { "status": "403" "code": "server_error" "description": "server_time_out" } }
Versturen token response (16) - parameters kloppen niet (alt. flow 5b.)
DVA
{ "event": { "type": "send_token_response_error", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "400" "code": "invalid_request" "description": "missing_parameters" } }
DVP
{ "event": { "type": "receive_token_response_error", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "400" "code": "invalid_request" } }
PGO verstuurt meerdere token requests en krijgt meerdere token responses terug van DVA. (kan alleen als er 1 positief is en de rest negatief) (5c)
Door verschillende request_id's zal de DVA alle verzoeken afhandelen.
Versturen token response (16) - De authorization code of het refresh token is verlopen of anderszins foutief (14, 15) (alt. flow 5d)
DVA
{ "event": { "type": "send_token_response_error", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "400" "code": "invalid_grant" "description": "expired/invalid_refresh_token" or "expired/invalid_authorization_grant" } }
DVP
{ "event": { "type": "receive_token_response_error", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "400" "code": "invalid_grant" "description": "expired/invalid_refresh_token" or "expired/invalid_authorization_grant" } }
Refresh token is tussentijds ingetrokken (beide partijen loggen)(5e)
DVA
{ "event": { "type": "send_token_response_error", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" "client_id": "mijn.pgo.nl", "server_id": "api.ti.dva.nl", "uri": "https://api.ti.dva.nl/2.0.0/token" }, "error": { "status": "400" "code": "invalid_grant" "description": "Revoked/missing/invalid refresh token" or "Revoked/missing/invalid authorization grant" } }
DVP
{ "event": { "type": "receive_token_response_error", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "400" "code": "invalid_grant" "description": "Revoked/missing/invalid refresh token" or "Revoked/missing/invalid authorization grant" } }
DVP gebruikt de verkeerde (verkeerd, verlopen, ingetrokken) server certificaten (5f)
(voordat request wordt verzonden wordt er een TLS tunnel aangemaakt, en die mislukt. dus loggen in technologie laag, op dezelfde bol → json?)
{ "event": { "type": "send_token_response_error", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "401" "code": "invalid_client" "description": "unknown client" } }
DVA gebruikt de verkeerde (verkeerd, verlopen, ingetrokken) server certificaten (5g)
Versturen token response (16) - DVP gebruikt de verkeerde (verkeerd, verlopen, ingetrokken) server certificaten (15) (alt. flow 5g .) - inva
{ "event": { "type": "send_token_response_error", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:55.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get" }, "error": { "status": "401" "code": "invalid_client" "description": "unknown client" } }
Token server is niet beschikbaar (5h)
DVA
{ "event": { "type": "token_server_unavailable", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:58.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.ti.dva.nl", "uri": "https://api.ti.dva.nl/2.0.0/token" }, "error": { "status": "403" "code": "server_error" "description": "server_unavailable" } }
Resource
Access token is verkregen, resource request is verstuurd, maar krijgt time-out (15 minuten) 403 (6a)
Access token is niet meegestuurd (6b)
Versturen Resource response (24) - missend token (alt. flow 6b)
{ "event": { "type": "send_resource_response_error", "location": "api.rs.dva.nl", "datetime": "2023-03-28T22:20:23.236+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "401", "code": "invalid_token", "description": "The access token is missing" } }
Access token is verlopen (6c)
Versturen Resource response (24) - invalid token (alt. flow 6c)
{ "event": { "type": "send_resource_response_error", "location": "api.rs.dva.nl", "datetime": "2023-03-28T22:20:23.236+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "401", "code": "invalid_token", "description": "The access token expired" } }
Resource komt niet voor in de scope van het access token (6d)
Niet meer van toepassing
Versturen Resource response - Het resultaat beschikbaarheidstoets is negatief (alt. flow 6e)
{ "event": { "type": "send_resource_response_error", "location": "api.rs.dva.nl", "datetime": "2023-03-28T22:20:23.236+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" }, "error": { "status": "403", "code": "access_denied" or "forbidden", "description": "not enough privileges" } }
Resource (bron) is niet beschikbaar (op dit moment)
Resource server is niet beschikbaar (403)
DVA
{ "event": { "type": "send_resource_server_unavailable", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:17:58.518+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "d804ccfd-1b9e-40a1-b740-9f59da562b55", "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.ti.dva.nl", "uri": "https://api.ti.dva.nl/2.0.0/token" }, "error": { "status": "403" "code": "server_error" "description": "server_unavailable" } }
PGO krijgt 403 als patient of PGO niet geauthorizeerd is om zib te leveren (400-derds is fout van de aanroepen.)
DVA
{ "event": { "type": "send_resource_response_authorization_error", "location": "api.rs.dva.nl", "datetime": "2023-03-28T22:20:23.236+01:00", "session_id": "d7382884-865e-4185-8347-2c4922d8ef73", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" "method": "get", "client_id": "mijn.pgo.nl", "server_id": "api.as.dva.nl", "service_id": "49", "information": { "successfull": [0, 1], "unsuccessfull": [5,6] }, "uri": "https://api.as.dva.nl/2.0.0/availability", "provider_id": "een.huisarts@medmij" }, "error": { "status": "403", "code": "access_denied" or "forbidden", "description": "not_enough_privileges" } }
DVP
{ "event": { "type": "send_resource_response_authorization_error", "location": "mijn.pgo.nl", "datetime": "2023-03-28T22:20:23.236+01:00", "session_id": "8f57f91c-c4f3-4fd1-8463-c4212de3fac0", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488" "service_id": "49", "information": { "successfull": [0, 1], "unsuccessfull": [5,6] }, "provider_id": "een.huisarts@medmij" }, "error": { "status": "403", "code": "access_denied" or "forbidden", } }
Geen errors, schermen of reacties
Bij de alternatieve flows 1a, 1e en 1g worden geen errors teruggegeven, nieuwe schermen getoond of reacties teruggestuurd naar de DVP of DVA.
Bij alternatieve flow 1a is dit het geval doordat het authorization request wel verzonden is maar nooit aankomt. Er kan dan wel gelogd worden bij de DVP dat het request verzonden is maar als deze nooit aankomt dan weet de DVA niet dat het request er ooit is geweest. De DVP weet pas als deze niets terug krijgt dat er iets mis is gegaan. Loggen of berichten sturen bij flow 1a is dan niet mogelijk.
Voor de alternatieve flow 1e en 1g sluit de persoon zelf de browser of scherm. Pas als de sessie time out dan wordt pas bekend dat de sessie is afgebroken. De oorzaak achterhalen kan pas achteraf door de log-data te analyseren.
Ontvangen van het authorization request door de DVA- fout/missende parameters → Weg?
Afgehandeld door de DVA (2) (tonen op een scherm van de DVP)
{ "event": { "type": "receive_authorization_request_error", "location": "api.as.dva.nl", "datetime": "2023-03-28T22:14:23.618+01:00", "session_id": "c6a27d45-4316-464e-81e0-48d5dbccacbb", "trace_id": "79dc6181-6239-4fdd-ad98-594312aeac71" }, "request": { "id": "8b5d6cb2-a2c0-4893-bd97-240621c3e488", "client_id": "mijn.pgo.nl", "server_id": "api.as.dva.nl", "redirect_uri": "https://mijn.pgo.nl/medmij" "state": "ipcxyhlbjtvduydtneoaflwiismwxfmj" }, "error": { "status": "400", "code": "invalid_request", "description": "Invalid redirection uri https://api.as.dva.nl/2.0.0/authorize"} } } }
Changelog
Datum | Wijziging |
---|---|
17-4-23 | Hoofdstuk indeling van per onderwerp naar de nummering in Alternative flows. Toevoegen aantal uitgewerkte flows |