ЕСОЗ - public documentation

Sign up via id.gov.ua

Purpose

Register users in the Cabinet via the integrated system of digital identification (id.gov.ua).

The endpoints used for the integration are described here.

Sequence diagram

https://sequencediagram.org

Auth Flow

Front-end: ReCaptcha validation

The front-end renders the reCAPTCHA form and the user interacts with it. The result of the reCAPTCHA validation is a token, which is used as the ID of the Auth Request.

Front-end: Initialize auth request

Create a new auth request in short-lived storage with the auth data (client_id, redirect_uri, scope).
The reCAPTCHA token must be used as the ID of the auth request.

The auth request exists for security reasons: together with a white list of auth (redirect) URLs it helps to prevent CSRF.

Apiary

Front-end: Generate link and redirect to id.gov.ua login page

The front-end generates a link and redirects the client to the id.gov.ua login page with the following parameters:

parameter      description
redirect_uri   Mithril redirect endpoint
state          reCAPTCHA token (the Auth request ID), used for completing the auth process.

Mithril: Get User info from id.gov.ua

After a successful login via id.gov.ua, the client's browser is redirected to the Mithril endpoint with the authorization code and state.

  1. Get AuthRequest from in-memory DB
  2. Validate AuthRequest:
    1. if AuthRequest not found - return 401 error
    2. if AuthRequest expired - return 401 error
  3. Validate reCAPTCHA token (state):
    1. if invalid - return 401 error
  4. Exchange the authorization code for an access token in id.gov.ua (API documentation)
  5. Get User Info (tax_id, first_name, last_name, email) by access token from id.gov.ua (API documentation)

Mithril: Create UserRequest 

  1. Search user in users table by tax_id
    1. if user found:
      1. Search person in MPI by user.person_id
      2. if person found → /wiki/spaces/EH/pages/583403011
      3. if person not found → continue registration
    2. if user not found → continue registration
  2. Create UserRequest with tax_id, first_name, last_name, email fields in the temporary DB
  3. Generate a JWT with the UserRequest id (user_request_id)
  4. Redirect to the Front-end Sign-Up page with the JWT

Front-end: Registration form

The front-end renders the registration form with prefilled data fetched from Mithril (Apiary) by the JWT.

Mithril: Get UserRequest

  1. Validate JWT expiration and claim
    1. if JWT is invalid - return 401 error
  2. Get user_request_id from JWT
  3. Search UserRequest by user_request_id
    1. if NOT found - return 404 error
    2. if found - validate expiration
      1. if expired - return 410 error

Apiary
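The AuthRequest and UserRequest checks described above (auth request keyed by the reCAPTCHA token with a redirect white list, the Mithril callback returning 401 on a missing, expired or captcha-invalid state, and Get UserRequest returning 404/410), as an added example that is not ЕСОЗ or Mithril code. The in-memory store, TTL values, function names and the constructed white-list URL are assumptions; calls to reCAPTCHA and id.gov.ua are replaced by injected callables, and JWT handling is left out.

```python
import time
from dataclasses import dataclass, field

AUTH_REQUEST_TTL = 300   # assumed lifetime of the short-lived auth request, seconds
USER_REQUEST_TTL = 900   # assumed lifetime of a UserRequest, seconds
REDIRECT_WHITELIST = {"https://cabinet.example/callback"}  # constructed white list

@dataclass
class Store:
    auth_requests: dict = field(default_factory=dict)  # reCAPTCHA token -> (data, expires_at)
    user_requests: dict = field(default_factory=dict)  # user_request_id -> (user info, expires_at)

def init_auth_request(store, recaptcha_token, client_id, redirect_uri, scope, now=None):
    """Front-end step: the reCAPTCHA token is the AuthRequest ID; only
    white-listed redirect URIs are stored (the CSRF protection the page describes)."""
    if redirect_uri not in REDIRECT_WHITELIST:
        return 422
    now = time.time() if now is None else now
    data = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}
    store.auth_requests[recaptcha_token] = (data, now + AUTH_REQUEST_TTL)
    return 201

def mithril_callback(store, state, code, verify_captcha, exchange_code, now=None):
    """Mithril callback: AuthRequest missing/expired -> 401, captcha invalid -> 401,
    otherwise exchange the code, fetch user info and create a UserRequest."""
    now = time.time() if now is None else now
    entry = store.auth_requests.pop(state, None)  # assumption: one-time use of the state
    if entry is None or entry[1] < now:
        return 401, None
    if not verify_captcha(state):
        return 401, None
    user_info = exchange_code(code)  # stands in for code exchange + User Info call
    user_request_id = f"ur-{len(store.user_requests) + 1}"
    store.user_requests[user_request_id] = (user_info, now + USER_REQUEST_TTL)
    return 302, user_request_id  # the real flow redirects with a JWT carrying this id

def get_user_request(store, user_request_id, now=None):
    """Mithril: Get UserRequest; 404 if not found, 410 if expired."""
    now = time.time() if now is None else now
    entry = store.user_requests.get(user_request_id)
    if entry is None:
        return 404, None
    if entry[1] < now:
        return 410, None
    return 200, entry[0]
```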

Front-end: Register Patient

Send registration form to IL

Apiary

IL: Create Person

The process of person creation with id.gov.ua is very close to /wiki/spaces/PCAB/pages/583402002

The difference is that the form data is not signed, and the user's personal data should be verified using the UserRequest in Mithril, not with a DS (digital signature).

  1. Validate JWT expiration and claim
    1. if JWT is invalid - return 401 error
  2. Get user_request_id from JWT
  3. Get UserRequest from Mithril (Apiary)
    1. if UserRequest expired or not found - return 409 error
  4. Ignore preferred_way_communication from input and set it to phone
  5. Validate Form input via Json Schema (described in /wiki/spaces/PCAB/pages/583402002)
  6. Create User in MPI (described in /wiki/spaces/PCAB/pages/583402002)
  7. Create Token for Consent dialog
  8. Send back created User, Patient and Token 

Apiary

Front-end: Consent page and Cabinet

  1. Show the user the Consent Page with the scopes that the application requests.
  2. If the user grants access, create a code grant token in Mithril (Apiary)
  3. Redirect the client to the redirect_uri from the previous response
  4. The application exchanges the code grant for an access token (Apiary)
  5. Redirect to the Cabinet Landing Page
