participant "<size:20>Consumer" as Consumer #F6C589
participant "<size:20>Accredited Data Recipient" as ADR #98D7C4
participant "<size:20>Data Holder" as DH #62B6E4

lifelinestyle Consumer #F6C589:4
lifelinestyle ADR #98D7C4:4
lifelinestyle DH #62B6E4:4

note over Consumer, DH #dce4e5:** <size:20>Step 1: Setup consent request 

activate ADR #98D7C4

Consumer -#F6C589:4> ADR:<size:18>Establish TLS 1.2

Consumer -#F6C589:4> ADR:<size:18>Provide consent via consent screens

ADR -#98D7C4:4> ADR:<size:18>Create signed request object with\nrequested scopes and claims

ADR -#98D7C4:4> DH:<size:18>Establish MTLS 1.2

ADR -#98D7C4:4> DH:<size:18>Call par end point with request object

DH -#62B6E4:4> DH:<size:18>Validate request\nobject signature

DH -#62B6E4:4> ADR:<size:18>Cache object and return\nrequest URI reference

ADR -#98D7C4:4> Consumer:<size:18>Redirect (HTTP 302) to DH\nauthorize end point with\nrequest uri reference

deactivate ADR


space 5


note over Consumer, DH #dce4e5:** <size:20>Step 2: Authorise consent

activate DH #62B6E4

Consumer -#F6C589:4> DH:<size:18>Establish TLS 1.2

Consumer -#F6C589:4> DH:<size:18>Call authorize end point as per ADR 302 redirect

DH -#62B6E4:4> DH:<size:18>Validate authorize\nparameters against \nregistered client\ninformation

DH -#62B6E4:4> DH:<size:18>Get request object\nfrom par cache and \nvalidate contents

DH -#62B6E4:4> Consumer:<size:18>Show authentication page

Consumer -#F6C589:4> DH:<size:18>Provide user ID

DH -#62B6E4:4> Consumer:<size:18>Send out of band OTP

Consumer -#F6C589:4> DH:<size:18>Provide OTP to complete authentication

DH -#62B6E4:4> DH:<size:18>Determine if consumer\nhas multiple profiles

opt #efdd83 
DH -#62B6E4:4> Consumer:<size:18>Ask consumer to select profile

Consumer -#F6C589:4> DH:<size:18>Profile selected (determines sharing context)
end

DH -#62B6E4:4> Consumer:<size:18>Present consent authorisation screens

Consumer -#F6C589:4> DH:<size:18>Confirm consent authorisation

opt #efdd83
DH -#62B6E4:4> Consumer:<size:18>Present account list for inclusion

Consumer -#F6C589:4> DH:<size:18>Select accounts to include in sharing (including JAMS)
end

DH -#62B6E4:4> Consumer:<size:18>Request final approval

Consumer -#F6C589:4> DH:<size:18>Approve authorisation

DH -#62B6E4:4> DH:<size:18>Generate ADR facing\nauthorization-code

DH -#62B6E4:4> DH:<size:18>Store arrangement details

alt #7bc0e0 if existing arrangement_id included in consent

  DH -#62B6E4:4> DH:<size:18>Update arrangement to\nindicate continuity

end

DH -#62B6E4:4> Consumer:<size:18>Redirect (HTTP 302) back to ADR\nwith accept state and authorization-code

deactivate DH


space 5


note over Consumer, DH #dce4e5:** <size:20>Step 3: Exchange tokens


Consumer -#F6C589:4> ADR:<size:18>Redirect to redirect URI\nwith accept state and\nauthorization-code

activate ADR #98D7C4

ADR -#98D7C4:4> ADR:<size:18>Validate the authorization-code\nand ensure it relates to\nan initiated consent

ADR -#98D7C4:4> DH:<size:18>Establish MTLS 1.2

ADR -#98D7C4:4> DH:<size:18>Call token end point\nwith authorization-code

DH -#62B6E4:4> DH:<size:18>Validate stored consent\nand authorization-code

DH -#62B6E4:4> DH:<size:18>Generate access-token\nand refresh token

DH -#62B6E4:4> DH:<size:18>Bind access-token with\nclient certificate thumbprint

DH -#62B6E4:4> ADR:<size:18>Return access-token\nand refresh-token

deactivate ADR

space 5


note over Consumer, DH #dce4e5:** <size:20>Step 4: Call resource end point

activate ADR #98D7C4

ADR -#98D7C4:4> DH:<size:18>Establish MTLS 1.2

alt #84d6bb if no valid access token

  ADR -#98D7C4:4> DH:<size:18>Call token end point\nwith refresh token

  DH -#62B6E4:4> DH:<size:18>Generate access token\nand optional new refresh token

  DH -#62B6E4:4> DH:<size:18>Bind access token with\nclient certificate thumbprint

  DH -#62B6E4:4> ADR:<size:18>Return access token\nand optional new refresh token

end

ADR -#98D7C4:4> DH:<size:18>Call resource end point\nwith access token

DH -#62B6E4:4> DH:<size:18>Validate access token validity\nand certificate thumbprint

DH -#62B6E4:4> DH:<size:18>Validate scopes and\nclaims as needed

DH -#62B6E4:4> ADR:<size:18>Return CDR data

deactivate ADR