From 75a2ee2ac4e30e4f07783f7059941ed46a83e257 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Pe=C3=B1a=20Garc=C3=ADa-Oliva?= Date: Mon, 20 Nov 2023 16:09:31 +0100 Subject: [PATCH 1/2] Auth code flow update to fix issue #70 --- .../CAMARA-API-access-and-user-consent.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/documentation/CAMARA-API-access-and-user-consent.md b/documentation/CAMARA-API-access-and-user-consent.md index 70cacde5..39572216 100644 --- a/documentation/CAMARA-API-access-and-user-consent.md +++ b/documentation/CAMARA-API-access-and-user-consent.md @@ -151,14 +151,16 @@ alt Standard OIDC Auth Code Flow between Invoker and API Exposure Platform alt If Consent is Granted or Consent not needed for legal basis ExpO-->>FE: 302
Location: invoker_callback?code=Operatorcode else If Consent is NOT granted - Consent Capture within AuthCode Flow - Note over FE,ExpO: Consent capture - alt when user grants consent / otherwise flow fails - ExpO-->>FE: 302
Location: invoker_callback?code=Operatorcode - end - end + Note over FE,ExpO: Consent capture + ExpO-->>FE: 302
Location: aggregator_callback?code=Operatorcode + end FE-->>-BE: GET invoker_callback?code=OperatorCode BE->>ExpO: POST /token
code=OperatorCode - ExpO->>BE: 200 OK
{OperatorAccessToken} + alt If Consent is Granted or Consent not needed for legal basis + ExpO->>BE: 200 OK
{OperatorAccessToken} + else If Consent is NOT granted - Flow fails if there is no other granted scope + ExpO->>BE: 400 Bad Request
{error: invalid_request} + end end BE->>ExpO: Access Operator CAMARA API
Authorization: Bearer {OperatorAccessToken} @@ -190,7 +192,7 @@ Then, two alternatives may occur: - The operator performs the consent capture. Since the authorization code grant involves the frontend, the consent can be captured directly from the user. - Once the user has given consent, the authorization code flow continues by redirecting to the API invoker redirect_uri (invoker_callback) and including the authorization code (OperatorCode). -Once the API invoker receives the redirect with the authorization code (OperatorCode - Step 9), it will retrieve the access token from the operator's API exposure platform (OperatorAccessToken) (Steps 10-11). The OperatorAccessToken issued is encrypted so that no relevant information is exposed. +Once the API invoker receives the redirect with the authorization code (OperatorCode - Step 9), it will retrieve the access token from the operator's API exposure platform (OperatorAccessToken) (Steps 10-11). The OperatorAccessToken issued is encrypted so that no relevant information is exposed. If the user has not given consent, the access token will not contain the appropriate scopes, and if no other scopes are granted, the flow will fail. Now the API invoker has a valid access token that can be used to invoke the CAMARA API offered by the operator (Step 12). From 1ead9a53d2eaa70c2a415908dd64f39e63320868 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Pe=C3=B1a=20Garc=C3=ADa-Oliva?= Date: Tue, 19 Dec 2023 15:02:09 +0100 Subject: [PATCH 2/2] added Eric's rewording suggestion --- documentation/CAMARA-API-access-and-user-consent.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/CAMARA-API-access-and-user-consent.md b/documentation/CAMARA-API-access-and-user-consent.md index 39572216..244bcf6a 100644 --- a/documentation/CAMARA-API-access-and-user-consent.md +++ b/documentation/CAMARA-API-access-and-user-consent.md 
@@ -151,7 +151,7 @@ alt Standard OIDC Auth Code Flow between Invoker and API Exposure Platform alt If Consent is Granted or Consent not needed for legal basis ExpO-->>FE: 302
Location: invoker_callback?code=Operatorcode else If Consent is NOT granted - Consent Capture within AuthCode Flow - Note over FE,ExpO: Consent capture + Note over FE,ExpO: Start user consent capture process
following Section 3.1.2.4 of the OIDC Core 1.0 spec. ExpO-->>FE: 302
Location: aggregator_callback?code=Operatorcode end FE-->>-BE: GET invoker_callback?code=OperatorCode @@ -189,7 +189,7 @@ Then, two alternatives may occur: **Scenario 2**: Consent is required and not yet provided by user (Step 8) -- The operator performs the consent capture. Since the authorization code grant involves the frontend, the consent can be captured directly from the user. +- The operator performs the consent capture following Section 3.1.2.4 of the OpenID Connect Core 1.0 specification. Since the authorization code grant involves the frontend, the consent can be captured directly from the user. - Once the user has given consent, the authorization code flow continues by redirecting to the API invoker redirect_uri (invoker_callback) and including the authorization code (OperatorCode). Once the API invoker receives the redirect with the authorization code (OperatorCode - Step 9), it will retrieve the access token from the operator's API exposure platform (OperatorAccessToken) (Steps 10-11). The OperatorAccessToken issued is encrypted so that no relevant information is exposed. If the user has not given consent, the access token will not contain the appropriate scopes, and if no other scopes are granted, the flow will fail.
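Review bot: In PATCH 1/2, hunk `@@ -151,14 +151,16 @@`, the new "Consent is NOT granted" branch redirects to `aggregator_callback?code=Operatorcode` while the granted branch and the very next step both use `invoker_callback` (`FE-->>-BE: GET invoker_callback?code=OperatorCode`); this looks like a copy slip and should read `invoker_callback`, and `Operatorcode`/`OperatorCode` should be spelled one way. A second concern in the same hunk: by dropping `alt when user grants consent / otherwise flow fails`, the authorization endpoint now issues a code even when the user refuses consent and the failure is deferred to the token endpoint as `400 Bad Request {error: invalid_request}`. In OAuth 2.0 a refusal is normally signalled on the redirect itself with `error=access_denied` (RFC 6749 section 4.1.2.1), and `invalid_request` at the token endpoint (section 5.2) denotes a malformed request, so the API invoker cannot distinguish a user refusal from a bug in its own token request. Either return `access_denied` on the redirect, or state explicitly which token-endpoint error is used for "no granted scope" (`invalid_grant` or `invalid_scope` fit that case better than `invalid_request`).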
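Review bot: In PATCH 1/2, hunk `@@ -190,7 +192,7 @@`, the added sentence "the access token will not contain the appropriate scopes" sits right after "The OperatorAccessToken issued is encrypted so that no relevant information is exposed", so the invoker has no way to inspect the token to learn which scopes were dropped. Say how the invoker discovers the granted scopes (the `scope` parameter of the token response, which RFC 6749 section 5.1 requires whenever the granted scope differs from the requested one) and which error the token endpoint returns when nothing is granted; the diagram in the first hunk shows `400 Bad Request {error: invalid_request}`, but the prose only says "the flow will fail", so the two are not yet aligned.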
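Review bot: In PATCH 2/2, hunk `@@ -151,7 +151,7 @@`, the unchanged context right after the reworded note still redirects the not-granted branch to `aggregator_callback?code=Operatorcode` while the next line does `GET invoker_callback?code=OperatorCode`; since this hunk already touches that branch, fix the callback name here rather than in a follow-up. The reworded note cites "Section 3.1.2.4 of the OIDC Core 1.0 spec" whereas the prose hunk in the same patch says "OpenID Connect Core 1.0 specification"; use the full name in both places (Section 3.1.2.4 is the "Authorization Server Obtains End-User Consent/Authorization" step, so the section number is right).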
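Review bot: In PATCH 2/2, hunk `@@ -189,7 +189,7 @@`, the new reference to Section 3.1.2.4 of the OpenID Connect Core 1.0 specification would be more useful with a link to the specification, and the consent-refused case still lacks a concrete outcome: the following unchanged sentence says only "the flow will fail" while the sequence diagram returns `400 Bad Request {error: invalid_request}` from the token endpoint. Name the error response (and the `scope` parameter of the token response that tells the invoker which scopes were actually granted) so that implementers of the API invoker can handle the refusal deterministically.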