[TSG-Access-RD] Another Model Take

Hollenbeck, Scott shollenbeck at verisign.com
Wed Feb 13 13:48:12 UTC 2019


As I said yesterday, I'm not comfortable with the way we approached the ladder diagrams. I think we made the diagrams more complicated and technically incorrect by mixing functions with the actors who perform them, so I tried to take a stab at focusing on the functions and ensuring that the flow is technically accurate. I've added the files to the drive with names that start with "SAH-Ladder".

The flow I described is not the one that assumes a CLI. If folks agree that this representation gets us where we want, it would be a simple step to modify the first few interactions to describe how it works with a CLI.

Legend to the functions:

AE: Authorization Endpoint
TE: Token Endpoint
CP: Contracted Party

The AE and TE are functions performed by an Identity Provider. Separating them the way I did in the diagram allows us to simplify the ladder diagram AND makes it clear that the functions can be performed by different entities.

It may be worth revisiting how OpenID Connect and OAuth work before we proceed with assumptions about token generation and processing.

Scott

