C_12470_Anlage_V1.0.0
Prereleases:
C_12470_Anlage
Changes in I_Authorization_Service.yaml, sendAuthCodeFdV description:
- Clarification: "access to device management" only in the home system
- Error code: for use of DeviceAttestation in the home system
**Provider**:<br>
The provided authorization code shall be exchanged for an ID-Token with the IDP. The ID-Token shall be converted
into an HSM-ID-Token with an extended validity period.
**Device verification - home system:**<br>
If _x-device-identifier_ and _x-device-token_ are both submitted, the device verification starts immediately after
the authorization completion.
Device identifier and device token shall be verified against the registered values.
The x-device-identifier / x-device-token check shall only consider device registrations for the authorized user.
If _x-device-identifier_ and _x-device-token_ are both missing (i.e. not yet registered device) access of the
user session shall be limited to the device management service.
**Device verification - other than home system:**<br>
If _x-device-attestation_ is submitted, the device verification starts immediately after the authorization completion.
The authorization service shall accept a device attestation in case
- signature is valid
- "exp" (expiration time) is a timestamp 120 minutes after "iat".
- current time is greater than or equal to 'iat' and less than 'exp', with 15 seconds tolerance ('iat' - 15s <= current time < 'exp' + 15s).
- claim _actorId_ from device attestation matches kvnr of ID-Token or HSM-ID-Token.
If the device attestation is valid by signature and time, and the KVNR submitted in device attestation matches the
KVNR of the authorized user the authorization service shall accept the device registration.
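The four acceptance conditions above (signature, "exp" = "iat" + 120 minutes, the 15-second tolerance window, and the _actorId_ / KVNR match), written out as a check function. This is an added example, not code from the gematik specification: the real attestation is signed with the device's key, so the HMAC-based `demo_signature_valid` here is only a constructed stand-in for the signature step, and the claim layout (`iat`, `exp`, `actorId` as a flat dict) is an assumption.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

EXP_AFTER_IAT_SECONDS = 120 * 60  # "exp" shall be 120 minutes after "iat"
TOLERANCE_SECONDS = 15            # skew tolerance on both ends of the window

# Constructed demo key. Stand-in for the device key that signs a real attestation.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(claims: dict) -> bytes:
    """Deterministic serialisation so signing and verifying see the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def demo_sign(claims: dict) -> str:
    """Stand-in signature (HMAC-SHA256 over the canonical claims)."""
    return hmac.new(DEMO_KEY, canonical(claims), hashlib.sha256).hexdigest()


def demo_signature_valid(claims: dict, signature: str) -> bool:
    """Constant-time comparison against the stand-in signature."""
    return hmac.compare_digest(demo_sign(claims), signature)


@dataclass
class AttestationCheck:
    accepted: bool
    reason: str = ""


def check_device_attestation(
    claims: dict,
    signature: str,
    user_kvnr: str,
    now: int,
    signature_valid: Callable[[dict, str], bool] = demo_signature_valid,
) -> AttestationCheck:
    """Apply the acceptance conditions in the order the description lists them.

    Any failure maps to the table's 'Invalid x-device-attestation' row
    (403 / invalSignature); the reason is kept for server-side logging only.
    """
    # 1. signature is valid
    if not signature_valid(claims, signature):
        return AttestationCheck(False, "signature invalid")

    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return AttestationCheck(False, "iat/exp missing or not integer timestamps")

    # 2. exp is exactly 120 minutes after iat
    if exp != iat + EXP_AFTER_IAT_SECONDS:
        return AttestationCheck(False, "exp is not 120 minutes after iat")

    # 3. iat - 15s <= now < exp + 15s
    if not (iat - TOLERANCE_SECONDS <= now < exp + TOLERANCE_SECONDS):
        return AttestationCheck(False, "current time outside [iat-15s, exp+15s)")

    # 4. actorId matches the KVNR of the authorized user
    if claims.get("actorId") != user_kvnr:
        return AttestationCheck(False, "actorId does not match KVNR of authorized user")

    return AttestationCheck(True, "ok")


if __name__ == "__main__":
    # Constructed sample: a fresh attestation checked 100 seconds after issue.
    iat = 1_700_000_000
    sample = {"actorId": "X110000001", "iat": iat, "exp": iat + EXP_AFTER_IAT_SECONDS}
    print(check_device_attestation(sample, demo_sign(sample), "X110000001", iat + 100))
```

The window check is written as a single half-open interval so the two tolerance edges cannot drift apart when one of the constants is changed; the `exp == iat + 120 min` check comes before it so that an attestation with an inflated lifetime is rejected even if the current time happens to fall inside it.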
On success (ID-Token / HSM-ID-Token received and device binding check successful) a new user session shall be instantiated,
associated to the HSM-ID-Token.
If device verification succeeds, access to all services of a health record shall be possible for the associated
user session.
If _x-authorize-representative_ is set, the user session shall only be granted access to the user's health record
entitlement management.
In all other success cases access of the user session shall be limited to the device management service.
The user session of a client shall be closed and all session related data shall be deleted in case the operation is not successful.
The VAU user pseudonym as generated for the VAU channel (see: VAU protocol) shall be returned in a successful operation response.
| Conditions | Status code | Error code | Remarks |
|------------|-------------|------------|---------|
| Successful operation | 200 |||
| Request does not match schema | 400 | malformedRequest ||
| Only _x-device-identifier_ or _x-device-token_ provided | 400 | paramExcpected | both parameters required or none |
| (_x-device-identifier_ and/or _x-device-token_) and _x-device-attestation_ provided | 400 | paramExcpected | use only registration of home system, another system or none (yet unregistered device) |
| _x-device-attestation_ provided in home system | 400 | paramExcpected | home system shall only accept _x-device-identifier_ and _x-device-token_ |
| _x-authorize-representative_ is set and _x-device-identifier_ and/or _x-device-token_ and/or _x-device-attestation_ provided | 400 | authorizeRep | _x-authorize-representative_ from preceding sendAuthorizationRequestFdV |
| Requestor role is not _oid_versicherter_ | 403 | invalidOid ||
| _authorizationCode_ not valid | 403 | invalAuth | includes any error of Authorization Service and IDP which is not mapped to 500 internal Server error |
| Wrong _x-device-token_ | 403 | invalidToken | if both parameters available and allowed |
| Invalid _x-device-attestation_ | 403 | invalSignature ||
| Device registration does not exist (_x-device-identifier_) | 404 | noResource | also if device is not associated to requestor kvnr |
| Device registration not confirmed (_status_ == _pending_) | 409 | statusMismatch | confirm pending device registration before retry |
| Any other error | 500 | internalError | (see 'Retry interval') |
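The parameter-combination rules and the resulting session scope (full access, entitlement management only, or device management only) as one decision function that returns the status and error code of the matching table row. This is an added example, not code from the gematik specification. The in-memory `REGISTRY`, the `attestation_valid` callback, the scope names, and the ordering of the 409 check before the 403 token check (the table does not fix an order) are assumptions; the page also does not say how _x-device-identifier_ / _x-device-token_ are treated outside the home system, so this example verifies them against the registry in either case.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample registry: device identifier -> (kvnr, device token, status)
REGISTRY: Dict[str, Tuple[str, str, str]] = {
    "dev-1": ("X110000001", "tok-abc", "confirmed"),
    "dev-2": ("X110000001", "tok-def", "pending"),
    "dev-3": ("X110000002", "tok-ghi", "confirmed"),
}


@dataclass
class Outcome:
    status: int
    error_code: Optional[str] = None
    # granted scope on 200: "full" | "entitlement_management" | "device_management"
    scope: Optional[str] = None


def evaluate_device_binding(
    headers: Dict[str, str],
    kvnr: str,
    is_home_system: bool,
    authorize_representative: bool,
    attestation_valid: Callable[[str, str], bool],
    registry: Dict[str, Tuple[str, str, str]] = REGISTRY,
) -> Outcome:
    """Map the submitted device-binding parameters to a table row.

    `kvnr` is the KVNR of the user authorized via the ID-Token / HSM-ID-Token;
    `authorize_representative` is the flag carried over from the preceding
    sendAuthorizationRequestFdV; `attestation_valid(attestation, kvnr)` stands
    for the signature/time/actorId check of an x-device-attestation.
    """
    dev_id = headers.get("x-device-identifier")
    dev_token = headers.get("x-device-token")
    attestation = headers.get("x-device-attestation")

    # 400 rows: the three parameters form exactly one of: none, (id + token), attestation.
    if (dev_id is None) != (dev_token is None):
        return Outcome(400, "paramExcpected")          # only one of the pair
    if dev_id is not None and attestation is not None:
        return Outcome(400, "paramExcpected")          # mixed home / other system
    if is_home_system and attestation is not None:
        return Outcome(400, "paramExcpected")          # attestation in home system
    if authorize_representative and (dev_id is not None or attestation is not None):
        return Outcome(400, "authorizeRep")            # no device binding for representatives

    if authorize_representative:
        return Outcome(200, scope="entitlement_management")

    if dev_id is not None:
        # Registered device path: only registrations of the authorized user count.
        reg = registry.get(dev_id)
        if reg is None or reg[0] != kvnr:
            return Outcome(404, "noResource")
        _, reg_token, status = reg
        if status == "pending":
            return Outcome(409, "statusMismatch")
        if not hmac.compare_digest(reg_token, dev_token):
            return Outcome(403, "invalidToken")
        return Outcome(200, scope="full")

    if attestation is not None:
        # Other-than-home-system path.
        if not attestation_valid(attestation, kvnr):
            return Outcome(403, "invalSignature")
        return Outcome(200, scope="full")

    # No device parameters at all: not yet registered device.
    return Outcome(200, scope="device_management")


if __name__ == "__main__":
    ok = evaluate_device_binding(
        {"x-device-identifier": "dev-1", "x-device-token": "tok-abc"},
        "X110000001", True, False, lambda a, k: True)
    print(ok)  # full access for the confirmed home-system registration
```

Checking the 404 row before the 409 and 403 rows means a caller never learns whether a token was wrong for a device that is not theirs; the registry lookup and the KVNR comparison are folded into one condition for that reason.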