add transaction token depp dive image

Author: kanywst

articles/assets/draft-ietf-oauth-transaction-tokens-deep-dive/cover.png

@@ -0,0 +1,28 @@
+direction: down
+
+User: "User"
+GW: "API Gateway" {
+  style.fill: "#e3f2fd"
+  style.stroke: "#1565c0"
+  style.font-color: "#0a0f25"
+}
+OrderSvc: "Order Service" {
+  style.fill: "#fff3e0"
+  style.stroke: "#e65100"
+  style.font-color: "#0a0f25"
+}
+RiskSvc: "Risk Service" {
+  style.fill: "#fce4ec"
+  style.stroke: "#c62828"
+  style.font-color: "#0a0f25"
+}
+PaySvc: "Payment Service" {
+  style.fill: "#fce4ec"
+  style.stroke: "#c62828"
+  style.font-color: "#0a0f25"
+}
+
+User -> GW: "OAuth access token"
+GW -> OrderSvc: "forwards the same token"
+OrderSvc -> RiskSvc: "forwards the same token"
+RiskSvc -> PaySvc: "forwards the same token"

articles/assets/draft-ietf-oauth-transaction-tokens-deep-dive/diagrams/01-token-forwarding-problem.d2

@@ -0,0 +1,26 @@
+direction: down
+
+TrustDomain: "Trust Domain" {
+  style.fill: "#e8f5e9"
+  style.stroke: "#2e7d32"
+  style.font-color: "#0a0f25"
+
+  TTS: "Txn-Token Service\n(TTS)" {
+    style.fill: "#c8e6c9"
+    style.stroke: "#2e7d32"
+    style.font-color: "#0a0f25"
+  }
+  GW: "API Gateway"
+  OrderSvc: "Order Service"
+  RiskSvc: "Risk Service"
+  PaySvc: "Payment Service"
+
+  GW -> TTS: "1. request a Txn-Token"
+  TTS -> GW: "2. issue a signed Txn-Token"
+  GW -> OrderSvc: "3. attach the Txn-Token"
+  OrderSvc -> RiskSvc: "forward the same Txn-Token"
+  RiskSvc -> PaySvc: "forward the same Txn-Token"
+}
+
+User: "User"
+User -> TrustDomain.GW: "OAuth access token"

articles/assets/draft-ietf-oauth-transaction-tokens-deep-dive/diagrams/01-token-forwarding-problem.png

@@ -0,0 +1,19 @@
+shape: sequence_diagram
+
+User: "External Client"
+GW: "External Endpoint\n(API Gateway)"
+TTS: "Txn-Token Service\n(TTS)"
+Svc1: "Order Service"
+Svc2: "Risk Service"
+
+User -> GW: "1. API request + access token"
+GW -> TTS: "2. Token Exchange (RFC 8693)\nsubject_token = access token\nscope = trade.stocks\nrequest_details = {BUY MSFT}"
+TTS -> TTS: "authenticate, verify subject_token,\nevaluate scope, sign"
+TTS -> GW: "Txn-Token (short-lived JWT)" {style.stroke-dash: 3}
+GW -> Svc1: "3. request + Txn-Token"
+Svc1 -> Svc1: "verify (JWS sig, aud, exp)"
+Svc1 -> Svc2: "forward Txn-Token unchanged"
+Svc2 -> Svc2: "verify Txn-Token"
+Svc2 -> Svc1: "response" {style.stroke-dash: 3}
+Svc1 -> GW: "response" {style.stroke-dash: 3}
+GW -> User: "4. API response" {style.stroke-dash: 3}

articles/assets/draft-ietf-oauth-transaction-tokens-deep-dive/diagrams/02-trust-domain-overview.d2

@@ -0,0 +1,16 @@
+shape: sequence_diagram
+
+Trigger: "Scheduler"
+Svc0: "Initiator"
+TTS: "TTS"
+Svc1: "Workload 1"
+Svc2: "Workload 2"
+
+Trigger -> Svc0: "timer fires / condition met"
+Svc0 -> TTS: "request Txn-Token\nsubject_token = Self-Signed JWT"
+TTS -> TTS: "authenticate + authorize requester"
+TTS -> Svc0: "issue the Txn-Token" {style.stroke-dash: 3}
+Svc0 -> Svc1: "request + Txn-Token"
+Svc1 -> Svc2: "forward Txn-Token unchanged"
+Svc2 -> Svc1: "response" {style.stroke-dash: 3}
+Svc1 -> Svc0: "response" {style.stroke-dash: 3}

articles/assets/draft-ietf-oauth-transaction-tokens-deep-dive/diagrams/02-trust-domain-overview.png

@@ -0,0 +1,29 @@
+direction: down
+
+Req: "Receive a Txn-Token Request"
+V1: "Authenticate the workload\n(client auth)" {shape: diamond}
+V2: "Verify subject_token\nsignature and expiry" {shape: diamond}
+V3: "Requested scope <=\nsubject_token scope?" {shape: diamond}
+V4: "Is this workload allowed to get\na Txn-Token for this scope?" {shape: diamond}
+Build: "Build the Txn-Token:\n- sub (unique in Trust Domain)\n- iat = now, exp = short lifetime\n- aud = Trust Domain\n- txn = unique ID\n- req_wl = workload ID\n- rctx from request_context\n- tctx from request_details"
+Sign: "Sign and return\ntoken_type: N_A\nissued_token_type: txn_token" {
+  style.fill: "#c8e6c9"
+  style.stroke: "#2e7d32"
+  style.font-color: "#0a0f25"
+}
+Err: "Error response\n(RFC 6749 Section 5.2)" {
+  style.fill: "#ffcdd2"
+  style.stroke: "#c62828"
+  style.font-color: "#0a0f25"
+}
+
+Req -> V1
+V1 -> Err: "auth fails"
+V1 -> V2: "OK"
+V2 -> Err: "invalid"
+V2 -> V3: "OK"
+V3 -> Err: "scope exceeds"
+V3 -> V4: "OK"
+V4 -> Err: "not allowed"
+V4 -> Build: "OK"
+Build -> Sign