3.2.4.1 Authorization

The DSS provides credentials to the USS to obtain a Cookie from the USS during this step.

The DSS MUST obtain a Cookie from the USS as follows:

1. Compose and transmit a GetAuthConfig message to the USS.

2. Receive a GetAuthConfigResponse from the USS, extract the AuthPlugIn.ServiceUrl, and save it in the Parent USS State Table.

3. Compose a GetAuthorizationCookie message by doing the following:

   1. Copy the Account Name field of the Server Configuration Table to the GetAuthorizationCookie request.

   2. Copy the Account GUID field of the Server Configuration Table to the GetAuthorizationCookie request.

4. Transmit the GetAuthorizationCookie request to the USS and receive a response from the USS.

5. Save the AuthorizationCookie received from GetAuthorizationCookie response into the Parent USS State.

6. Compose a GetCookie message as follows:

   1. Add an entry into the authCookies array of the request message by copying the AuthorizationCookie from the Parent USS State data store.

   2. Initialize the oldCookie element of the request message from the Last Cookie stored in the USS Parent State data store.

   3. Initialize the protocol version to the version being implemented by the DSS.

7. Transmit the GetCookie request to the USS and receive a response from the USS.

8. Save the Cookie returned in the GetCookie response in the Last Cookie field of the USS Parent State data store.

The DSS MUST treat the CookieData field of the AuthorizationCookie and the EncryptedData field of the Cookie as an opaque object. It is to be interpreted by the USS only. The Expiration field of the Cookie indicates whether it is expired. The DSS MUST NOT use an expired Cookie in any method calls in the following sections.