
Credential registry authentication #521

@F-Node-Karlsruhe (Contributor) commented Jun 27, 2023

First draft

Authenticated registry requests shall be performed by doing a POST request carrying the authentication. As a first option we chose verifiable presentations (VPs) as the means of authentication. VPs already take over the authentication of the requesting identity by design and are a proven building block of the DID ecosystem. Further, they can contain verifiable credentials which may be needed for authentication as well, e.g. GS1LicenceCredentials.

Open questions

Replay attacks

Option 1
Obtain challenge for the VP via an additional endpoint registry/{id}/challenge

Option 2
Add an expirationDate with a short delay to the VP (not intended (?) in the data model but possible with the LinkedDataSignature)

Protocol options

Allow OpenID4VP from the registry side?

  • Registry provides presentation request for each route
  • direct_post route is the route of the subject.id request which is then used to fetch the credentials in an authenticated way

-> Out of scope of OID4VC / a little bit of misuse of the protocol
-> Privacy issue: the necessary authentication requirements are partially revealed with the presentation request

@F-Node-Karlsruhe (Contributor, Author) commented
OID4VP Draft

Using the authorize endpoint of the authorization request of OID4VP, using the cross-device flow.

For the registry authorization the flow starts at step 2 (2.0 in the figure), where the requesting wallet can query the Request Object containing the presentation definition and nonce/challenge (2.5). The first step can be skipped, as we define the endpoint where the Request Object can be fetched under registry/{id}/authorize. After creating the requested authorizing presentation, it can be sent to the response_uri (3), which SHOULD be set to the original registry endpoint registry/{id}.

Up to here we strictly followed the OID4VP cross-device flow. The only difference comes after the official flow has finished. Instead of ending the flow with a 200 response after the presentation was sent to the response_uri via POST request, the response_uri answers with 200 and the requested credentials in the response body.
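The exchange described above, and the single-use challenge of "Option 1" from the first comment, as an added example that is not part of this PR or the specification: a constructed registry serves a Request Object with a nonce at registry/{id}/authorize, the wallet binds its VP to that nonce and to the response_uri, and the registry consumes the nonce on first use before answering 200 with the credentials. The HMAC-based `sign_vp`, the 120-second TTL, the DIDs and the key map standing in for DID resolution are all assumptions, not a real LinkedDataSignature.

```python
import hashlib, hmac, json, secrets, time

def _payload(vp):
    """Canonical bytes of the VP without the signature value."""
    unsigned = dict(vp, proof={k: v for k, v in vp["proof"].items() if k != "sig"})
    return json.dumps(unsigned, sort_keys=True).encode()

def sign_vp(vp, holder_key):
    """Stand-in for the LinkedDataSignature: an HMAC keyed by the holder (constructed, not a real DID proof)."""
    vp["proof"]["sig"] = hmac.new(holder_key, _payload(vp), hashlib.sha256).hexdigest()
    return vp

def wallet_present(holder_did, holder_key, request_object):
    """Wallet step (2.5 -> 3): bind the VP to the nonce and to the response_uri, then sign it."""
    vp = {"holder": holder_did, "verifiableCredential": [],
          "proof": {"challenge": request_object["nonce"], "domain": request_object["response_uri"]}}
    return sign_vp(vp, holder_key)

class Registry:
    """Constructed registry exposing registry/{id}/authorize and registry/{id} (direct_post)."""
    NONCE_TTL = 120  # seconds a challenge stays valid (assumed value)

    def __init__(self, registry_id, holder_keys, holdings):
        self.registry_id = registry_id
        self.holder_keys = holder_keys  # holder DID -> key; stands in for DID resolution
        self.holdings = holdings        # holder DID -> credentials that holder may fetch
        self.nonces = {}                # nonce -> expiry; an entry is deleted on first use

    def authorize(self, now=None):
        """Step 2.5: Request Object with the presentation definition and a fresh nonce."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = (now or time.time()) + self.NONCE_TTL
        return {"response_type": "vp_token", "response_mode": "direct_post",
                "response_uri": f"registry/{self.registry_id}", "nonce": nonce,
                "presentation_definition": {"id": "registry-auth", "input_descriptors": []}}

    def direct_post(self, vp, now=None):
        """Step 3: verify the VP; answer 200 with the credentials instead of an empty 200."""
        proof, holder = vp.get("proof", {}), vp.get("holder")
        expiry = self.nonces.pop(proof.get("challenge"), None)  # single use: a replayed VP finds nothing
        if expiry is None or (now or time.time()) > expiry:
            return 401, {"error": "unknown, used or expired challenge"}
        if proof.get("domain") != f"registry/{self.registry_id}" or holder not in self.holder_keys:
            return 401, {"error": "presentation not bound to this registry or unknown holder"}
        expected = hmac.new(self.holder_keys[holder], _payload(vp), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(proof.get("sig", ""), expected):
            return 401, {"error": "invalid proof"}
        return 200, self.holdings.get(holder, [])
```

Posting the same VP twice fails on the second attempt because the nonce was consumed, which is the replay protection Option 1 buys; Option 2 (a short expirationDate inside the VP) would be checked in `direct_post` in the same place as the TTL.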

@msporny (Member) commented Oct 14, 2024

This PR has been a draft for over a year. We don't want to keep PRs open for this long on the repository, which is undergoing some fairly significant restructuring at this point. Please confirm that you still want to pursue this PR @F-Node-Karlsruhe, and if not, please close the PR.

@msporny (Member) commented Nov 10, 2024

@F-Node-Karlsruhe second ping to provide feedback on this PR. If we don't get any feedback from you within the next 14 days, we will close this PR.

@F-Node-Karlsruhe (Contributor, Author) commented

This is far from ready and the funding project terminated last month, so I will close it here myself. Thanks for pinging me :)
