trustbloc / auth Goto Github PK

service must return same identifier when same user login.

• Service must return the same identifier for the user/client combination. The user's identifier remains stable for each client but is different among clients.
• Service successfully authenticates user to a client only for as long as the user has consented to it (or is it of one time use?)

Could not be added at this time because Hydra is not set up in the BDD tests.

PR #37 is adding the UI stuff but not actually serving it.

This is a followup for task #19 : need to redirect the user to the UI endpoint when finished handling the OIDC callback. The redirectURL should contain a handle of some sort that can be used by the UI to fetch the user's bootstrap info and offer it to the wallet via CHAPI.

(ie. use a different client_id, etc.)

During the /login flow, need to ensure the relying party wallet has been registered.

https://wiki.securekey.com/display/BLOC/Authentication+server+-+Open+ID+Design

just proper request and respnse, but mock the response to be success always,

• go.mod
  • root
  • cmd/auth-rest
  • test/bdd
• README
• golangci-lint 1.31.0

1. Handle the login request
   • id token the sub inside the token should be stable per client id atleast
2. Handle the callback

The exit code for the hydra command invocation is not checked, therefore the hydra configuration script always succeeds whether the command failed or not.

To aid troubleshooing, we should check the exit code and fail properly.

If the cert/key path are not passed to the container, it intermittently fails without a clear cause. Breaks the expectation of the cert/key parameters being optional.

Error: open : no such file or directory

Similar to trustbloc/wallet#388

Hub-auth will act as oidc provider as well where the client like kms will registerr the application
Before using hub-auth with your application, you must register your application with the service. This is done through a registration form in the “developer” or “API” portion of the service’s website, where you will provide the following information (and probably details about your application):

Application Name
Application Website
Redirect URI or Callback URL

Once your application is registered, the service will issue “client credentials” in the form of a client identifier and a client secret.

I still believe that RFC6750 mandates the base64-encoding of the access_token in the Authorization header but after further research into it I've realized that many if not all vendors process the token in plain form (more precisely, in the same format, byte-for-byte, as was delivered in the access token response (RFC6749 section 4.1.4)).

Client components impacted by this change are:

• hub-kms
• edge-agent

https://github.com/trustbloc/hub-auth/blob/413a3517d5d5a373780c7f55d7f866456db5a31a/pkg/restapi/operation/operations.go#L806-L833

Instead of starting the one oidc client , this api will provide the crud operation to create the multiple oidc clients .. like google . apple, twitter etc

Followup to PR #57 .

We need a new store for the user's devices. The user's devices are not part of their bootstrap data.

When a user logs in using their device ("wallet unlock"), the user's device info will serve to locate the user's bootstrap profile, which will be served back to the wallet.

Implement a configurable policy for access_token TTLs.

1. Handle the login request
   • id token the sub inside the token should be stable per client id atleast
2. Handle the callback

part of #49

Add a /login endpoint to handle Hydra's login request challenge.

hub-auth resources

Breakdown

https://github.com/trustbloc/hub-auth/blob/7f0bdbb80f0887a134a753355a02b96ebe52e116/pkg/restapi/operation/operations.go#L160-L163

There are different lifetime and maintenance expectations on transient stores than on regular stores.

Remove the hard-coded sleep time from the docker-compose file while you're at it.

Initial issuer server with one test handler. makefile targets to start, configure, stop and test Hydra OAuth2 server.

Register the endpoints+handlers in the router in start.go

• Create the provider identifier
• Pass the identifier and create the redirect Call back URL
• send back the call back url to the provider button action button.

• Add Create OIDC Request
• Add Handle Call Back request

We need OIDC client credentials for Google's/Apple's/Microsoft's/GitHub's authentication service that we can use to login the user.

1. Handle the login request
   • id token the sub inside the token should be stable per client id atleast
2. Handle the callback

if the token is a JWT then the derived token can simply include a hash of the original + claims with the identity of the key server and resources they are authorized to access. This new token is encrypted for hub-auth.

hub-auth should onboard the user at the key server and the SDS

hub-auth should just provide the user with the URLs of hub-kms and edv. It must NOT register the user at any of those two because the registrant needs to prove control of keys, and hub-auth cannot do that on behalf of the wallet.