Comments (7)
As per the discussion, the plan the team agreed upon is:
User agent on page load will be redirected to Hub-Auth. After successful login, there will be DID communication to share the bootstrap data.
- Hub-Auth needs to have a public DID
- Hub-Auth will generate an invitation
- Hub-Auth will send the invitation to the user-agent via redirect URI
- Then the DID Comm connection will begin using the messaging protocol.
@talwinder50 @sudeshrshetty @DRK3
Based on today's call:
@llorllale @talwinder50
You don't have to call CHAPI to send user bootstrap info. Remember, CHAPI registration happens after successful login.
Webwallet registration already has an API to save user metadata (refer to the wallet-metadata store in jsindexdb).
Currently, we are saving username, user DID, invitation & signature type. You just have to add more fields in the already existing wallet user metadata.
https://github.com/trustbloc/edge-agent/blob/master/cmd/user-agent/src/pages/chapi/Login.vue#L83
@sudeshrshetty @talwinder50 we need to talk about this then, because this flow will change anyhow.
In the long run: hub-auth and edge-agent should exchange key material (DIDs) to create a secure authenticated channel. hub-auth can push updates through this channel, and offer services the user may also use.
In the short run: edge-agent should register key material (DID) in hub-auth. With this, the user does not have to be redirected to hub-auth whenever they need to authenticate to other components (e.g. adapters).
@sudeshrshetty @talwinder50 @aholovko as we discussed, here's my proposal in rough form. Please weigh in to see if it looks like it's going in the right direction:
Proposal: hub-auth sends bootstrap data to the wallet via CHAPI
Goals:
- Authenticate the user using an external OIDC provider
- User SSO
- Adapters (and other components?) do not redirect the user (again) during the login phase
Assumptions:
- User will be authenticating to the adapters much more frequently than to hub-auth
- The wallet is already registered as a CHAPI Credential Handler in the user's browser
Flow (1st time login):
- User navigates to wallet domain and clicks on Login
- Redirect to hub-auth
- hub-auth redirects to OIDC provider
- OIDC provider authenticates user
- User redirected back to hub-auth
- hub-auth onboards user in network
- hub-auth sets up bootstrap data
- hub-auth creates a CHAPI request with bootstrap data
- hub-auth invokes navigator.credentials.get({bootstrap data})
- edge-agent stores bootstrap data
- edge-agent creates new key pair (did:key?)
- edge-agent responds (CHAPI) with pub key
- hub-auth verifies everything is OK
- (Optional) redirect user back to wallet domain
Key features:
- Wallet registers a key with hub-auth, which means the user doesn't need to be redirected anywhere when authenticating to the Adapters
@llorllale here are the points I am concerned with.
- We shouldn't register CHAPI before login. It will initialize the polyfill handler in the browser, and the user can launch the CHAPI window without login (even after a failed login). In the current basic implementation we have, the polyfill handler gets registered/unregistered during login/logout; I propose we should stick to that.
- The hub-auth request with bootstrap data should be generic; we shouldn't send bootstrap data through CHAPI (also, we can't send a CHAPI request if the wallet is not registered).
We have the 'webwallet JS API' in place to handle user registration/login; we can reuse/modify that to handle user bootstrap data without involving CHAPI.
Reasons:
- CHAPI is just an iframe handled by the polyfill handler JS API; it is as secure as the user agent login page.
- A CHAPI request (a store call in your case) should have data only in presentation format (meaning a CHAPI request for store() should only be in presentation format). We shouldn't send arbitrary data to CHAPI.
- CHAPI, when launched, transits to a third-party domain even if they are local (like authn.io), which may not be safe for sensitive data like user bootstrap data.
- Bad user experience: for a simple login we have to go through 3 popups/pages:
  - wallet registration popup
  - login page
  - wallet selection popup + showing some UI for bootstrap data in the CHAPI window + accepting it
@troyronda @rolsonquadras @fqutishat ^^
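Two of the concerns above are checkable on the wallet side: a CHAPI store() request should only ever carry a Verifiable Presentation, and the handler should only be registered while a user is logged in. The following is an added example, not edge-agent code, showing both checks in plain JavaScript. The function and class names (`validateStoreRequest`, `WalletSession`), the allow-list of presentation fields and the two sample payloads are assumptions constructed for illustration; the second sample models bootstrap fields smuggled inside a presentation-shaped object:

```javascript
// Added example, not edge-agent project code: a guard for CHAPI store() payloads
// that admits only Verifiable Presentations, plus login-gated handler registration.
// All names and sample data below are constructed for illustration.

const VC_CONTEXT = "https://www.w3.org/2018/credentials/v1";
// Top-level members a Verifiable Presentation is expected to carry (assumed allow-list).
const ALLOWED_VP_KEYS = new Set([
  "@context", "type", "id", "holder", "verifiableCredential", "proof",
]);

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Returns { ok: true } or { ok: false, reason } without throwing, so the
// handler can show a plain rejection in the wallet UI instead of persisting.
function validateStoreRequest(data) {
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, reason: "payload is not a JSON object" };
  }
  if (asArray(data["@context"])[0] !== VC_CONTEXT) {
    return { ok: false, reason: "first @context entry must be the VC v1 context" };
  }
  if (!asArray(data.type).includes("VerifiablePresentation")) {
    return { ok: false, reason: "type must include VerifiablePresentation" };
  }
  const extra = Object.keys(data).filter((k) => !ALLOWED_VP_KEYS.has(k));
  if (extra.length > 0) {
    // The "arbitrary data" case from the discussion: bootstrap fields riding
    // inside a store() request are rejected rather than written to the store.
    return { ok: false, reason: `unexpected top-level fields: ${extra.join(", ")}` };
  }
  if (data.verifiableCredential !== undefined) {
    for (const vc of asArray(data.verifiableCredential)) {
      if (!vc || !asArray(vc.type).includes("VerifiableCredential")) {
        return { ok: false, reason: "embedded item is not a VerifiableCredential" };
      }
    }
  }
  return { ok: true };
}

// Models register-on-login / unregister-on-logout: the CHAPI handler can only
// be registered while a session is active, so a failed login never exposes it.
class WalletSession {
  constructor() { this.user = null; this.handlerRegistered = false; }
  login(username) { this.user = username; }
  logout() { this.user = null; this.handlerRegistered = false; }
  registerHandler() {
    if (this.user === null) {
      return { ok: false, reason: "refusing to register CHAPI handler without a login" };
    }
    this.handlerRegistered = true;
    return { ok: true };
  }
}

// Constructed sample inputs.
const SAMPLE_VP = {
  "@context": [VC_CONTEXT],
  type: ["VerifiablePresentation"],
  verifiableCredential: [{
    "@context": [VC_CONTEXT],
    type: ["VerifiableCredential"],
    issuer: "did:example:issuer-placeholder",
    credentialSubject: { id: "did:example:holder-placeholder" },
  }],
};
const SAMPLE_BOOTSTRAP_SMUGGLED = {
  "@context": [VC_CONTEXT],
  type: ["VerifiablePresentation"],
  userDID: "did:example:holder-placeholder",
  invitation: { label: "invitation-placeholder" },
};

console.log(validateStoreRequest(SAMPLE_VP));
console.log(validateStoreRequest(SAMPLE_BOOTSTRAP_SMUGGLED));
```

The allow-list is deliberately strict: anything that is not a known presentation member is refused, which is simpler to reason about than trying to enumerate every shape of bootstrap data that must not be accepted.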