trustbloc / auth
Authorization Server
License: Apache License 2.0
Just proper request and response, but mock the response to be successful always; the service must return the same identifier when the same user logs in.
Remove the hard-coded sleep time from the docker-compose file while you're at it.
I still believe that RFC6750 mandates the base64-encoding of the access_token in the Authorization header but after further research into it I've realized that many if not all vendors process the token in plain form (more precisely, in the same format, byte-for-byte, as was delivered in the access token response (RFC6749 section 4.1.4)).
Client components impacted by this change are:
If the token is a JWT, then the derived token can simply include a hash of the original + claims with the identity of the key server and the resources they are authorized to access. This new token is encrypted for hub-auth.
Initial issuer server with one test handler. Makefile targets to start, configure, stop and test the Hydra OAuth2 server.
The exit code of the hydra command invocation is not checked; therefore the Hydra configuration script always succeeds whether the command failed or not.
To aid troubleshooting, we should check the exit code and fail properly.
During the /login flow, we need to ensure the relying party wallet has been registered.
Part of #49.
Add a /login endpoint to handle Hydra's login request challenge.
Followup to PR #57 .
We need a new store for the user's devices. The user's devices are not part of their bootstrap data.
When a user logs in using their device ("wallet unlock"), the user's device info will serve to locate the user's bootstrap profile, which will be served back to the wallet.
Could not be added at this time because Hydra is not set up in the BDD tests.
Similar to trustbloc/wallet#388
hub-auth should onboard the user at the key server and the SDS
hub-auth should just provide the user with the URLs of hub-kms and edv. It must NOT register the user at either of those two, because the registrant needs to prove control of keys, and hub-auth cannot do that on behalf of the wallet.
Instead of starting the one OIDC client, this API will provide CRUD operations to create multiple OIDC clients, like Google, Apple, Twitter, etc.
We need OIDC client credentials for Google's/Apple's/Microsoft's/GitHub's authentication service that we can use to log in the user.
| resource | type | sensitive? | served? | usage |
|---|---|---|---|---|
| key server URLs | list of URLs | no | yes | edge-agent Vue.js sets up key stores, then initializes wallet |
| sds server URLs | list of URLs | no | yes | edge-agent Vue.js sets up vaults, then initializes wallet |
| keyStoreIDs | list of IDs | yes | yes | edge-agent aries-framework-go KMS |
| SDS vault IDs | list of IDs | yes | yes | edge-agent aries-framework-go storage |
| user devices info | list of tuples {AAGUID publicKey, x509_cert} | yes | no | when unlocking: validate if device is registered and to which user before giving access to bootstrap resources (primary key is wiped from devices when locked, needs to be fetched from network) |
| locations of user primary key shares | list of SDS locations of the user's primary key shares (split w/SSS) | yes | yes | a) when unlocking: edge-agent Vue.js needs location + authZ to fetch those shares; b) key server needs locations + authZ to fetch those shares to unlock the user's key store and do crypto operations |
| authorized wallet callback URIs | list of URIs | no | no | configuration: helps restrict processing of authZ requests to authorized wallets |
/oauth2/request endpoint and redirects
handleOIDCCallback() should accept login request at hydra and redirect back to hydra
sub to locate the user's bootstrap data
If the cert/key path are not passed to the container, it intermittently fails without a clear cause. Breaks the expectation of the cert/key parameters being optional.
Error: open : no such file or directory
Implement a configurable policy for access_token TTLs.
Register the endpoints+handlers in the router in start.go
PR #37 is adding the UI stuff but not actually serving it.
This is a followup for task #19 : need to redirect the user to the UI endpoint when finished handling the OIDC callback. The redirectURL should contain a handle of some sort that can be used by the UI to fetch the user's bootstrap info and offer it to the wallet via CHAPI.
(i.e. use a different client_id, etc.)
There are different lifetime and maintenance expectations on transient stores than on regular stores.
Hub-auth will act as an OIDC provider as well, where a client like the KMS will register the application.
Before using hub-auth with your application, you must register your application with the service. This is done through a registration form in the “developer” or “API” portion of the service’s website, where you will provide the following information (and probably details about your application):
Application Name
Application Website
Redirect URI or Callback URL
Once your application is registered, the service will issue “client credentials” in the form of a client identifier and a client secret.