-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added examples for 3 Authz request options #218
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor nit, but overall, looks good to me, thank you!
it is an editorial PR, so no need for 4 >= approvals :)
authorization request defined in rfc9101 Co-authored-by: Kristina <[email protected]>
Thanks @Sakurann ! |
response_type=vp_token | ||
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | ||
&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cHM6Ly9zZWxmLWlzc3VlZC5tZS92MiIsInJlc3BvbnNlX3R5cGUiOiJ2cF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwcy8vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwic2NvcGUiOiJvcGVuaWQiLCJwcmVzZW50YXRpb25fZGVmaW5pdGlvbiI6eyJpZCI6ImV4YW1wbGVfand0X3ZjIiwiaW5wdXRfZGVzY3JpcHRvcnMiOlt7ImlkIjoiaWRfY3JlZGVudGlhbCIsImZvcm1hdCI6eyJqd3RfdmNfanNvbiI6eyJwcm9vZl90eXBlIjpbIkpzb25XZWJTaWduYXR1cmUyMDIwIl19fSwiY29uc3RyYWludHMiOnsiZmllbGRzIjpbeyJwYXRoIjpbIiQudmMudHlwZSJdLCJmaWx0ZXIiOnsidHlwZSI6ImFycmF5IiwiY29udGFpbnMiOnsiY29uc3QiOiJJRENyZWRlbnRpYWwifX19XX19XX0sIm5vbmNlIjoibi0wUzZfV3pBMk1qIn0.m1KYXT4r5Pj7Jh8gUlngpvjUoEZnOcbL8lXuDxbLbQyhLG9mro9EpT3I4YOm25tnxFx2mrKb42dFPxXOwLO5NbBmoYmY8wxH85H98RtpPGaTwCD6duxbp4eZm6LO-fdxpSvjzCAKoU3kzloh1Q1ijkP_ZQgwmS-uQba9qpu61hMjF6KIIjz59sJHpZOI0cEz4LqrLwXXIht0hyZXdE_vJIBEwfafoLZgggF9adNGUQnE3dXLi_is6XrDk7BS0VZds6IaNTVlIlS5NfHg6Lp1IpbiFta_6CWrFxtC1QoCIrhIzbJgnF4GRboy0SfYRXD8Vt8qbPzLIeUvE-LyObGN5g |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency with other examples we should use two space indents here:
response_type=vp_token | |
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | |
&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cHM6Ly9zZWxmLWlzc3VlZC5tZS92MiIsInJlc3BvbnNlX3R5cGUiOiJ2cF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwcy8vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwic2NvcGUiOiJvcGVuaWQiLCJwcmVzZW50YXRpb25fZGVmaW5pdGlvbiI6eyJpZCI6ImV4YW1wbGVfand0X3ZjIiwiaW5wdXRfZGVzY3JpcHRvcnMiOlt7ImlkIjoiaWRfY3JlZGVudGlhbCIsImZvcm1hdCI6eyJqd3RfdmNfanNvbiI6eyJwcm9vZl90eXBlIjpbIkpzb25XZWJTaWduYXR1cmUyMDIwIl19fSwiY29uc3RyYWludHMiOnsiZmllbGRzIjpbeyJwYXRoIjpbIiQudmMudHlwZSJdLCJmaWx0ZXIiOnsidHlwZSI6ImFycmF5IiwiY29udGFpbnMiOnsiY29uc3QiOiJJRENyZWRlbnRpYWwifX19XX19XX0sIm5vbmNlIjoibi0wUzZfV3pBMk1qIn0.m1KYXT4r5Pj7Jh8gUlngpvjUoEZnOcbL8lXuDxbLbQyhLG9mro9EpT3I4YOm25tnxFx2mrKb42dFPxXOwLO5NbBmoYmY8wxH85H98RtpPGaTwCD6duxbp4eZm6LO-fdxpSvjzCAKoU3kzloh1Q1ijkP_ZQgwmS-uQba9qpu61hMjF6KIIjz59sJHpZOI0cEz4LqrLwXXIht0hyZXdE_vJIBEwfafoLZgggF9adNGUQnE3dXLi_is6XrDk7BS0VZds6IaNTVlIlS5NfHg6Lp1IpbiFta_6CWrFxtC1QoCIrhIzbJgnF4GRboy0SfYRXD8Vt8qbPzLIeUvE-LyObGN5g | |
response_type=vp_token | |
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | |
&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cHM6Ly9zZWxmLWlzc3VlZC5tZS92MiIsInJlc3BvbnNlX3R5cGUiOiJ2cF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwcy8vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwic2NvcGUiOiJvcGVuaWQiLCJwcmVzZW50YXRpb25fZGVmaW5pdGlvbiI6eyJpZCI6ImV4YW1wbGVfand0X3ZjIiwiaW5wdXRfZGVzY3JpcHRvcnMiOlt7ImlkIjoiaWRfY3JlZGVudGlhbCIsImZvcm1hdCI6eyJqd3RfdmNfanNvbiI6eyJwcm9vZl90eXBlIjpbIkpzb25XZWJTaWduYXR1cmUyMDIwIl19fSwiY29uc3RyYWludHMiOnsiZmllbGRzIjpbeyJwYXRoIjpbIiQudmMudHlwZSJdLCJmaWx0ZXIiOnsidHlwZSI6ImFycmF5IiwiY29udGFpbnMiOnsiY29uc3QiOiJJRENyZWRlbnRpYWwifX19XX19XX0sIm5vbmNlIjoibi0wUzZfV3pBMk1qIn0.m1KYXT4r5Pj7Jh8gUlngpvjUoEZnOcbL8lXuDxbLbQyhLG9mro9EpT3I4YOm25tnxFx2mrKb42dFPxXOwLO5NbBmoYmY8wxH85H98RtpPGaTwCD6duxbp4eZm6LO-fdxpSvjzCAKoU3kzloh1Q1ijkP_ZQgwmS-uQba9qpu61hMjF6KIIjz59sJHpZOI0cEz4LqrLwXXIht0hyZXdE_vJIBEwfafoLZgggF9adNGUQnE3dXLi_is6XrDk7BS0VZds6IaNTVlIlS5NfHg6Lp1IpbiFta_6CWrFxtC1QoCIrhIzbJgnF4GRboy0SfYRXD8Vt8qbPzLIeUvE-LyObGN5g |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch!
"nonce": "n-0S6_WzA2Mj" | ||
} | ||
``` | ||
With these keys: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's only one key, so "keys" is wrong. Suggest a slightly more verbose wording too:
With these keys: | |
The example request object above is signed with this key: |
``` | ||
GET /authorize? | ||
client_id=client.example.org | ||
response_type=vp_token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
response_type isn't legal here as I mentioned here: #78 (comment)
response_type=vp_token |
``` | ||
GET /authorize? | ||
client_id=client.example.org | ||
response_type=vp_token | ||
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | ||
&client_id_scheme=x509_san_dns | ||
&client_metadata=... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
client_metadata
also isn't legal here (see link in previous comment)
&client_id_scheme=x509_san_dns | ||
&client_metadata=... | ||
&request_uri=https%3A%2F%2Fclient.example.org%2Frequest%2Fvapof4ql2i7m41m68uep | ||
&request_uri_method=post HTTP/1.1 | ||
``` | ||
And, later use the `request_uri` for the below request: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is what is meant?
And, later use the `request_uri` for the below request: | |
And, later the wallet might send the following non-normative example request to the `request_uri`: |
&client_id_scheme=x509_san_dns | ||
&client_metadata=... | ||
&request_uri=https%3A%2F%2Fclient.example.org%2Frequest%2Fvapof4ql2i7m41m68uep | ||
&request_uri_method=post HTTP/1.1 | ||
``` | ||
And, later use the `request_uri` for the below request: | ||
``` | ||
POST /request HTTP/1.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To match the above example it needs the full path that was passed in request_uri parameter:
POST /request HTTP/1.1 | |
POST /request/vapof4ql2i7m41m68uep HTTP/1.1 |
"response_type": "vp_token", | ||
"client_id": "s6BhdRkqt3", | ||
"redirect_uri": "https//client.example.org/cb", | ||
"scope": "openid", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd have probably preferred if all three examples showed the same request so that we were just highlighting the differences of the 3 formats (e.g. this request has scope=openid
and the above one doesn't) but I don't feel strongly about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! Agreed!
Formatting space Co-authored-by: Joseph Heenan <[email protected]>
``` | ||
{ | ||
"kty":"RSA", | ||
"kid":"k2bdc", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this key sure does bring back some memories, thanks for that, but this is not really consistent with how examples are provided in the rest of this document, is it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to use existing key
{
"kty": "EC",
"crv": "P-256",
"x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
"use": "enc",
"kid": "1",
"alg": "PS256"
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wait, what, the encryption key from one of the examples in the W3C Digital Credentials API section? that doesn't seem good. and where did you find the private key? so many questions...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wow the private key is apparently here https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.2 which is fun
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but maybe that's not even relevant
sorry
i am genuinely confused
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and by confused #218 (comment) i mean I don't understand what's going on here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your review and I hope to learn!
I found the key in this repo https://github.com/openid/OpenID4VP/blob/main/examples/digital_credentials_api/signed_request_payload.json#L19 and the draft https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html
you are right it is the same one as in that doc in section A1 https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.1 and A.2 section has the private key.
Lmk, if I should use a different key as its private key is readily available? Or do I need to create a new key pair and mention them in the doc? or something else?
Happy to get feedback and incorporate changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea of providing the key in a spec to allow for verification of examples is nice. But I don't think that's something that's been done much or at all in the 4VC family of documents. So doing it here is kind of out of place. And there are already plenty of opportunities for that in PAR, JAR, JWT, etc so it's arguably not necessary or even particularly useful to do here.
It's pretty well accepted that using the same key pair for both singing and encryption is a bad and potentially dangerous thing. So we should avoid doing anything that looks like it's condoning or encouraging the practice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the guidance! That makes sense!
I have removed the key and shortened the jwt to be eyJrd...
as no key is specified.
Let me know if this looks good.
``` | ||
GET /authorize? | ||
response_type=vp_token | ||
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | ||
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb | ||
&presentation_definition=... | ||
&scope=openid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not convinced it's a good idea to add scope=openid here, it makes it not a pure VP request and I think we want to show a basic VP request here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should i remove it from all 3 examples then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think so, yes, please - it's not there in any of the examples currently in the spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
&client_id=https%3A%2F%2Fclient.example.org%2Fcb | ||
&request=eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik1LQkNUTkljS1VTRGlpMTF5U3MzNTI2aURaOEFpVG83VHU2S1BBcXY3R | ||
DQiLCJ5IjoiNEV0bDZTUlcyWWlMVXJONXZmdlZIdWhwN3g4UHhsdG1XV2xiYk00SUZ5TSIsInVzZSI6ImVuYyIsImtpZCI6IjEiLCJhbGc | ||
iOiJQUzI1NiJ9.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cHM6Ly9zZWxmLWlzc3VlZC5tZS92MiIsInJlc3BvbnNlX3R5cGU |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the header of this thing decodes to the following, which isn't ok
{
"kty": "EC",
"crv": "P-256",
"x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
"use": "enc",
"kid": "1",
"alg": "PS256"
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed the key and shortened the jwt to be eyJrd... as no key is specified.
Let me know if this looks good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Friday night after IETF week is probably not an ideal time to be reviewing PRs, sorry, but this needs some care and feeding
No problem and thanks for the review. I am happy to nurture it as much as needed with help from reviewers and reiterate until we are at a good spot! |
&request_uri=https%3A%2F%2Fclient.example.org%2Frequest%2Fvapof4ql2i7m41m68uep | ||
&request_uri_method=post HTTP/1.1 | ||
&scope=openid | ||
``` | ||
And, later the wallet might send the following non-normative example request to the `request_uri`: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And, later the wallet might send the following non-normative example request to the `request_uri`: | |
Later, the wallet might send the following non-normative example request to the `request_uri`: |
Appreciate that attitude, thank you! I'm attempting to help as a reviewer but, like all of us, have only limited cycles and have to try and manage where they are applied. |
F.Y.I.
I could not find anything in the example that looked like payment transaction data. |
@cyberphone, how exactly is that comment helping progress this PR? |
@bc-pi Pardon me for disturbing the order. Anyway, the EUIDW payment project currently seems to lack a sequence diagram making transaction request data PRs somewhat less interesting. I haven't found any specification of virtual payment credentials either. In addition, I believe deterministically encoded CBOR would be a better mousetrap than JSON. |
@cyberphone, how exactly does that comment help answer the question about how exactly the previous comment is helping progress this PR? |
@bc-pi Is this PR supposed to cover payment requests as well? If so, I would put it on hold because it doesn't seem to match this use case. See also: https://www.w3.org/TR/payment-request/ |
I commend the relentlessly consistent approach @cyberphone takes here and in many other forums. I apologize to anyone reading these PR comments, and especially folks subscribed and receiving notifications, for my momentary laps of judgement in thinking that engaging in this context could possibly have had a different outcome. |
@@ -1909,7 +1973,6 @@ The following is a non-normative example of a request that combines this specifi | |||
``` | |||
GET /authorize? | |||
response_type=vp_token%20id_token | |||
&scope=openid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This scope=openid
should actually stay, as this section is showing an example of a SIOP request which does require openid
. (openid should still be omitted in the new examples you're adding)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! i wasn't sure about this earlier.
I've made the change.
The following is a non-normative example of Authorization Request with request object as value: | ||
``` | ||
GET /authorize? | ||
response_type=vp_token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
response_type isn't legal here, when request=
is used response_type can only be inside the request object, it should be removed:
response_type=vp_token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! good catch! I've made the change
PR Checkpoints
Summary
I used https://jwt.io/ to create the signed and encoded payload for
request
.Paste the payload in there to decode it and verify the signature
Related Issue(s)
Closes #78
Special notes for your reviewer