Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: OpenID Federation for the verifier <-> holder #27

Closed

Conversation

Tommylans
Copy link
Member

The main branch isn't updated so the pr looks really big. So if we do that it will become more clear.

Not everything is finished yet. But it would be really nice to have this merged quite soon so we can start on the implementation for the wallet.

For the issuance it's a bit more unclear of what's need to happen will do some more investigation quickly.

Also the policies are not merged yet in the openid federation. But is planned but the merge strategy is a bit complex so the main goal was to have the structure working for now

@Tommylans Tommylans force-pushed the feature/openid-federation-verfier branch from 310e1a6 to bcaed4d Compare November 7, 2024 10:35
@Tommylans Tommylans requested a review from TimoGlastra November 7, 2024 10:36
Signed-off-by: Tom Lanser <[email protected]>
Copy link
Member

@TimoGlastra TimoGlastra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's two things I'm missing:

  • actual verification of the JWT to be verified (see comment)
  • the federation metadata taking precedence of the non-federation metadata. Is that still todo? So the client_metadata MUST be ignored when federation is used, and only the federation metadata should be used.

Comment on lines +46 to 49
const openidProvider = await this.getOpenIdProvider(agentContext, {
federation: options.federation,
})

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is ok for now, but was also discussing with NF and i think we probably need to have some more control over 'trusted' entities in Credo.

So extend the x509 callbacks with global 'verificationContext` and you can either provide it to the call, or we use the global static config, or we use the dynamic callback. And you can either provide trusted federations, trusted x509s, or trusted dids / did methods.

(just rambling here 😄 )

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think we should think a bit more about this of what a good structure would be.

Comment on lines 73 to 75
const { key } = await config.keyCallback(agentContext, {
verifierId: verifier.verifierId,
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what this is? Is it the key used for the entity? I think that can just be a key generated by Credo right on the spot? or we should store it in some sort of FederationEntityRecord that we create if it doesn't exist yet?

Comment on lines 92 to 94
const jwk = getJwkFromKey(key)
const alg = jwk.supportedSignatureAlgorithms[0]
const kid = 'key-1'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can an federation put restrictions on which key types are used for signing the entity configurations?

@@ -0,0 +1,9 @@
import type { AgentContext, Key } from '@credo-ts/core'

// TODO: Not really sure about this type yet but it's a start.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see my other comment ,do we really need this callback?

Comment on lines 75 to 76
organization_name: issuerDisplay.organization_name,
logo_uri: issuerDisplay.logo_uri,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

organization_name and logo_uri are different in te issuer display. I think name and logo.uri. I think we can just reuse them instead of requiring duplicate parameters?

packages/openid4vc/src/shared/utils.ts Show resolved Hide resolved
const issuanceBaseUrl = `${baseUrl}/oid4vci`
const verificationBaseUrl = `${baseUrl}/oid4vp`

describe('OpenId4Vc', () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we also add a negative test (non-trusted federatino)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants