EC-SEAL / interface-specs

Open API specifications
1 stars 4 forks source link

feature: Request attributes from the SSI Wallet for multiple sources e.g. eIDAS, eduGAIN etc #7

Open ross-little opened 3 years ago

ross-little commented 3 years ago

Feature Request

Request attribute claims for multiple sources from the RM to the SSI Wallet It is needed to request multiple claims from multiple issuers e.g. eIDAS, eMRTD, eduGAIN from the RM to the SSI Wallet and it is supposed to use the /is/query with apRequest & apMetadata but this was supposing that there was one issuer of the data. So the dsResonse & dsMetada received in the call back to the RM pertain to one source. The attribute set received in the dsResponse also only contain one issuer and associated LoA etc for that one issuer.

Side issue A related issue is that there can be requested of attribute claims with the same name and it is not known which source that is requested e.g. family_name may be obtained from eMRTD or eIDAS so we need to determine how best we indicate the source that is requested, if a specific source such as eIDAS is requested

Describe Preferred Solution

  1. To request attributes from the SSI Wallet It seems we need a new new type of request API e.g ssiRequest to the SSI module with the attributes returned to the RM in the dataStore.

  2. To specify the exact claim source it must also either be clearly stipulated in the requested trust framework context in the ssiRequest e.g. context: @eidas or explicityly specify the uri of the claim e.g. http:seal.eidas.claims/family_name

@faragom @endimion @rcc-atos @mvj66 Ideas?

faragom commented 3 years ago

I believe we are mixing concepts: all attributes in all profiles always have globally unique names, which are different from the friendlyNames we use for convenience.

We want to be able to request attributes from multiple sources. This is important, because source is not equal to profile (two sources could serve attributes from the same profile, and a source could serve attributes from more than one profile).

Next, the mention to the SSI module requires us to settle another definition: SSI module acts in some way as an aggregator of sources, so we need to differentiate source (where the attributes come from), from module (where the RM sends the request).

So now that we have settled the terms, my guess is that we want (correct me if I'm wrong):

The RM to be able to request a module attributes from different sources, assuming that the sources only deliver attributes from one profile

If we don't make the last assumption, we need as well to differentiate the profiles, so 3 dimensions: attribute x profile x source. This would require us to use to the proper names of the attributes instead of the friendy names. I would avoid this for now, but the chance is always there.

So, we need to identify 2 things:

  1. The module to query
  2. Which source does every attribute belong to

For the 1st point, we already have spRequestSource parameter, so we are done

For the 2nd point, I propose scoping the request attributes. This way we dont need to implement anything new, nor do any heavy changes. So when requesting attributes, instead of this:

schacHomeOrganization
GivenName
mail
PersonIdentifier

we write this on the name/friendlyName fields of the request:

schacHomeOrganization@EduGAIN
GivenName@eIDAS
mail@EduGAIN
PersonIdentifier@eIDAS

The other option would be to extend the attributeType object (spec) and include a scoping field, to include this information, but this will require changing pretty much code, and I would not recommend that now.

Also, as a comment for further work, this scoping to describe the source could be generalised to a syntax to search specific datasets or categories, which is something we've already discussed in other issues.

endimion commented 3 years ago

Ok, so if I get this right...

The proposition is to add @resource-source to the spRequest? Then it is easy for the new module to request the appropriate VCs to satisfy this request.

Sounds good to me :)

ross-little commented 3 years ago

Ok so this could work in the request for providing the scoping context to specify the attributes friendlyName source. Should this be handled by updates in the configuration of the attribute friendly names in the configuration files or should be coded into the RM and identity source modules to check for the scoping @ context?

Also, for the response, the metadata such as eIDAS LoA and issuer information would be lost as only the requested claims would be returned, if the response is returned in the attributeSet (as the attributeSet only supports this information for one source). Perhaps then it could be better to consider a solution that returns the requested claims and metadata from multiple identity sources in the dataStore?

faragom commented 3 years ago

Should this be handled by updates in the configuration of the attribute friendly names in the configuration files or should be coded into the RM and identity source modules to check for the scoping @ context?

I would do it on the RM, dynamically, because doing it by config would be unmanageable, and cause more errors in the end. Also, in the future, the RM might have specific UI to allow multi-source selection. Also, the consent form can be more friendly (instead of showing the attribute@source, maybe show somehting like "attribute (from source)" )

Also, for the response, the metadata such as eIDAS LoA and issuer information would be lost as only the requested claims would be returned, if the response is returned in the attributeSet (as the attributeSet only supports this information for one source).

Well, the response object supports multiple attributeSet objects, if you remember from ESMO, so you could return it as that. Problem is SAML2Int doesn't, and in the end we lose that info by reducing data to a single assertion, but that is something we cannot solve without losing compliance and resorting to non-standard clients.

Perhaps then it could be better to consider a solution that returns the requested claims and metadata from multiple identity sources in the dataStore?

I'm not completely sure of the use case you are solving here. A SP asks for some data from some source to a SEAL SPms (SAML/OIDC), the source is SSI. The request goes to the RM and then it is sent to the SSI module. The SSI module returns a response, and it goes back to the SP. What's the difference of getting that info in the dataStore if in the end it has to reach the SP? And if the user wants to get data from a VC into the dataStore, he can do it from the dashboard, right?

endimion commented 3 years ago

Hey Paco,

I think we are getting confused here.

So, at the moment to my understanding the design is as follows:

What is missing is the point of how to write to the session the results. So, the issue is how do you believe it best fits the rest of the architecture to write this response.

ross-little commented 3 years ago

Well, the response object supports multiple attributeSet objects, if you remember from ESMO, so you could return it as that. Problem is SAML2Int doesn't, and in the end we lose that info by reducing data to a single assertion, but that is something we cannot solve without losing compliance and resorting to non-standard clients.

The response object to the RM is the dsResponse and only supports one attributeSet from one data source unfortunately. It is the spResponse that supports an array of attributeSets. Thus I think it is better to do this in a similar way to what is done today for the query to a user's PDS i.e. have a separate api to query the SSI Wallet for the claims (this could be included in an attribute Set with friendlyName@source e.g. DateOfBirth@eidas , DateOfBirth@emrtd or new format as you prefer, and the response is returned in the dataStore.

NB this is the verification flow so does not use the dashboard but the RM GUI.

Lets have a quick chat to discuss this...

endimion commented 3 years ago

Ok guys, so any decision on this to close it please :) :) :1st_place_medal: :100:

faragom commented 3 years ago

Hi, sorry, my mail is a chaos lately:

So, at the moment to my understanding the design is as follows:

The SP makes a request to SEAL platform: the request is processed and is stored in session as an AttributeSet with the name idpRequest
The flow gets redirected to this new module (lets call it ssi-idp-ms) using a redirection token (msToken)
The ssi-idp-ms reads the sessionId from the token and retrieves the idpRequest

Correct

Inside the friendly name of the attributes contained by the idpRequest the post-fix @source was added (by the RequestManager?)

By the RM if the selection of attributes i done at the RM, or by the SP on the request, yes.

The ssi-idp-ms module gets the figures out the required VCs by the idpReques and asks the user for them
The ssi-idp-ms reads the VCs validates them etc and has all the required attributes in memory
The ssi-idp-ms writes to the session the results
The ssi-idp-ms generates a token and redirects the flow back to the request manager (/rm/response)

Correct, but not sure what you mean by writes in session. The ssi-idp-ms module must return an attributeSet object in session, not write datasets on the PDS interface.

What is missing is the point of how to write to the session the results. So, the issue is how do you believe it best fits the rest of the architecture to write this response.

It is straightforward: the ssi-idp-ms module has to return an attributeSet object with a list of attributes, so you should write the values there for the scoped attributes that were requested.

The RM will get that response and return it as it does for the eidas-idp, edugain-idp, etc.

The response object to the RM is the dsResponse and only supports one attributeSet from one data source unfortunately. >It is the spResponse that supports an array of attributeSets. Thus I think it is better to do this in a similar way to >what is done today for the query to a user's PDS i.e. have a separate api to query the SSI Wallet for the claims (this >could be included in an attribute Set with friendlyName@source e.g. DateOfBirth@eidas , DateOfBirth@emrtd or new format >as you prefer, and the response is returned in the dataStore.

Yes, I've re-read my answer from the other day and see I messed things up. Sorry

Well, I originally considered PDS as a special case, and the VCs as a common idp module. I proposed this approach because I believe that the ssi-idp-ms can do this stuff, return the attributeSet with the scoped attributes, and have zero impact on the RM, but if you already have the special behaviour implemented for the PDS and you want to establish a specific query api between the RM and the ssi-idp-ms, I'm fine with that as well.

NB this is the verification flow so does not use the dashboard but the RM GUI.

Correct.

Lets have a quick chat to discuss this...

Uops, sorry.

ross-little commented 3 years ago

Please see my comments below:

Inside the friendly name of the attributes contained by the idpRequest the post-fix @source was added (by the RequestManager?)

As a friendly name could be requested by the SP over OIDC and there exist the possibility of coincidences on friendly name what about just using OIDC scopes in the OIDC SP (e.g. eIDAS, eMRTD, eduGAIN) and when the SPms receives such a request for these scopes it translates it to the full name attributes in the attribute set of the apRequest in the /is/query/ API?

Thus we process the request in the RM the same was as now and when the /is/query arrives for the SSI module it knows exactly the claims to request to the SSI Wallet.

So to limit new design we can then just agree to send the request in the /is/query/ With short and full attribute names as indicated in the apRequest attributeSet.

The RM will remember that it sent this request to the SSI Agent and expect the result in the data store.

So we go ahead with this for now anyway and Nikos can return the result in the data store.

And still to clarify if @.*** is needed or can be handled in SP ms as indicated above?

Cheers //Ross

From: faragom @.> Sent: 16 March 2021 11:45 To: EC-SEAL/interface-specs @.> Cc: Little Armitt, Ross @.>; Author @.> Subject: Re: [EC-SEAL/interface-specs] feature: Request attributes from the SSI Wallet for multiple sources e.g. eIDAS, eduGAIN etc (#7)

Caution! External email. Do not open attachments or click links, unless this email comes from a known sender and you know the content is safe.

Hi, sorry, my mail is a chaos lately:

So, at the moment to my understanding the design is as follows:

The SP makes a request to SEAL platform: the request is processed and is stored in session as an AttributeSet with the name idpRequest

The flow gets redirected to this new module (lets call it ssi-idp-ms) using a redirection token (msToken)

The ssi-idp-ms reads the sessionId from the token and retrieves the idpRequest

Correct

Inside the friendly name of the attributes contained by the idpRequest the post-fix @source was added (by the RequestManager?)

By the RM if the selection of attributes i done at the RM, or by the SP on the request, yes.

The ssi-idp-ms module gets the figures out the required VCs by the idpReques and asks the user for them

The ssi-idp-ms reads the VCs validates them etc and has all the required attributes in memory

The ssi-idp-ms writes to the session the results

The ssi-idp-ms generates a token and redirects the flow back to the request manager (/rm/response)

Correct, but not sure what you mean by writes in session. The ssi-idp-ms module must return an attributeSet object in session, not write datasets on the PDS interface.

What is missing is the point of how to write to the session the results. So, the issue is how do you believe it best fits the rest of the architecture to write this response.

It is straightforward: the ssi-idp-ms module has to return an attributeSet object with a list of attributes, so you should write the values there for the scoped attributes that were requested.

The RM will get that response and return it as it does for the eidas-idp, edugain-idp, etc.

The response object to the RM is the dsResponse and only supports one attributeSet from one data source unfortunately. >It is the spResponse that supports an array of attributeSets. Thus I think it is better to do this in a similar way to >what is done today for the query to a user's PDS i.e. have a separate api to query the SSI Wallet for the claims (this >could be included in an attribute Set with @. e.g. @. , @.*** or new format >as you prefer, and the response is returned in the dataStore.

Yes, I've re-read my answer from the other day and see I messed things up. Sorry

Well, I originally considered PDS as a special case, and the VCs as a common idp module. I proposed this approach because I believe that the ssi-idp-ms can do this stuff, return the attributeSet with the scoped attributes, and have zero impact on the RM, but if you already have the special behaviour implemented for the PDS and you want to establish a specific query api between the RM and the ssi-idp-ms, I'm fine with that as well.

NB this is the verification flow so does not use the dashboard but the RM GUI.

Correct.

Lets have a quick chat to discuss this...

Uops, sorry.

- You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FEC-SEAL%2Finterface-specs%2Fissues%2F7%23issuecomment-800151439&data=04%7C01%7Cross.little%40atos.net%7Cfe2fcba3111c444f49fc08d8e868adfc%7C33440fc6b7c7412cbb730e70b0198d5a%7C0%7C0%7C637514883613821409%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=33DGoROY38YDYQunSxTxVMhQGdt7WKVyE89rPjNBLxw%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFIYVNHVDGC3AU5KUIYKDU3TD4ZCZANCNFSM4XYIGH6Q&data=04%7C01%7Cross.little%40atos.net%7Cfe2fcba3111c444f49fc08d8e868adfc%7C33440fc6b7c7412cbb730e70b0198d5a%7C0%7C0%7C637514883613831407%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pjXVVP6e2c9NgGAOBU0Fbd%2BF6d6YAbzr2cE1%2F4q6eg0%3D&reserved=0.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus.

faragom commented 3 years ago

You answered the e-mail directly inline and I can't identify your comments. Could you write them in a clear way? if you want to cite any part of the former responses, please, use the markdown syntax for clarity

ross-little commented 3 years ago

ok I thought it would appear. Here is the follow-up to implement the solution as below:

As a friendly name could be requested by the SP over OIDC and there exist the possibility of coincidences on friendly name what about just using OIDC scopes in the OIDC SP (e.g. eIDAS, eMRTD, eduGAIN) and when the SPms receives such a request for these scopes it translates it to the full name attributes in the attribute set of the apRequest in the /is/query/ API?

Thus we process the request in the RM the same was as now and when the /is/query arrives for the SSI module it knows exactly the claims to request to the SSI Wallet.

So to limit new design we can then just agree to send the request in the /is/query/ With short and full attribute names as indicated in the apRequest attributeSet.

The RM will remember that it sent this request to the SSI Agent and expect the result in the data store.

So we go ahead with this for now anyway and Nikos can return the result in the data store.

And still to clarify if friendlyname@profile is needed or can be handled in SP ms as indicated above?

faragom commented 3 years ago

As a friendly name could be requested by the SP over OIDC and there exist the possibility of coincidences on friendly name what about just using OIDC scopes in the OIDC SP (e.g. eIDAS, eMRTD, eduGAIN) and when the SPms receives such a request for these scopes it translates it to the full name attributes in the attribute set of the apRequest in the /is/query/ API?

Well, the strategy depends on your needs. Requesting scopes (as properly understood by OIDC) allows you requesting blocks of attributes, but not individual ones.

At the OIDC microservice, to determine the source and the endpoint, I created specifric claims and set up a processing syntax over it, to have a variable part. This way, an OIDC RP can send these scopes on the request:

sealprojectsrc:eIDAS   sealprojectep:query

And the OIDCms will know the RP wants to do a query and not an authentication, and that it wants to quetry the eIDAS source.

We can use the same approach if we want to request scoped attributes. Right now, the OIDCms defines a scope per each available attribute, and the RP can set them on the request and they will be translated to an attribute on the request to the RM. We can add this variable part and transmit it to the RM. IUt will be quite easy, as I parametrised the attribute mappings. I can do it in two ways: either by adding all attribute@scope possibilities to the mappings, or by explicitly processing the string to remove the @scope part before dealing with the attribute, and adding it later when translated.

So the possibilities are these. First you need to take the decission of using proper-scopes or doing this.

Thus we process the request in the RM the same was as now and when the /is/query arrives for the SSI module it knows exactly the claims to request to the SSI Wallet.

I don't think it solves the problem properly, and I don't see how it is less complex than the other solution. You will be asking more attributes than originally intended, because you will request the whole scope, and you still need to translate the scope name to the list of attributes (and knowing the source for each one of them). but anyway, we can do it as that if you want.

So to limit new design we can then just agree to send the request in the /is/query/ With short and full attribute names as indicated in the apRequest attributeSet.

So, if I understood it, the idea is to define new "attribute" names, which will really be scope names that will be passed to the SSI module, and the SSI module will return all the available attributes on each of the scopes, as dataSets (one per scope), on the data store, right? Ok, if you want to go with that, it's not optimal, but will cause the lesser impact on the code.

The RM will remember that it sent this request to the SSI Agent and expect the result in the data store.

Ok, but how will the RM know which object(s) is/are the result?

So we go ahead with this for now anyway and Nikos can return the result in the data store.

Ok

And still to clarify if friendlyname@profile is needed or can be handled in SP ms as indicated above?

If you want to use specific scope names, we just have to add them at the SAMLms, OIDCms and RMms as a new attribute profile. The interpretation that the SSI module does for that profile does not matter any of the other modules.

So, based on your needs, @endimion , choose "attribute-scope" names (we can use the same unique strings for the friendlyName and for the Name), and pass me the list so I can add them to the SAMLms and OIDCms for them to be acceped