Open jonathan-consensysHealth opened 4 years ago
related to #142
yes, although first there is authentication, then exchange of verifiable credentials, then authorization, then performing additional actions such as storing a release of information as a signed payload, which could be a verifiable credential. I'll try to include the flow diagrams soon to flesh it all out.
I as an end-user can authenticate to the KONG API using a cryptographically signed payload.

1. Present QR code to end-user.
2. End user scans QR code and consumes the content, parsing the openID: section for nonce and callback.
3. End user signs the nonce.
4. End user device sends signed nonce to callback.
5. KONG API receives the signed challenge (nonce).
6. KONG API parses the JWT.
7. KONG API fetches the public key associated with the KID in the JWT.
8. KONG API validates the signature.
9. KONG API creates a token (i.e. Bearer token) and stores this in DB including TTL; this is sharable with all backends.

Additional steps would be to request additional verifiable credentials or claims to identify the end-user (i.e. verifiable credentials for name, and why they should have access).