WICG / digital-credentials

Digital Credentials, like driver's licenses
https://wicg.github.io/digital-credentials/

parameters not specific to the credential format #7

Closed Sakurann closed 3 months ago

Sakurann commented 1 year ago

In the reconciliation example, nonce is duplicated in mdoc and federated, and readerPublicKey is included only in mdoc. Since nonce and probably readerPublicKey should be present in vc too, those parameters should be treated as credential format specific.

So examples for MDocs and FedCM could look as below:

MDocs

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
      readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
      mdoc: {
        retention: {
          days: 90,
        },
        documentType: "org.iso.18013.5.1.mDL",
        requestedElements: [
          { namespace: "org.iso.18013.5.1", name: "document_number" },
          { namespace: "org.iso.18013.5.1", name: "portrait" },
          { namespace: "org.iso.18013.5.1", name: "driving_privileges" },
          { namespace: "org.iso.18013.5.1.aamva", name: "organ_donor" },
        ],
      }
    }],
  }
});

FedCM

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "m5tGxUIsFtLi6pwg",
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123"
      }
    }]
  }
});
samuelgoto commented 1 year ago

Ah yeah, good point.

Since you kicked this off, we introduced a params object, which is a grab-bag of key-value pairs that is sent to wallets (and OIDC providers) after selection, which can contain anything that the RP may want to send to the wallet/idp. The intuition is that that's where nonce and readerPublicKey can live, because these aren't things that the browser cares about.

So, for example:

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      holder: {
        selector: {
          retention: {days: 90},
          doctype: "org.iso.18013.5.1.mDL",
          fields: [
            "org.iso.18013.5.1.document_number",
            "org.iso.18013.5.1.portrait",
            "org.iso.18013.5.1.driving_privileges",
            "org.iso.18013.5.1.aamva.organ_donor",
          ],
        },
        params: {
          nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
          readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
        }
      }
    }],
  }
});

and

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123",
        params: {
          nonce: "m5tGxUIsFtLi6pwg"
        }
      }
    }]
  }
});

Would that work?

OR13 commented 1 year ago

Is nonce the same as the WebAuthn challenge? Or can nonce be an arbitrary-length string (like a JWS or JWE)?

Are the params always limited to the "holder" concept, or are they values that are not controlled by the holder?

Sakurann commented 3 months ago

Closing this one since it was based on the old proposal and, with the new proposal, I believe this issue does not exist anymore.