WICG / digital-credentials

Digital Credentials, like driver's licenses
https://wicg.github.io/digital-credentials/

parameters not specific to the credential format #7

Open Sakurann opened 1 year ago

Sakurann commented 1 year ago

In the reconciliation example, nonce is duplicated in mdoc and federated, and readerPublicKey is included only in mdoc. Since nonce and probably readerPublicKey should be present in vc too, those parameters should be treated as credential-format specific.

So examples for MDocs and FedCM could look like the ones below:

MDocs

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
      readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
      mdoc: {
        retention: {
          days: 90,
        },
        documentType: "org.iso.18013.5.1.mDL",
        requestedElements: [
          { namespace: "org.iso.18013.5.1", name: "document_number" },
          { namespace: "org.iso.18013.5.1", name: "portrait" },
          { namespace: "org.iso.18013.5.1", name: "driving_privileges" },
          { namespace: "org.iso.18013.5.1.aamva", name: "organ_donor" },
        ],
      }
    }],
  }
});

FedCM

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "m5tGxUIsFtLi6pwg",
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123"
      }
    }]
  }
});
samuelgoto commented 9 months ago

Ah yeah, good point.

Since you kicked this off, we introduced a params object, which is a grab-bag of key-value pairs that is sent to wallets (and OIDC providers) after selection, which can contain anything that the RP may want to send to the wallet/idp. The intuition is that that's where nonce and readerPublicKey can live, because these aren't things that the browser cares about.

So, for example:

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      holder: {
        selector: {
          retention: {days: 90},
          doctype: "org.iso.18013.5.1.mDL",
          fields: [
            "org.iso.18013.5.1.document_number",
            "org.iso.18013.5.1.portrait",
            "org.iso.18013.5.1.driving_privileges",
            "org.iso.18013.5.1.aamva.organ_donor",
          ],
        },
        params: {
          nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
          readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
        }
      }
    }],
  }
});

and

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123",
        params: {
          nonce: "m5tGxUIsFtLi6pwg"
        }
      }
    }]
  }
});

Would that work?

OR13 commented 8 months ago

Is nonce the same as the WebAuthn challenge? Or can nonce be an arbitrary-length string (like a JWS or JWE)?

Are the params always limited to the "holder" concept, or are they values that are not controlled by the holder?