search

openwallet-foundation / acapy

ACA-Py is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://aca-py.org
Apache License 2.0
419 stars 512 forks source link

connection protocol expects did identifier for DID instead of did #711

Closed TimoGlastra closed 4 years ago

TimoGlastra commented 4 years ago

This is more a question than a bug report.

When testing interoperability between aries-framework-javascript (AFJ) and ACA-PY there was an issue with the did and diddoc while creating a connection. (the connection and connection~sig parameters in request / response)

ACA-Py throws the error: Connection DID does not match DIDDoc id

I could find this interaction in the rocket chat where @andrewwhitehead says you should send the DID without the did:sov: part.

The issue lies with that in AFJ we call the indyCreateAndStoreMyDid function for a new connection with the "method_name": "sov" parameter, which returns the whole did instead of only the did identifier.

Removing the did:sov part indeeds works, but this leaves me with some questions.

  1. The id in the the DIDDoc is still the full did containing did:sov: while the DID parameter now only contains the did identifier. So when the error is thrown they do match and after fixing the error and they do not match anymore the error is not thrown. This seems reversed to me?
  2. RFC0160 mentions that the DID parameter indicates a DID, ACA-Py expects it to be a DID identifier. Why is that?

aries-framework-dotnet also uses the did identifier instead of the full did, however they don't check if the diddoc id matches with the did, so it is "okay".

If only sending the did identifier is the way to go I'll make the necessary changes in AFJ, but as it contradicts with how I interpret the RFC I want to be sure.

sklump commented 4 years ago

@andrewwhitehead can you take this?

TimoGlastra commented 4 years ago

Any update on this?

I would love to make AFJ interoperable with ACA-Py.

I understand if you don't have the time to go into detail. In that case i'll just go ahead and send the DID without the did:sov part.

swcurran commented 4 years ago

@andrewwhitehead - please review and respond. Thanks.

andrewwhitehead commented 4 years ago

I agree something needs to change if it can't handle a prefixed DID, but it seems like this will need significant testing (including against the mobile apps) before we roll out a version with these changes. It also looks like when ACA-py might be producing a connection request it's using the un-prefixed DID, which may go back to a previous version of the RFC.

TimoGlastra commented 4 years ago

Thanks @andrewwhitehead. I've discussed and for now we'll change to using the un-prefixed DID. Maybe ACA-Py could eventually support both prefixed DIDs and un-prefixed DIDs for backwards compatibility.