2017-06-27 10:19:39 -06:00
|
|
|
issuer@oauth3.org (js)
|
|
|
|
|
======================
|
|
|
|
|
|
|
|
|
|
Implementation of server-side RESTful OAuth3 issuer APIs.
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
These are the OAuth3 APIs that allow for creation and retrieval of public keys
|
|
|
|
|
used for signing identity tokens.
|
2017-06-27 10:19:39 -06:00
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
"issuer" is somewhat of a misnomer from the OIDC breakdown of authentication /
|
|
|
|
|
authorization parties. What we mean by "issuer" here is actually more like
|
|
|
|
|
"notary" or "authorized verifier". However, since the "iss" field is already
|
|
|
|
|
standardized, we keep that name for consistency.
|
2017-06-27 10:19:39 -06:00
|
|
|
|
|
|
|
|
What's to be implemented:
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
Looking at <https://oauth3.org/.well-known/oauth3/directives.json>, the core
|
|
|
|
|
issuer components are these:
|
2017-06-27 10:19:39 -06:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
api: api.:hostname
|
|
|
|
|
create_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
|
|
|
|
|
jwks: :scheme//:hostname/api/issuer@oauth3.org/jwks/:thumbprint.json
|
|
|
|
|
grants: :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
|
|
|
|
|
credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
|
|
|
|
|
credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp
|
|
|
|
|
authorization_decision :scheme//:hostname/api/issuer@oauth3.org/authorization_decision
|
|
|
|
|
authorization_dialog :scheme//:hostname/api/issuer@oauth3.org/authorization_dialog
|
|
|
|
|
logout :scheme//:hostname/api/issuer@oauth3.org/#/logout
|
|
|
|
|
```
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
No `access_token` endpoint is strictly necessary. Since clients can create and
|
|
|
|
|
manage their identity, the can sign create their own tokens. If the identity is
|
|
|
|
|
stored on the issuer, then the issuer can also sign tokens. Doing so gives full
|
|
|
|
|
control of all resources owned by the subject "sub" to the issuer "iss".
|
2017-06-27 10:19:39 -06:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
create_sub: :scheme//:hostname/api/issuer@oauth3.org/subs/:secret/:sub
|
|
|
|
|
```
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
And here are some others that are useful, but could be implemented differently
|
|
|
|
|
without breaking the protocol.
|
2017-06-27 10:19:39 -06:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins
|
|
|
|
|
credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
|
|
|
|
|
credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
The `sub` field must be `sha256(secret + ':' + azp)`.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
```js
|
2017-06-27 10:19:39 -06:00
|
|
|
var secret = '8f7acd369764df342d1581872ff5f70fcc261aa116b3c41dee7ca3474ee2020f' // cryto.randomBytes(32).toString('hex')
|
|
|
|
|
var sha256 = cryto.createHash('sha256');
|
|
|
|
|
sha256.update(new Buffer(secret, 'hex'));
|
|
|
|
|
sha256.update(':' + 'example.com');
|
|
|
|
|
|
|
|
|
|
var sub = sha256.digest('hex');
|
|
|
|
|
```
|
|
|
|
|
|
2017-06-30 14:26:12 -06:00
|
|
|
This way any issuer can transfer ownership of identity to any other issuer and
|
|
|
|
|
deterministically reproduce the ppid by virtue of the secret identity of the
|
|
|
|
|
subject and the public identity of the authorized party and the key is known to
|
|
|
|
|
be good if the issuer "iss" can supply the public key that verifies the token,
|
|
|
|
|
identified by its thumbprint "kid" (which the issuer knows without revealing
|
|
|
|
|
its ppid of the subject and without the authorized party needing to reveal its
|
|
|
|
|
ppid of the subject.
|
2017-06-27 10:19:39 -06:00
|
|
|
|
|
|
|
|
jwks
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
The jwk endpoint needs to reveal the jwk by thumbprint as well as some
|
