coolaj86/issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
5 Commits 4 Branches 2 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
tigerbot c62cd15644 added authorization check to grant requests
2017-06-30 12:58:27 -06:00
models.js
added routes to save and retreive grants
2017-06-28 18:34:20 -06:00
package.json
added some routes to save and retrieve JWKs
2017-06-28 14:28:28 -06:00
README.md
notes
2017-06-27 10:19:39 -06:00
rest.js
added authorization check to grant requests
2017-06-30 12:58:27 -06:00

README.md

issuer@oauth3.org (js)

Implementation of server-side RESTful OAuth3 issuer APIs.

These are the OAuth3 APIs that allow for creation and retrieval of public keys used for signing identity tokens.

"issuer" is somewhat of a misnomer from the OIDC breakdown of authentication / authorization parties. What we mean by "issuer" here is actually more like "notary" or "authorized verifier". However, since the "iss" field is already standardized, we keep that name for consistency.

What's to be implemented:

Looking at https://oauth3.org/.well-known/oauth3/directives.json, the core issuer components are these:

api:                    api.:hostname
create_jwk:             :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
jwks:                   :scheme//:hostname/api/issuer@oauth3.org/jwks/:thumbprint.json
grants:                 :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
credential_meta:        :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
credential_otp:         :scheme//:hostname/api/issuer@oauth3.org/otp
authorization_decision  :scheme//:hostname/api/issuer@oauth3.org/authorization_decision
authorization_dialog    :scheme//:hostname/api/issuer@oauth3.org/authorization_dialog
logout                  :scheme//:hostname/api/issuer@oauth3.org/#/logout

No access_token endpoint is strictly necessary. Since clients can create and manage their identity, the can sign create their own tokens. If the identity is stored on the issuer, then the issuer can also sign tokens. Doing so gives full control of all resources owned by the subject "sub" to the issuer "iss".

create_sub:       :scheme//:hostname/api/issuer@oauth3.org/subs/:secret/:sub

And here are some others that are useful, but could be implemented differently without breaking the protocol.

credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins
credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp

subject

The sub field must be sha256(secret + ':' + azp).

Example:

var secret = '8f7acd369764df342d1581872ff5f70fcc261aa116b3c41dee7ca3474ee2020f' // cryto.randomBytes(32).toString('hex')
var sha256 = cryto.createHash('sha256');
sha256.update(new Buffer(secret, 'hex'));
sha256.update(':' + 'example.com');

var sub = sha256.digest('hex');

This way any issuer can transfer ownership of identity to any other issuer and deterministically reproduce the ppid by virtue of the secret identity of the subject and the public identity of the authorized party and the key is known to be good if the issuer "iss" can supply the public key that verifies the token, identified by its thumbprint "kid" (which the issuer knows without revealing its ppid of the subject and without the authorized party needing to reveal its ppid of the subject.

jwks

The jwk endpoint needs to reveal the jwk by thumbprint as well as some

Description
Node.js implementation of issuer REST APIs for OAuth3
Readme 75 KiB
Languages
JavaScript 100%