README
¶
UHC messages and DIDComm encapsulation
UHC extends FAPI with DIDComm and Post-Quantum Computing algorithms. See OpenID Utils. UHC messages are protocol-agnostic to be used not only in HTTP but in other protocols such as Bluetooth. In UHC, the Request Object is the payload of a JWS/DIDComm signed message which can be encrypted in a JWE/DIDComm message as a Nested JWT, but using Post-Quantum Computing (PQC) algorithms for signature and encryption.
UHC extends the JWTs used in FAPI with DIDComm messages (for JAR and JARM):
-
A DIDComm signed message is a signed JWM. When a message is both signed and encrypted, the JOSE recommendation is sign the plaintext first, and then encrypt. JWMs conceptually share parallels to JWTs. A JWM leverages JSON Web Signature (JWS) and or JSON Web Encryption (JWE) to achieve digital signing, integrity protection and or confidentiality via encryption for the JWM attribute set in similar ways to JWT for the JWT claim set.
-
A DIDComm encrypted message is an encrypted JWM/JWE which contains nested a DIDComm signed message (signed JWM/JWT).
UHC disambiguation using DIDComm messages
-
Similar to the Bundle ID in iOS applications, the OpenID "client_id" in both requests and responses refers to of the Client software ID, which is the reverse-DNS of the URL client application. For example:
com.example.region.organization-name.app-name. -
If the message is signed:
- it contains the sender's public signature keyID ("kid") in the JOSE header of the JWS/DIDComm signed message.
-
If the message is encrypted it contains in the JOSE headers:
- the sender's public encryption keyID ("skid") in the JOSE protected header of the JWE/DIDComm encrypted message.
- the recipient's public encryption keyID ("skid") in the JOSE protected header of the JWE/DIDComm encrypted message.
- the sender's public signature keyID ("kid") in the JOSE header of the JWS/DIDComm signed message.
-
The payload (unencrypted "plaintext" data) of the DIDComm message contains:
-
the "sub" property to identify the DID of the Subject, where the public encryption and / or signature keys exist for the current wallet (profile) sending/receiving data through the software application installed in an electronic device.
-
the Issuer ("iss" property) corresponds to the "issuer" entry in the well-known configuration files of the API service (both openid-configuration and did-configuration.json files). For example:
https://api-service-name.organization-name.region.example.com. -
the "from" property refers to the sender's DID where the sender's encryption "skid" and / or signature "kid" header properties refers to, similar to OpenID SIOPv2.
-
the "to" property refers to the recipient's DID. It can be an alias of a DID ("alsoKnownAs" property in a DID Document). If the recipient is an OpenID Provider the DID Document must have the "issuer" service URL matching with "iss" property (URL). More information about the DID Method.
-
OpenID Connect Code Flow
The OAuth 2.0/OpenID Connect Authorization Code grant is a two-step process:
- obtain an authorization code, and
- exchange it for an access token (to be used in the APIs) and optionally for an ID token (to be used by the client application).
JWT-secured authorisation request (JAR), FAPI and DIDComm envelope
When using the HTTP protocol and the HTTP POST method, the parameters of the HTTP request are serialized using Form Serialization (OICD Core - Section 13.2), the HTTP header Content-type is application/x-www-form-urlencoded.
Although different parameters are required as per OAuth 2.0, OpenID and JAR specifications, FAPI and UHC ignore all except the "request" parameter, which in FAPI it is a compact JWS containing the Request Object as payload.
UHC messages are protocol-agnostic to be used not only in HTTP but in other protocols such as Bluetooth, and extends the FAPI Security Profile. In UHC, the Request Object is the payload of a JWS/DIDComm signed message which can be encrypted in a JWE/DIDComm message as a Nested JWT, but using Post-Quantum Computing (PQC) algorithms for signature and encryption.
The parameters for the HTTP request are explained below:
-
"request": the JWT data container, named "Request Object", in compact JWT serialization.
-
"client_id": duplicated from the Request Object's payload (required by Section 5 of JAR, but ignored by FAPI and UHC).
Additionally, if the client app is not using pushed authentication request (PAR), the client app can send duplicates of the "response_type" and "scope" parameters/values using the OAuth 2.0 request syntax as required by Section 6.1 of the OpenID Connect specification, but they are ignored by FAPI and UHC specifications.
Using a DIDComm message to envelope the Request Object in JAR
JAR requires both Clients and Authorization Servers to verify the payload of signed JWT (Request Object) with keys from the other party.
For the Authentication Server (AS) it strongly recommends the use of JWKS URI endpoints to distribute public keys ("jwks_uri", RFC8414).
For the Client applications it recommends either the use of JWKS URI endpoints ("jwks_uri", RFC7591) or the use of the "jwks" JOSE header parameter in combination with RFC7591 and RFC7592.
An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.
Signing and then encrypting a JWT/DIDComm
As per the OpenID Connect specification (OIDC Core - Section 16.14), a JWT can be first signed then encrypted, being the signed JWT (JWS) the plaintext data of the JWE (Nested JWT).
UHC extends JWT with DIDComm messages. A DIDComm signed message is a signed JWM. When a message is both signed and encrypted, the JOSE recommendation is sign the plaintext first, and then encrypt.
JWMs conceptually share parallels to JWTs. A JWM leverages JSON Web Signature (JWS) and or JSON Web Encryption (JWE) to achieve digital signing, integrity protection and or confidentiality via encryption for the JWM attribute set in similar ways to JWT for the JWT claim set.
A DIDComm encrypted message is an encrypted JWM/JWE which contains nested a DIDComm signed message (signed JWM/JWT).
Creating a compact JWT/DIDComm
To maintain the compatibility with the JAR specification:
- an encrypted JWE/jar-didcomm-encrypted+json message contains a Nested JWS/jar-didcomm-signed+json message, where:
- the "typ" property of the JWE header is "jwt" as per the JAR specification;
- the "cty" property of the JWE header is set to the media type "didcomm-signed+json" as defined in the DIDComm specification.
- the "kid" property of the JWE header is recipient's public encryption keyID in DID#kid URI format.
- a nested DIDComm-JAR signed message (JWT) contains a JAR object in the payload adding a "type" field to predict the structure inside of the message following the DIDComm specification, where:
- the "typ" property of the JWT header is "jwt" as per the JAR specification;
- the "cty" property of the JWT header is set to the media type "didcomm-signed+json" as defined in the DIDComm specification.
- the "to" property of the JWT header is defined in the inner (signed) message, in order to avoid surreptitious forwarding or malicious usage of the signed message, as per the DIDComm specification.
Aligning with RFC 7515, IANA types for DIDComm messages MAY omit the application/ prefix; the recipient MUST treat media types not containing / as having the application/ prefix present.
Message Layer Addressing Consistency
As per the DIDComm specification (Section 3.2), when messages are combined into layers as shown above in the Media Types table, various attributes must be checked for consistency by the message recipient.
- The to attribute in the plaintext message (Request Object payload) MUST contain the kid attribute of an encrypted message (to can be a
did#kidURI) - The from attribute in the plaintext message (Request Object payload) MUST match the signer’s kid in a signed message.
- The from attribute in the plaintext message (Request Object payload) MUST match the skid attribute in the encryption layer.
Header of the encrypted DIDComm-JAR message envelope
The JOSE header of the encrypted DIDComm message, following both JOSE (RFC7516) and DIDComm specifications, requires the following fields:
- the "skid" (required in UHC) field value is the sender's public encryption keyID for authenticated encryption.
- the "cty" (required in UHC) field value is set to "didcomm-signed+json" when the plaintext is a Nested JWS/jar-didcomm-signed+json message.
- the "typ" (required) field value is "jwt".
- the "alg" (required) field value identifies the algorithm used to encrypt (encapsulate) the value of the CEK.
- the "enc" (required) field value identifies the algorithm used to encrypt the data using the CEK (e.g.: "A256GCM" for AES data encryption).
- the "kid" (conditional) field value is the recipient's keyID (kid) to which the CEK was encrypted, calculated by the JWK Thumbprint of the recipient's public encryption key.
- the "jku" (conditional) field value is the recipient's JWK Set URL, to get the public key to which the JWE was encrypted by using the "kid" field as identifier.
- the "jwk" (conditional) field value is the recipient's public JWK to which the CEK was encrypted (rather than using both "kid" and "jku").
Header of the signed DIDComm-JAR nested message
The JOSE header of the signed DIDComm message, following both JAR and DIDComm specifications, requires the following fields:
- the "to" (required in UHC) field value is the DID Service Endpoint. It should be the same as the payload's "aud" field in case of the Authorization flow or the "htu" field when using a DPoP token bound to an access token.
- the "cty" (required in UHC) field value is set to "didcomm-signed+json".
- the "typ" (required) field value is "jwt".
- the "alg" (required) field value is the identifier of the digital signature algorithm. MUST NOT be "none".
- the "kid" (required) field value is the keyID (kid) calculated by the JWK Thumbprint of the public key used by the issuer.
- the "jwks" (optional) field value contains an array of public keys that corresponds in UHC to the sender's public signature JWK (first) and public encryption JWK (second, it can be already in the JWE "jwk" header).
- the "zip" (optional) field value can be "DEF" (deflated, compressed).
Note: "x5u" is not used in JAR because the certificate data can be included in the JWK (use the "jwk" or "jku" fields instead).
JWT-secured authorisation response (JARM)
The JWT data container is named "Response Document".
- A Redirect URL with the Response Document in compact JWT as the "response" parameter.
- An HTML web page (Form Post Response) containing a form with the Response Document in compact JWT as the "response" parameter.
JWT-secured authorisation response (JARM) with DIDComm envelope
TODO
Error response
As per the OAuth 2.0 Authorization Framework - Section 4.1.2.1 If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format, per Appendix B:
-
"error" (REQUIRED): A single ASCII error code from the following:
- "invalid_request": The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
- "unauthorized_client": The client is not authorized to request an authorization code using this method.
- "access_denied": The resource owner or authorization server denied the request.
- "unsupported_response_type": The authorization server does not support obtaining an authorization code using this method.
- "invalid_scope": The requested scope is invalid, unknown, or malformed.
- "server_error": The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)
- "temporarily_unavailable": The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect)
-
"state" (CONDITIONAL): required if a "state" parameter was present in the client authorization request; it is the exact value received from the client.
-
"error_description" (OPTIONAL): Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
-
"error_uri" (OPTIONAL). A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
Documentation
¶
Index ¶
- Constants
- Variables
- func CheckAudience(audience string, didDocument *didDocumentUtils.DidDoc) bool
- func CheckCodeChallengeLength(codeChallenge string) bool
- func CheckIssuerDidKidURI(issuer string, expectedIssuerDidKid string) bool
- func CheckRegisterProfileRequestPayload(decodedRequestPayload *DecodedRequestPayloadJAR, ...) string
- func CheckRequestCodePayload(payload PayloadCodeRequestJWT, recipientDidDocument *didDocumentUtils.DidDoc) (map[string]interface{}, string)
- func CheckRequestHeaderJWE(header joseUtils.HeaderRequestJWS, didServiceEndpoint string) (map[string]interface{}, string)
- func CheckRequestHeaderJWEFromCompactJWS(compactJWS string) (map[string]interface{}, string)
- func CheckRequestHeaderJWS(header joseUtils.HeaderRequestJWS) (map[string]interface{}, string)
- func CheckRequestHeaderJWSFromCompactJWS(compactJWS, didServiceEndpoint string) (map[string]interface{}, string)
- func CheckRequestHeaderJsonJWS(headerJSON map[string]interface{}) (map[string]interface{}, string)
- func CheckResponseTypeAndMode(decodedRequestPayload *DecodedRequestPayloadJAR) bool
- func CheckTimeValidation(nbf, exp int64) bool
- func CreateHeaderRequestJWE(alg, enc, skid string, jwk *jwkUtils.JWK, kid, jku *string) *joseUtils.HeaderRequestJWE
- func CreateHeaderRequestJWS(alg, kid, didServiceEndpoint string) *joseUtils.HeaderRequestJWS
- func DecodeAndCheckRequestCodeDataJWT(compactJWT *string, recipientDidDocument *didDocumentUtils.DidDoc) (*joseUtils.DataJWT, *string)
- func DecodeAndCheckRequestJsonApiDataJWT(compactJWT *string, recipientDidDoc *didDocumentUtils.DidDoc, ...) (*joseUtils.DataJWT, *string)
- func GetAudiences(audience string) []string
- func GetScopes(scope string) []string
- func ParseAudiences(scopes []string) string
- func ParseScopes(scopes []string) string
- func ReturnResponseJARM(w http.ResponseWriter, r *http.Request, ...)
- type AttachmentData
- type AttachmentV2
- type CredentialAttribute
- type CredentialPreview
- type DIDCommBodyMetaJAR
- type DIDCommV2
- type DIDCommV2IssueCredentialBody
- type DIDCommV2OfferCredentialBody
- type DecodedRequestPayloadJAR
- func (requestPayloadData *DecodedRequestPayloadJAR) GetBearer() joseUtils.DataJWT
- func (requestPayloadData *DecodedRequestPayloadJAR) GetBearerScope() string
- func (requestPayloadData *DecodedRequestPayloadJAR) GetBearerSubject() string
- func (requestPayloadData *DecodedRequestPayloadJAR) ToJSON() map[string]interface{}
- type ErrorObject
- type JsonApiErrorLink
- type JsonApiErrorSource
- type LinkObject
- type NewProfileCodeAttributes
- type OpenidAccessTokenPayload
- type OpenidDpopHeader
- type OpenidDpopPayload
- type OpenidHttpPrivateData
- type OpenidIDTokenPayload
- type OpenidRequestFormData
- type OpenidRequestMeta
- type PayloadCodeRequestJWT
- type PayloadJsonApiJWT
- type PayloadRegisterProfileRequestJWT
- type PayloadTokenRequestJWT
- type PrimaryDocument
- type RequestData
- type ResourceObject
- type ResponseDocumentPayloadBodyJARM
- type ResponseDocumentPayloadJARM
Constants ¶
const ( ContentTypeDIDCommSignedJSON = "didcomm-signed+json" // DIDComm specification, but the HTTP Content-type will be "uhc-didcomm.api+json" as per the JSON:API specification. ContentTypeDIDCommEncryptedCBOR = "didcomm-encrypted+cbor" // (see CBOR RFC 8949, section 9.5: https://www.rfc-editor.org/rfc/rfc8949#section-9.5) CodeChallengeMethod = "S256" HeaderTypeJWT = "jwt" // TODO: what if it is CBOR encoded? PayloadTypeNewProfileCode = "profile-code+jwt" PayloadTypeLoginCode = "login-code+jwt" PayloadTypeProfileTokenDCR = "dcr-token+jwt" PayloadTypeData = "data+jwt" ResponseModeJWT = "jwt" ResponseModeQueryJWT = "query.jwt" ResponseModeFragmentJWT = "fragment.jwt" ResponseModeFormPostJWT = "form_post.jwt" ResponseTypeCODE = "code" ResponseTypeIDTOKEN = "id_token" ResponseTypeAccessTOKEN = "token" ResponseTypeDATA = "data" ScopeOpenidGeneric = "openid" )
Variables ¶
var ( ErrMsgNotFound = "not found" ErrMsgEmptyData = "the data is empty" ErrMsgOpenidInvalidRequest = "invalid_request" ErrMsgOpenidInvalidToken = "invalid_token" ErrMsgOpenidInsufficientScope = "insufficient_scope" ErrMsgServerError = "server encountered an unexpected condition" ErrMsgAccessDenied = "resource owner or authorization server denied the request" ErrMsgUnsupportedResponseType = "unsupported response type" ErrMsgInvalidScope = "request scope is invalid, unknown or malformed" )
var ( Encrypted = "application/didCommunicationUtils-encrypted+json" // for Authcrypted and/or anoncrypted, also for Signed and anoncrypted. Signed = "application/didCommunicationUtils-signed+json" Plaintext = "application/didCommunicationUtils-plain+json" )
var CreateResponseDocumentPayloadWithAccessToken = func(httpStatusCode int, accessTokenResponseData openidUtils.OpenidAccessTokenResponseData) ResponseDocumentPayloadJARM { httpHeaders := httpUtils.HttpResponseHeaders{StatusCode: httpStatusCode} tokenType := openidUtils.AuthorizationBearerType responseDocument := ResponseDocumentPayloadJARM{ Body: ResponseDocumentPayloadBodyJARM{ HttpHeader: &httpHeaders, }, AccessToken: &accessTokenResponseData.AccessToken, TokenType: &tokenType, ExpiresIn: &accessTokenResponseData.ExpiresIn, Scope: &accessTokenResponseData.Scope, RefreshToken: accessTokenResponseData.RefreshToken, IdToken: accessTokenResponseData.IDToken, } return responseDocument }
CreateResponseDocumentPayloadWithAccessToken receives the HTTP Status-Code and OpenidAccessTokenResponseData and returns a ResponseDocumentPayloadJARM (to create the compact JWT Response Document for the JARM Redirect URL response).
var CreateResponseDocumentPayloadWithData = func(httpStatusCode int, dataObjects *[]map[string]interface{}, errorObjects *[]ErrorObject) ResponseDocumentPayloadJARM { httpHeaders := httpUtils.HttpResponseHeaders{StatusCode: httpStatusCode} responseDocument := ResponseDocumentPayloadJARM{ Body: ResponseDocumentPayloadBodyJARM{ Data: dataObjects, Errors: errorObjects, HttpHeader: &httpHeaders, }, } return responseDocument }
CreateResponseDocumentPayloadWithData receives the HTTP Status-Code and an array of JSON objects and returns a ResponseDocumentPayloadJARM (to create the compact JWT Response Document for the JARM Redirect URL response).
var CreateResponseDocumentPayloadWithError = func(httpStatusCode int, errorType *string, errorMsg string, errorURI *string) ResponseDocumentPayloadJARM { httpHeaders := httpUtils.HttpResponseHeaders{StatusCode: httpStatusCode} responseDocument := ResponseDocumentPayloadJARM{ Body: ResponseDocumentPayloadBodyJARM{ HttpHeader: &httpHeaders, }, ErrorDescription: &errorMsg, Error: errorType, ErrorURI: errorURI, } return responseDocument }
CreateResponseDocumentPayloadWithError receives the HTTP Status-Code and error data (see https://www.rfc-editor.org/rfc/rfc6749.html#page-45) and returns a ResponseDocumentPayloadJARM (to create the compact JWT Response Document for the JARM Redirect URL response).
var CreateResponseDocumentPayloadWithOpenidCode = func(httpStatusCode int, openidCode string) ResponseDocumentPayloadJARM { httpHeaders := httpUtils.HttpResponseHeaders{StatusCode: httpStatusCode} responseDocument := ResponseDocumentPayloadJARM{ Body: ResponseDocumentPayloadBodyJARM{ HttpHeader: &httpHeaders, }, Code: &openidCode, } return responseDocument }
CreateResponseDocumentPayloadWithOpenidCode receives the HTTP Status-Code and an array of JSON objects and returns a ResponseDocumentPayloadJARM (to create the compact JWT Response Document for the JARM Redirect URL response).
var (
ErrCodeRequestInvalid = `invalid code request`
)
var GetOpenidRequestFormData = func(r *http.Request) *OpenidRequestFormData { if err := r.ParseForm(); err != nil { return nil } scope := r.Form.Get("scope") openidRequestJAR := &OpenidRequestFormData{ ClientID: r.Form.Get("client_id"), Request: r.Form.Get("request"), ResponseType: r.Form.Get("response_type"), Scope: &scope, } return openidRequestJAR }
var GetPublicEncryptionKeyByOpenidHeaders = func(openidHeaders *openidUtils.OpenidHeaders) *jwkUtils.JWK { jwkSet := openidHeaders.HeaderJSONWebKeySet.SearchJWKeyByAlg("kyber") if jwkSet != nil || len(*jwkSet) > 1 { jwk := *jwkSet return &jwk[0] } else { return nil } }
var GetRecipientEncryptionKeyByDecodedRequestPayloadJAR = func(decodedRequestPayloadJAR *DecodedRequestPayloadJAR) *jwkUtils.JWK { if decodedRequestPayloadJAR == nil { return nil } requesterJwKeySet := decodedRequestPayloadJAR.Body.Meta.JWS.JSONWebKeySet requesterPublicKyberKeys := requesterJwKeySet.SearchJWKeyByAlg("kyber") if requesterPublicKyberKeys == nil || len(*requesterPublicKyberKeys) < 1 { return nil } else { recipientKeys := *requesterPublicKyberKeys return &recipientKeys[0] } }
Functions ¶
func CheckAudience ¶
func CheckAudience(audience string, didDocument *didDocumentUtils.DidDoc) bool
CheckAudience checks both the received audience(s) contains URLs ("http://" is allows only for localhost and "https" is required for other URLs) and the audience claim list contains the expected audience (but only it "expected" is not an empty string). TODO: REVIEW "aud" in UHC identifies at the same time: - the "software_id" (e.g.: professional-app-example), and - the Issuer's URL (e.g.: http://identity.professional-app-example.test-organization.localhost:8006/)
func CheckCodeChallengeLength ¶
CheckCodeChallengeLength checks the "code_challenge" is between 43 and 128 characters as per the OpenID specification (it is the SHA-256 hash result of a random challenge generated by the client application, base64url encoded).
func CheckIssuerDidKidURI ¶
CheckIssuerDidKidURI checks the "iss" URI is a DID with a keyID fragment (#). (private_key_jwt authentication method as specified in section 9 of OIDC).
func CheckRegisterProfileRequestPayload ¶
func CheckRegisterProfileRequestPayload(decodedRequestPayload *DecodedRequestPayloadJAR, recipientDidDoc didDocumentUtils.DidDoc, softwareIdList []string) string
func CheckRequestCodePayload ¶
func CheckRequestCodePayload(payload PayloadCodeRequestJWT, recipientDidDocument *didDocumentUtils.DidDoc) (map[string]interface{}, string)
func CheckRequestHeaderJWE ¶
func CheckRequestHeaderJWE(header joseUtils.HeaderRequestJWS, didServiceEndpoint string) (map[string]interface{}, string)
func CheckRequestHeaderJWS ¶
func CheckRequestHeaderJWS(header joseUtils.HeaderRequestJWS) (map[string]interface{}, string)
func CheckResponseTypeAndMode ¶
func CheckResponseTypeAndMode(decodedRequestPayload *DecodedRequestPayloadJAR) bool
CheckResponseTypeAndMode returns true if "response_type" contains "code", "token", or "data"
func CheckTimeValidation ¶
CheckTimeValidation cheks both: - the "nbf" field is no longer than 60 minutes in the past. - the "exp" field has a lifetime of no longer than 60 minutes after the "nbf" field.
func CreateHeaderRequestJWE ¶
func CreateHeaderRequestJWE(alg, enc, skid string, jwk *jwkUtils.JWK, kid, jku *string) *joseUtils.HeaderRequestJWE
todo: CreateHeaderRequestJWE returns HeaderRequestJWE or nil
func CreateHeaderRequestJWS ¶
func CreateHeaderRequestJWS(alg, kid, didServiceEndpoint string) *joseUtils.HeaderRequestJWS
CreateHeaderRequestJWS returns joseUtils.HeaderRequestJWS or nil
func DecodeAndCheckRequestCodeDataJWT ¶
func DecodeAndCheckRequestCodeDataJWT(compactJWT *string, recipientDidDocument *didDocumentUtils.DidDoc) (*joseUtils.DataJWT, *string)
DecodeAndCheckRequestCodeDataJWT returns DataJWT (or nil) and error message (or nil). It checks header fields (valid "alg", "kid" is not empty, "to" match with didServiceEndpoint), It checks payload fields "iss" and "sub" match with issuerDidKid and subjectDidKid, also "exp" and "nbf" fields. Then the "response_mode", "aud" and "redirect_uri" fields can be checked by the parent function to see if they are allowed.
func DecodeAndCheckRequestJsonApiDataJWT ¶
func DecodeAndCheckRequestJsonApiDataJWT(compactJWT *string, recipientDidDoc *didDocumentUtils.DidDoc, expectedAudience string, requiredScopes []string) (*joseUtils.DataJWT, *string)
DecodeAndCheckRequestJsonApiDataJWT returns DataJWT (or nil) and error message (or nil). It checks header fields (valid "alg", "kid" are not empty, "to" match with didServiceEndpoint), It checks payload fields "iss" and "sub" match with issuerDidKid and subjectDidKid, also "exp" and "nbf" fields. Then the "response_mode", "aud" and "redirect_uri" fields can be checked by the parent function to see if they are allowed.
func GetAudiences ¶
GetAudiences converts audience claim to string slice, with compatibility not only for comma separated but for comma-space and space too.
func GetScopes ¶
GetScopesList converts scope claim to string slice, with compatibility not only for space separated but for comma and comma-space too.
func ParseAudiences ¶
ParseAudiences joins the slice into a whitespace-separated string.
func ParseScopes ¶
ParseScopes joins the slice into a whitespace-separated string.
func ReturnResponseJARM ¶
func ReturnResponseJARM(w http.ResponseWriter, r *http.Request, decodedRequestJAR *DecodedRequestPayloadJAR, compactJWT *string, redirectURL string)
Types ¶
type AttachmentData ¶
type AttachmentData struct {
// Sha256 is a hash of the content. Optional. Used as an integrity check if content is inlined.
// if content is only referenced, then including this field makes the content tamper-evident.
// This may be redundant, if the content is stored in an inherently immutable container like
// content-addressable storage. This may also be undesirable, if dynamic content at a specified
// link is beneficial. Including a hash without including a way to fetch the content via link
// is a form of proof of existence.
Sha256 string `json:"sha256,omitempty"`
// Links is a list of zero or more locations at which the content may be fetched.
Links []string `json:"links,omitempty"`
// Base64 encoded data, when representing arbitrary content inline instead of via links. Optional.
Base64 string `json:"base64,omitempty"`
// JSON is a directly embedded JSON data, when representing content inline instead of via links,
// and when the content is natively conveyable as JSON. Optional.
JSON interface{} `json:"json,omitempty"`
// JWS is a JSON web signature over the encoded data, in detached format.
JWS json.RawMessage `json:"jws,omitempty"`
}
AttachmentData contains attachment payload.
type AttachmentV2 ¶
type AttachmentV2 struct {
// ID is a JSON-LD construct that uniquely identifies attached content within the scope of a given message.
// Recommended on appended attachment descriptors. Possible but generally unused on embedded attachment descriptors.
// Never required if no references to the attachment exist; if omitted, then there is no way
// to refer to the attachment later in the thread, in error messages, and so forth.
// Because @id is used to compose URIs, it is recommended that this name be brief and avoid spaces
// and other characters that require URI escaping.
ID string `json:"id,omitempty"`
// Description is an optional human-readable description of the content.
Description string `json:"description,omitempty"`
// FileName is a hint about the name that might be used if this attachment is persisted as a file.
// It is not required, and need not be unique. If this field is present and mime-type is not,
// the extension on the filename may be used to infer a MIME type.
FileName string `json:"filename,omitempty"`
// MediaType describes the MIME type of the attached content. Optional but recommended.
MediaType string `json:"media_type,omitempty"`
// LastModTime is a hint about when the content in this attachment was last modified.
LastModTime time.Time `json:"lastmod_time,omitempty"`
// ByteCount is an optional, and mostly relevant when content is included by reference instead of by value.
// Lets the receiver guess how expensive it will be, in time, bandwidth, and storage, to fully fetch the attachment.
ByteCount int64 `json:"byte_count,omitempty"`
// Data is a JSON object that gives access to the actual content of the attachment.
Data AttachmentData `json:"data,omitempty"`
// Format describes the format of the attachment if the media_type is not sufficient.
Format string `json:"format,omitempty"`
}
AttachmentV2 is intended to provide the possibility to include files, links or even JSON payload to the message. To find out more please visit https://identity.foundation/didcomm-messaging/spec/#attachments
type CredentialAttribute ¶
type CredentialAttribute struct {
Name string `json:"name,omitempty" bson:"name,omitempty"` // an array of (object) attribute specifications
MimeType string `json:"mime-type,omitempty" bson:"mime-type,omitempty"` //
Value string `json:"value,omitempty" bson:"value,omitempty"` //
}
CredentialAttribute has the attribute data of a credential's claim. It is used construct a preview of the data for the credential that is to be issued. Its schema follows:
- 'name' (MANDATORY): key maps to the attribute name as a string.
- 'mime-type' (Optional): advises the issuer how to render a binary attribute, to judge its content for applicability before issuing a credential containing it. Its value parses case-insensitively in keeping with MIME type semantics of RFC 2045. If mime-type is missing, its value is null.
- 'value' (MANDATORY): holds the attribute value base64 encoded if mime-type or as a single string value if not. if mime-type is missing (null), then value is a string. In other words, implementations interpret it the same as any other key+value pair in JSON. if mime-type is not null, then value is always a base64url-encoded string that represents a binary BLOB, and mime-type tells how to interpret the BLOB after base64url-decoding.
type CredentialPreview ¶
type CredentialPreview struct {
Attributes []CredentialAttribute `json:"attributes,omitempty" bson:"goattributesal_code,omitempty"` // an array of (object) attribute specifications
}
type DIDCommBodyMetaJAR ¶
type DIDCommBodyMetaJAR struct {
BearerData joseUtils.DataJWT `json:"bearer,omitempty" bson:"bearer,omitempty"` // the access token
DPoPData joseUtils.DataJWT `json:"dpop,omitempty" bson:"dpop,omitempty"`
// - decoded JWE protected headers such as "skid" (sender's encryption keyID), "kid" (recipient's public encryption) and "enc" (encryption algorithm). It can contain mixed unprotected headers for the recipient.
// - decoded JWS headers such as "kid" (sender's keyID), "alg" (signature algorithm) and "jwks" (JSON Web Key Set)
// which contains both sender's public signature JWK (first) and encryption JWK (second).
JWE joseUtils.HeaderRequestJWE `json:"jwe,omitempty" bson:"jwe,omitempty"`
JWS joseUtils.HeaderRequestJWS `json:"jws,omitempty" bson:"jws,omitempty"`
}
type DIDCommV2 ¶
type DIDCommV2 struct {
Attachments []AttachmentV2 `json:"attachments,omitempty" bson:"attachments,omitempty"` // OPTIONAL. See Attachments for detail. *[]DIDCommAttachment
Body map[string]interface{} `json:"body,omitempty" bson:"body,omitempty"` // REQUIRED. The body attribute contains all the message type specific attributes of the message type indicated in the type attribute. This attribute MUST be present, even if empty. It MUST be a JSON object conforming to RFC 7159.
CreatedTime *string `json:"created_time,omitempty" bson:"created_time,omitempty"` // OPTIONAL. Message Created Time. The created_time attribute is used for the sender to express when they created the message, expressed in UTC Epoch Seconds (seconds since 1970-01-01T00:00:00Z UTC) [link](1970-01-01T00:00:00Z UTC). This attribute is informative to the recipient, and may be relied on by protocols.
ExpiresTime *string `json:"expires_time,omitempty" bson:"expires_time,omitempty"` // OPTIONAL. Message Expired Time. The expires_time attribute is used for the sender to express when they consider the message to be expired, expressed in UTC Epoch Seconds (seconds since 1970-01-01T00:00:00Z UTC) [link](1970-01-01T00:00:00Z UTC). This attribute signals when the message is considered no longer valid by the sender. When omitted, the message is considered to have no expiration by the sender.
From *string `json:"from,omitempty" bson:"from,omitempty"` // OPTIONAL: when the message is to be encrypted via anoncrypt. REQUIRED when the message is encrypted via authcrypt. Sender identifier. The from attribute MUST be a string that is a valid DID or DID URL (without the fragment component) which identifies the sender of the message. When a message is encrypted, the sender key MUST be authorized for encryption by this DID. Authorization of the encryption key for this DID MUST be verified by message recipient with the proper proof purposes. When the sender wishes to be anonymous using authcrypt, it is recommended to use a new DID created for the purpose to avoid correlation with any other behavior or identity. Peer DIDs are lightweight and require no ledger writes, and therefore a good method to use for this purpose. See the message authentication section for additional details.
ID *string `json:"id,omitempty" bson:"id,omitempty"` // REQUIRED. Message ID. The id attribute value MUST be unique to the sender.
To *[]string `json:"to,omitempty" bson:"to,omitempty"` // OPTIONAL. Identifier(s) for recipients. MUST be an array of strings where each element is a valid DID or DID URL (without the fragment component) that identifies a member of the message's intended audience. These values are useful for recipients to know which of their keys can be used for decryption. It is not possible for one recipient to verify that the message was sent to a different recipient.
Type string `json:"type,omitempty" bson:"type,omitempty"` // REQUIRED. Plaintext message type ('<message-type-uri>'), useful for message handling in application-level protocols. The type attribute value MUST be a valid Message Type URI, that when resolved gives human readable information about the message. The attribute's value SHOULD predict the content in the body of the message.
ParentThreadID *string `json:"pthid,omitempty" bson:"pthid,omitempty"` // OPTIONAL. Parent thread identifier. If the message is a child of a thread the pthid will uniquely identify which thread is the parent.
ThreadID *string `json:"thid,omitempty" bson:"thid,omitempty"` // OPTIONAL: Thread identifier. Uniquely identifies the thread that the message belongs to. If not included, the id property of the message MUST be treated as the value of the thid.
}
** DIDCommV2 is an JWM (JSON Web Messages) which can_hide its content from all but authorized recipients if encrypted, * disclose and prove the sender to exactly and only those recipients, and provide integrity guarantees. * https://github.com/decentralized-identity/didcomm-messaging/blob/master/docs/spec-files/message_structure.md * * The body of a DIDComm message is the JSON 'body' object into a JWM message. * * Headers in DIDComm Messaging are intended to be extensible in much the same way that headers in HttpHeaders or SMTP are extensible. * A few headers are predefined: * - attachments: OPTIONAL. See attachments. * - body: REQUIRED. The body attribute contains all the message type specific attributes of the message type indicated in the type attribute. This attribute MUST be present, even if empty. It MUST be a JSON object conforming to RFC 7159. * - id: REQUIRED. Message ID. The id attribute value MUST be unique to the sender. * - type: REQUIRED. Plaintext message type ('<message-type-uri>'), useful for message handling in application-level protocols. The type attribute value MUST be a valid Message Type URI, that when resolved gives human readable information about the message. The attribute's value SHOULD predict the content in the body of the message. * - typ: OPTIONAL. Media type of the JWM content (application/didCommunicationUtils-encrypted+json, application/didCommunicationUtils-signed+json OR application/didCommunicationUtils-plain+json). * - from: OPTIONAL: when the message is to be encrypted via anoncrypt. REQUIRED when the message is encrypted via authcrypt. Sender identifier. The from attribute MUST be a string that is a valid DID or DID URL (without the fragment component) which identifies the sender of the message. When a message is encrypted, the sender key MUST be authorized for encryption by this DID. Authorization of the encryption key for this DID MUST be verified by message recipient with the proper proof purposes. When the sender wishes to be anonymous using authcrypt, it is recommended to use a new DID created for the purpose to avoid correlation with any other behavior or identity. Peer DIDs are lightweight and require no ledger writes, and therefore a good method to use for this purpose. See the message authentication section for additional details. * - to: OPTIONAL. Identifier(s) for recipients. MUST be an array of strings where each element is a valid DID or DID URL (without the fragment component) that identifies a member of the message's intended audience. These values are useful for recipients to know which of their keys can be used for decryption. It is not possible for one recipient to verify that the message was sent to a different recipient. * - thid: OPTIONAL: Thread identifier. Uniquely identifies the thread that the message belongs to. If not included, the id property of the message MUST be treated as the value of the thid. * - pthid: OPTIONAL. Parent thread identifier. If the message is a child of a thread the pthid will uniquely identify which thread is the parent. * - created_time: OPTIONAL. Message Created Time. The created_time attribute is used for the sender to express when they created the message, expressed in UTC Epoch Seconds (seconds since 1970-01-01T00:00:00Z UTC) [link](1970-01-01T00:00:00Z UTC). This attribute is informative to the recipient, and may be relied on by protocols. * - expires_time: OPTIONAL. Message Expired Time. The expires_time attribute is used for the sender to express when they consider the message to be expired, expressed in UTC Epoch Seconds (seconds since 1970-01-01T00:00:00Z UTC) [link](1970-01-01T00:00:00Z UTC). This attribute signals when the message is considered no longer valid by the sender. When omitted, the message is considered to have no expiration by the sender.
type DIDCommV2IssueCredentialBody ¶
type DIDCommV2IssueCredentialBody struct {
ReplacementID *string `json:"replacement_id,omitempty" bson:"replacement_id,omitempty"` // identifier used to manage credential replacement
Comment *string `json:"comment,omitempty" bson:"comment,omitempty"` // human-readable information about the issued credential, so it can be evaluated by human judgment. Follows DIDComm conventions for l10n.
GoalCode *string `json:"goal_code,omitempty" bson:"goal_code,omitempty"` // goal of the message
}
DIDCommV2IssueCredentialBody is part of the Issuer Credential DIDComm message: -replacement_id: an optional field that provides an identifier used to manage credential replacement.
When this value is present and matches the replacement_id of a previously issued credential, this credential may be considered as a replacement for that credential. This value is unique to the issuer. It must not be used in a credential presentation.
-comment: an optional field that provides human readable information about the issued credential, so it can be evaluated by human judgment. Follows DIDComm conventions for l10n. -goal_code: optional field that indicates the goal of the message. https://github.com/decentralized-identity/waci-presentation-exchange/blob/main/issue_credential/README.md
type DIDCommV2OfferCredentialBody ¶
type DIDCommV2OfferCredentialBody struct {
ReplacementID *string `json:"replacement_id,omitempty" bson:"replacement_id,omitempty"` // identifier used to manage credential replacement
Comment *string `json:"comment,omitempty" bson:"comment,omitempty"` // human-readable information about the issued credential, so it can be evaluated by human judgment. Follows DIDComm conventions for l10n.
GoalCode *string `json:"goal_code,omitempty" bson:"goal_code,omitempty"` // goal of the message
CredentialPreview *CredentialPreview `json:"credential_preview,omitempty" bson:"credential_preview,omitempty"` // credential data that Issuer is willing to issue. It matches the schema of Credential Preview;
}
DIDCommV2OfferCredentialBody is part of the Offer Credential DIDComm message A message sent by the Issuer to the potential Holder, describing the credential they intend to offer and possibly the price they expect to be paid. -credential_preview: a JSON-LD object that represents the credential data that Issuer is willing to issue. It matches the schema of Credential Preview; -replacement_id: an optional field that provides an identifier used to manage credential replacement.
When this value is present and matches the replacement_id of a previously issued credential, this credential may be considered as a replacement for that credential. This value is unique to the issuer. It must not be used in a credential presentation.
-comment: an optional field that provides human readable information about the issued credential, so it can be evaluated by human judgment. Follows DIDComm conventions for l10n. -goal_code: optional field that indicates the goal of the message. https://github.com/decentralized-identity/waci-presentation-exchange/blob/main/issue_credential/README.md
type DecodedRequestPayloadJAR ¶
type DecodedRequestPayloadJAR struct {
SoftwareID *string `json:"software_id,omitempty" bson:"software_id,omitempty"`
Audiences *string `json:"aud,omitempty" bson:"aud,omitempty"` // comma separated audiences
NotValidBefore int64 `json:"nbf,omitempty" bson:"nbf,omitempty"`
IssuedAt int64 `json:"iat,omitempty" bson:"iat,omitempty"`
// FAPI Object Payload fields: The request object SHALL contain an "exp" claim [FAPI Part 2, Section 5.2.2, Clause13].
Expiration int64 `json:"exp,omitempty" bson:"exp,omitempty"` // the expiration time of the JWT (it is not a string);
ResponseType *string `json:"response_type,omitempty" bson:"response_type,omitempty"` // e.g.: "code" or "access_token",
ResponseMode *string `json:"response_mode,omitempty" bson:"response_mode,omitempty"` // e.g.: "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"
// Claims for OpenID "code" and "access_token" flow requests
ClientID *string `json:"client_id,omitempty" bson:"client_id,omitempty"`
Code *string `json:"code,omitempty" bson:"code,omitempty"`
CodeChallenge *string `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"` // when requesting a code
CodeChallengeMethod *string `json:"code_challenge_method" bson:"code_challenge_method,omitempty"` // when requesting a code
CodeVerifier *string `json:"code_verifier,omitempty" bson:"code_verifier,omitempty"` // when requesting a token
GrantType *string `json:"grant_type,omitempty" bson:"grant_type,omitempty"` // when requesting a code, it MUST be set to "authorization_code".
RedirectURI *string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
Scope *string `json:"scope,omitempty" bson:"scope,omitempty"`
// Open ID additional request fields
State *string `json:"state,omitempty" bson:"state,omitempty"` // the state value as sent by the client in the authorization request (if applicable)
LocalesUI *string `json:"ui_locales,omitempty" bson:"ui_locales,omitempty"`
LoginHint *string `json:"login_hint,omitempty" bson:"login_hint,omitempty"`
Nonce *string `json:"nonce,omitempty" bson:"nonce,omitempty"`
// Subject is required when creating an install-code for a profile which is the employee DID
Subject *string `json:"sub,omitempty" bson:"sub,omitempty"`
JSONTokenID *string `json:"jti,omitempty" bson:"jti,omitempty"`
// DIDComm fields
// Bearer data will be in Body.Meta.Bearer and Attachments will be in each ResourceObject within the PrimaryDocument
Body PrimaryDocument `json:"body,omitempty" bson:"body,omitempty"` //
ThreadID *string `json:"thid,omitempty" bson:"thid,omitempty"` // thread of the message, to be used instead of the OpenID State.
To string `json:"to,omitempty" bson:"to,omitempty"` // OPTIONAL. Copy the "kid" field from the JWE header (recipient) of the body.request object before removing the encrypted request object in the body when storing on a DB's collection.
Type string `json:"type,omitempty" bson:"type,omitempty"` // The media type of the envelope MAY be set in the "typ" property
From string `json:"from,omitempty" bson:"from,omitempty"` // copy of the "skid" field from the JWE header (sender)
ID *string `json:"id,omitempty" bson:"id,omitempty"` // the ID is unique to the sender. If ThreadID is not specified then the ID is used as ThreadID.
ParentThread string `json:"pthid,omitempty" bson:"pthid,omitempty"` // OPTIONAL. In case of an access_token request it links to the ID of the "code" request in the OpenID Authentication Code flow.
}
DIDComm "created_time" is not used because it is the same as "nbf" (UTC Epoch Seconds) Note: the OpenID "id_token" (data) is the Response Document JARM, not the Request Object JAR (it is the response to an authentication request).
func DecodeAndCheckRequestCodeJAR ¶
func DecodeAndCheckRequestCodeJAR(compactJWT *string, recipientDidDocument *didDocumentUtils.DidDoc) (*DecodedRequestPayloadJAR, *string)
DecodeAndCheckRequestCodeJAR receives a decrypted compactJWT (JWS) and returns openidUtils.DecodedRequestPayloadJAR (or nil) and error message (or nil) after being checked. It checks header fields (valid "alg", "kid" is not empty, "to" match with didServiceEndpoint), It checks payload fields "iss" and "sub" match with issuerDidKid and subjectDidKid, also "exp" and "nbf" fields. Then the "response_mode", "aud" and "redirect_uri" fields can be checked by the parent function to see if they are allowed.
func DecodeAndCheckRequestJsonApiPayloadJAR ¶
func DecodeAndCheckRequestJsonApiPayloadJAR(compactJWT *string, recipientDidDoc *didDocumentUtils.DidDoc, expectedAudience string, requiredScopes []string) (*DecodedRequestPayloadJAR, *string)
DecodeAndCheckRequestJsonApiPayloadJAR receives a decrypted compactJWT (JWS) and returns openidUtils.DecodedRequestPayloadJAR (or nil) and error message (or nil) after being checked. It checks header fields (valid "alg", "kid" is not empty, "to" match with didServiceEndpoint), It checks payload fields "iss" and "sub" match with issuerDidKid and subjectDidKid, also "exp" and "nbf" fields. Then the "response_mode", "aud" and "redirect_uri" fields can be checked by the parent function to see if they are allowed.
func (*DecodedRequestPayloadJAR) GetBearer ¶
func (requestPayloadData *DecodedRequestPayloadJAR) GetBearer() joseUtils.DataJWT
func (*DecodedRequestPayloadJAR) GetBearerScope ¶
func (requestPayloadData *DecodedRequestPayloadJAR) GetBearerScope() string
func (*DecodedRequestPayloadJAR) GetBearerSubject ¶
func (requestPayloadData *DecodedRequestPayloadJAR) GetBearerSubject() string
func (*DecodedRequestPayloadJAR) ToJSON ¶
func (requestPayloadData *DecodedRequestPayloadJAR) ToJSON() map[string]interface{}
DecodedRequestPayloadJAR method removes the Body.Meta information (the decoded Bearer and DPoP tokens)
type ErrorObject ¶
type ErrorObject struct {
ID *string `json:"id,omitempty" bson:"id,omitempty"` // a unique identifier for this particular occurrence of the problem.
Links *[]JsonApiErrorLink `json:"links,omitempty" bson:"links,omitempty"` // a links object MAY contain about and type.
Status *string `json:"status,omitempty" bson:"status,omitempty"` // the HTTP status code applicable to this problem, expressed as a string value. This SHOULD be provided.
Code *string `json:"code,omitempty" bson:"code,omitempty"` // an application-specific error code, expressed as a string value.
Title *string `json:"title,omitempty" bson:"title,omitempty"` // a short, human-readable summary of the problem that SHOULD NOT change from occurrence to occurrence of the problem, except for purposes of localization.
Detail *string `json:"detail,omitempty" bson:"detail,omitempty"` // a human-readable explanation specific to this occurrence of the problem. Like title, this field’s value can be localized.
Source *JsonApiErrorSource `json:"source,omitempty" bson:"source,omitempty"` // an object containing references to the primary source of the error. It SHOULD include one of the following members or be omitted:
Meta *map[string]interface{} `json:"meta,omitempty" bson:"meta,omitempty"` // a metaObject containing non-standard meta-information about the error.
}
ErrorObject object MAY have the following members, and MUST contain at least one of: https://jsonapi.org/format/1.1/#error-objects
type JsonApiErrorLink ¶
type JsonApiErrorLink struct {
About string `json:"about,omitempty" bson:"about,omitempty"` // about: a link that leads to further details about this particular occurrence of the problem. When dereferenced, this URI SHOULD return a human-readable description of the error.
Type string `json:"type,omitempty" bson:"type,omitempty"` // type: a link that identifies the type of error that this particular error is an instance of. This URI SHOULD be dereferenceable to a human-readable explanation of the general error.
}
JsonApiErrorLink object MAY contain the following members: - about: a link that leads to further details about this particular occurrence of the problem. When dereferenced, this URI SHOULD return a human-readable description of the error. - type: a link that identifies the type of error that this particular error is an instance of. This URI SHOULD be dereferenceable to a human-readable explanation of the general error.
type JsonApiErrorSource ¶
type JsonApiErrorSource struct {
Pointer *string `json:"pointer,omitempty" bson:"pointer,omitempty"` // a JSON Pointer [RFC6901] to the value in the request document that caused the error [e.g. "/data" for a primary data object, or "/data/attributes/title" for a specific attribute]. This MUST point to a value in the request document that exists; if it does not, the client SHOULD simply ignore the pointer.
Parameter *string `json:"parameter,omitempty" bson:"parameter,omitempty"` // a string indicating which URI query parameter caused the error.
Header *string `json:"header,omitempty" bson:"header,omitempty"` // a string indicating the name of a single request header which caused the error.
}
JsonApiErrorSource SHOULD include one of pointer, parameter or header
type LinkObject ¶
type LinkObject struct {
}
A “link object” is an object that represents a web link.
A link object MUST contain the following member:
href: a string whose value is a URI-reference [RFC3986 Section 4.1] pointing to the link’s target.
A link object MAY also contain any of the following members:
rel: a string indicating the link’s relation type. The string MUST be a valid link relation type. describedby: a link to a description document (e.g. OpenAPI or JSON Schema) for the link target. title: a string which serves as a label for the destination of a link such that it can be used as a human-readable identifier (e.g., a menu entry). type: a string indicating the media type of the link’s target. hreflang: a string or an array of strings indicating the language(s) of the link’s target. An array of strings indicates that the link’s target is available in multiple languages. Each string MUST be a valid language tag [RFC5646]. meta: a metaObject containing non-standard meta-information about the link. Note: the type and hreflang members are only hints; the target resource is not guaranteed to be available in the indicated media type or language when the link is actually followed.
type NewProfileCodeAttributes ¶
type NewProfileCodeAttributes struct {
// ClientID will be set in the backend service before storing each individual profile code generation
// Expiration will be set in the backend service before storing each individual profile code generation
// The index in the collection will be the code_challenge (it is a unique hash)
// The decoded Bearer data will be in Body.Meta.Bearer
Audiences string `json:"aud,omitempty" bson:"aud,omitempty"` // reverseDNS of some app(s) allowed to activate the new profile code (comma separated).
CodeChallenge string `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"` // It is a unique hash (hexadecimal) created from a unique code (UUID) with a length
CodeChallengeMethod string `json:"code_challenge_method" bson:"code_challenge_method,omitempty"` // SHALL be "S256"
ResponseType string `json:"response_type,omitempty" bson:"response_type,omitempty"` // SHALL be "code"
Scope string `json:"scope,omitempty" bson:"scope,omitempty"` // OPTIONAL
Subject string `json:"sub,omitempty" bson:"sub,omitempty"` // REQUIRED. This is the end-user (professional, patient, relatedPerson)
}
NewProfileCodeAttributes is created by a supervisor (admin) in a client app.
- the "aud" (required): reverseDNS of some app(s) allowed to activate the new profile code (comma separated if more than one).
- the "code_challenge" (required) field is the SHA-256 hash result of a random challenge generated by the client application, base64url encoded.
- the "code_challenge_method" (required) field value is "S256".
- the "subject" (REQUIRED) field refers in UHC to the target practitioner's DID when an admin is creating an install-code for a practitioner's profile
- the "scope" (OPTIONAL) field value is "openid".
- the "response_type" (required) field value contains "code". NOTE: Set the expiration period of the authorization code to one minute or a suitable short period of time if not replay is possible. The validity period may act as a cache control indicator of when to clear the authorization code cache if one is used.
type OpenidAccessTokenPayload ¶
type OpenidAccessTokenPayload struct {
}
type OpenidDpopHeader ¶
type OpenidDpopHeader struct {
}
The JOSE header of a DPoP JWT MUST contain at least the following parameters: - typ: with value dpop+jwt. - alg: a digital signature algorithm identifier as per [RFC7518]. MUST NOT be none or an identifier for a symmetric algorithm (MAC). - jwk: representing the public key chosen by the client, in JSON Web Key (JWK) [RFC7517] format, as defined in Section 4.1.3 of [RFC7515]. MUST NOT contain a private key. see https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html
type OpenidDpopPayload ¶
type OpenidDpopPayload struct {
}
The payload of a DPoP proof MUST contain at least the following claims: - jti: Unique identifier for the DPoP proof JWT. The value MUST be assigned such that there is a negligible probability that the same value will be assigned to any other DPoP proof used in the same context during the time window of validity. Such uniqueness can be accomplished by encoding (base64url or any other suitable encoding) at least 96 bits of pseudorandom data or by using a version 4 UUID string according to [RFC4122]. The jti can be used by the server for replay detection and prevention, see Section 11.1. - htm: The HttpHeaders method of the request to which the JWT is attached, as defined in [RFC7231]. - htu: The HttpHeaders request URI (Section 5.5 of [RFC7230]), without query and fragment parts. - iat: Creation timestamp of the JWT (Section 4.1.6 of [RFC7519]).When the DPoP proof is used in conjunction with the presentation of an access token, see Section 7, the DPoP proof MUST also contain the following claim: - ath: hash of the access token. The value MUST be the result of a base64url encoding (as defined in Section 2 of [RFC7515]) the SHA-256 [SHS] hash of the ASCII encoding of the associated access token's value.
type OpenidHttpPrivateData ¶
type OpenidHttpPrivateData struct {
HttpHeaders httpUtils.HttpPrivateHeadersOpenid `json:"httpHeaders,omitempty" bson:"httpHeaders,omitempty"`
}
OpenidHttpPrivateData contains HttpHeaders such as blockchainUtils.PrivateDataToSC
type OpenidIDTokenPayload ¶
type OpenidIDTokenPayload struct {
}
type OpenidRequestFormData ¶
type OpenidRequestFormData struct {
ClientID string `json:"client_id,omitempty" bson:"client_id,omitempty"` // the client ID is stored on a DB collection (e.g.: practitionerRole DID)
Request string `json:"request,omitempty" bson:"request,omitempty"` // Request with a JWE and nested JWS/JWT, it is not stored.
ResponseType string `json:"response_type,omitempty" bson:"response_type,omitempty"` // the response type is stored (e.g.: code, token)
Scope *string `json:"scope,omitempty" bson:"scope,omitempty"` // the scope is stored
}
OpenidRequestFormDataDecoded has client_id, response_type and scope outside the request object as per Oauth2 specifications.
type OpenidRequestMeta ¶
type OpenidRequestMeta struct {
Bearer *OpenidAccessTokenPayload `json:"bearer,omitempty" bson:"bearer,omitempty"`
DPoP *OpenidDpopPayload `json:"dpop,omitempty" bson:"dpop,omitempty"`
IDToken *OpenidIDTokenPayload `json:"idToken,omitempty" bson:"idToken,omitempty"`
}
Bearer.Header.iss should be the DID or the URL of the kid (better the DID to have the JWK Thumbprint in the logs).
type PayloadCodeRequestJWT ¶
type PayloadCodeRequestJWT struct {
// TODO: define all the fields, sorted alphabetically by the JSON field name.
Audience string `json:"aud,omitempty" bson:"aud,omitempty"`
ClientID string `json:"client_id,omitempty" bson:"client_id,omitempty"`
CodeChallenge string `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"` // when requesting a code
CodeChallengeMethod string `json:"code_challenge_method" bson:"code_challenge_method,omitempty"` // when requesting a code
Expiration int64 `json:"exp,omitempty" bson:"exp,omitempty"` // end of the valid date (number of seconds from Unix epoch);
Issuer string `json:"iss,omitempty" bson:"iss,omitempty"`
JSONTokenID string `json:"jti,omitempty" bson:"jti,omitempty"`
NonValidBefore int64 `json:"nbf,omitempty" bson:"nbf,omitempty"` // start of the valid date (number of seconds from Unix epoch);
RedirectURI string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
ResponseMode string `json:"response_mode,omitempty" bson:"response_mode,omitempty"` // e.g.: "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"
ResponseType string `json:"response_type,omitempty" bson:"response_type,omitempty"` // shall be "code"
Scope string `json:"scope,omitempty" bson:"scope,omitempty"`
Subject string `json:"sub,omitempty" bson:"sub,omitempty"`
ThreadID string `json:"thid,omitempty" bson:"thid,omitempty"` // thread of the message, used instead of the optional OpenID State.
To string `json:"to,omitempty" bson:"to,omitempty"` // OPTIONAL. Copy the "kid" field from the JWE header (recipient) of the body.request object before removing the encrypted request object in the body when storing on a DB's collection.
Type string `json:"type,omitempty" bson:"type,omitempty"` // The media type of the envelope MAY be set in the "typ" property
}
PayloadCodeRequestJWT receives from a client app the code challenge as part of the OAuth 2.0 Authorization Request. Note: the "id" field (required in DIDComm) is ignored in UHC because "jti" is used for back-guard compatibility with OpenID.
- the "type" (required in UHC) field is set in UHC as "code+jar" to predict the content of the message.
- the "body" (required in UHC) field can have protocol and application-level data as per the DIDComm specification, but it is not used in the standard HTTP OpenID Authorization Code request.
- the "subject" (required in UHC) field refers in UHC to the target practitioner's DID when an admin is creating an install-code for a practitioner's profile (rather than referring to the cryptographic identifier "client_id" of the requester).
- the "thid" (required in UHC): it is like the optional OpenID "state" field, but mandatory in the DIDComm specification.
- the "scope" (required) field value is "openid".
- the "response_type" (required) field value contains "code".
- the "response_mode" (required) field value is "jwt" (to get the default "query.jwt" redirect URL format) or "form_post.jwt", recommended in UHC.
- the "code_challenge_method" (required) field value is "S256".
- the "code_challenge" (required) field is the SHA-256 hash result of a random challenge generated by the client application, base64url encoded.
- the "nbf" (required) field is no longer than 60 minutes in the past.
- the "exp" (required) field has a lifetime of no longer than 60 minutes after the "nbf" field. NOTE: Set the expiration period of the authorization code to one minute or a suitable short period of time if not replay is possible. The validity period may act as a cache control indicator of when to clear the authorization code cache if one is used.
- the "iss" (required) field is the "client_id" of the OAuth Client (private_key_jwt authentication method as specified in section 9 of OIDC). The parameters required to create the professional's client app the "client_id" must be provided offline by the admin.
- the "client_id" (required) identifies in UHC the identifier of the cryptographic signature key (DID#kid URI) of the profile sending the request (the key ID of the wallet of an employee who performs a role in a concrete department)
- the "aud" in UHC identifies at the same time the "software_id" URL and the OP's Issuer Identifier URL as the intended Audience. The Authorization Server MUST verify that it is an intended audience.
- the "jti" field is a unique identifier for the JWT (JWT ID), which can be used to prevent reuse of the request (replay attacks).
- the "redirect_uri" (conditional) is required when using pushed authorization request (PAR).
func CreatePayloadForCodeRequestJWT ¶
func CreatePayloadForCodeRequestJWT(expirationSeconds int64, issuerDidKid, subjectDidKid, respMode, audience, redirectURI, payloadType string) (payload *PayloadCodeRequestJWT, codeVerifierBase64Url string)
CreatePayloadForCodeRequestJWT is used in the tests to call the `/authorization` endpoint. It returns payload (or nil) and codeVerifierBase64Url. It creates SHA256 checksum of 32 random bytes (challenge) in hex format (64 characters) to comply with the 43-128 characters long.
type PayloadJsonApiJWT ¶
type PayloadJsonApiJWT struct {
Audience string `json:"aud,omitempty" bson:"aud,omitempty"`
Body PrimaryDocument `json:"body,omitempty" bson:"body,omitempty"` // it has "data" with an array of one or more Resource Object(s)
ClientID string `json:"client_id,omitempty" bson:"client_id,omitempty"`
Expiration int64 `json:"exp,omitempty" bson:"exp,omitempty"` // end of the valid date (number of seconds from Unix epoch);
Issuer string `json:"iss,omitempty" bson:"iss,omitempty"`
JSONTokenID string `json:"jti,omitempty" bson:"jti,omitempty"`
NonValidBefore int64 `json:"nbf,omitempty" bson:"nbf,omitempty"` // start of the valid date (number of seconds from Unix epoch);
RedirectURI string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
ResponseMode string `json:"response_mode,omitempty" bson:"response_mode,omitempty"` // e.g.: "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"
ResponseType string `json:"response_type,omitempty" bson:"response_type,omitempty"` // shall be "code"
Scope string `json:"scope,omitempty" bson:"scope,omitempty"`
Subject string `json:"sub,omitempty" bson:"sub,omitempty"`
ThreadID string `json:"thid,omitempty" bson:"thid,omitempty"` // thread of the message, used instead of the optional OpenID State.
To string `json:"to,omitempty" bson:"to,omitempty"` // OPTIONAL. Copy the "kid" property from the JWE header (recipient) of the body.request object before removing the encrypted request object in the body when storing on a DB's collection.
Type string `json:"type,omitempty" bson:"type,omitempty"` // The media type of the envelope MAY be set in the "typ" property
}
PayloadJsonApiJWT receives from a client app the code challenge as part of the OAuth 2.0 Authorization Request. Note: the "id" property (required in DIDComm) is ignored in UHC because "jti" is used for back-guard compatibility with OpenID.
- the "type" (required for DIDComm) property is set in UHC as "code+jar" or "profile-code+jar" to predict the content of the message.
- the "body" (required for DIDComm) property has a JSON:API Primary Document, which can include with one or more Resource Objects in the "data" property and one or more DIDComm "attachments" within each Resource Object.
- the "subject" (required in UHC) property refers in UHC to the target practitioner's DID when an admin is creating an install-code for a practitioner's profile (rather than referring to the cryptographic identifier "client_id" of the requester).
- the "thid" (required in UHC): it is like the optional OpenID "state" property, but mandatory in the DIDComm specification.
- the "scope" (required) property value is "openid".
- the "response_type" (required) property value contains "code".
- the "response_mode" (required) property value is "jwt" (to get the default "query.jwt" redirect URL format) or "form_post.jwt", recommended in UHC.
- the "nbf" (required) property is no longer than 60 minutes in the past.
- the "exp" (required) property has a lifetime of no longer than 60 minutes after the "nbf" property. NOTE: Set the expiration period of the authorization code to one minute or a suitable short period of time if not replay is possible. The validity period may act as a cache control indicator of when to clear the authorization code cache if one is used.
- the "iss" (required) property is the "client_id" of a wallet's DID#kid URI in a client application (*private_key_jwt* authentication method as specified in *section 9 of OIDC*).
- the "client_id" (required) identifies in UHC the identifier of the cryptographic signature key (DID#kid URI) of the profile sending the request (the key ID of the wallet of an employee who performs a role in a concrete department)
- the "aud" in UHC identifies at the same time the "software_id" URL and the OP's Issuer Identifier URL as the intended Audience. The Authorization Server MUST verify that it is an intended audience.
- the "jti" property is a unique identifier for the JWT (JWT ID), which can be used to prevent reuse of the request (replay attacks).
- the "redirect_uri" (conditional) is required when using pushed authorization request (PAR).
Note: the Audience "aud" property is in the Bearer access token but not in the payload when the request is not of type "code" or "token".
func CreatePayloadForJsonApiJWT ¶
func CreatePayloadForJsonApiJWT(expirationSeconds int64, clientAppSoftwareId, subjectDid string, resourceObjects []ResourceObject, audienceUrl, redirectURI string) (payload *PayloadJsonApiJWT)
CreatePayloadForJsonApiJWT is used in the tests to call the `/authorization` endpoint. It returns payload (or nil) and codeVerifierBase64Url. It creates SHA256 checksum of 32 random bytes (challenge) in hex format (64 characters) to comply with the 43-128 characters long.
type PayloadRegisterProfileRequestJWT ¶
type PayloadRegisterProfileRequestJWT struct {
SoftwareID string `json:"software_id,omitempty" bson:"software_id,omitempty"`
AudienceSlice string `json:"audience_slice,omitempty" bson:"audience_slice,omitempty"`
NotValidBefore int64 `json:"nbf,omitempty" bson:"nbf,omitempty"`
IssuedAt int64 `json:"iat,omitempty" bson:"iat,omitempty"`
JSONTokenID string `json:"jti,omitempty" bson:"jti,omitempty"`
}
type PayloadTokenRequestJWT ¶
type PayloadTokenRequestJWT struct {
// TODO: define all the fields, sorted alphabetically by the JSON field name.
Audience string `json:"aud,omitempty" bson:"aud,omitempty"`
ClientID string `json:"client_id,omitempty" bson:"client_id,omitempty"`
Code string `json:"code,omitempty" bson:"code,omitempty"` // when requesting a token
Expiration int64 `json:"exp,omitempty" bson:"exp,omitempty"` // end of the valid date (number of seconds from Unix epoch);
Issuer string `json:"iss,omitempty" bson:"iss,omitempty"`
JSONTokenID string `json:"jti,omitempty" bson:"jti,omitempty"`
NonValidBefore int64 `json:"nbf,omitempty" bson:"nbf,omitempty"` // start of the valid date (number of seconds from Unix epoch);
RedirectURI string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
ResponseMode string `json:"response_mode,omitempty" bson:"response_mode,omitempty"` // e.g.: "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"
ResponseType string `json:"response_type,omitempty" bson:"response_type,omitempty"` // shall be "code"
Scope string `json:"scope,omitempty" bson:"scope,omitempty"`
Subject string `json:"sub,omitempty" bson:"sub,omitempty"`
ThreadID string `json:"thid,omitempty" bson:"thid,omitempty"` // thread of the message, used instead of the optional OpenID State.
To string `json:"to,omitempty" bson:"to,omitempty"` // OPTIONAL. Copy the "kid" field from the JWE header (recipient) of the body.request object before removing the encrypted request object in the body when storing on a DB's collection.
Type string `json:"type,omitempty" bson:"type,omitempty"` // The media type of the envelope MAY be set in the "typ" property
}
PayloadTokenRequestJWT receives from a client app the code challenge as part of the OAuth 2.0 Authorization Request. Note: the "id" field (required in DIDComm) is ignored in UHC because "jti" is used for back-guard compatibility with OpenID.
- the "type" (required in UHC) field is set in UHC as "code+jar" to predict the content of the message.
- the "body" (required in UHC) field can have protocol and application-level data as per the DIDComm specification, but it is not used in the standard HTTP OpenID Authorization Code request.
- the "subject" (required in UHC) field refers in UHC to the target practitioner's DID when an admin is creating an install-code for a practitioner's profile (rather than referring to the cryptographic identifier "client_id" of the requester).
- the "thid" (required in UHC): it is like the optional OpenID "state" field, but mandatory in the DIDComm specification.
- the "scope" (required) field value is "openid".
- the "response_type" (required) field value contains "code".
- the "response_mode" (required) field value is "jwt" (to get the default "query.jwt" redirect URL format) or "form_post.jwt", recommended in UHC.
- the "code" (required) field is the code previously generated by the /authorize endpoint.
- the "nbf" (required) field is no longer than 60 minutes in the past.
- the "exp" (required) field has a lifetime of no longer than 60 minutes after the "nbf" field. NOTE: Set the expiration period of the authorization code to one minute or a suitable short period of time if not replay is possible. The validity period may act as a cache control indicator of when to clear the authorization code cache if one is used.
- the "iss" (required) field is the "client_id" of the OAuth Client (private_key_jwt authentication method as specified in section 9 of OIDC). The parameters required to create the professional's client app the "client_id" must be provided offline by the admin.
- the "client_id" (required) identifies in UHC the identifier of the cryptographic signature key (DID#kid URI) of the profile sending the request (the key ID of the wallet of an employee who performs a role in a concrete department)
- the "aud" in UHC identifies at the same time the "software_id" URL and the OP's Issuer Identifier URL as the intended Audience. The Authorization Server MUST verify that it is an intended audience.
- the "jti" field is a unique identifier for the JWT (JWT ID), which can be used to prevent reuse of the request (replay attacks).
- the "redirect_uri" (conditional) is required when using pushed authorization request (PAR).
type PrimaryDocument ¶
type PrimaryDocument struct {
Data []ResourceObject `json:"data,omitempty" bson:"data,omitempty"`
Errors *[]ErrorObject `json:"errors,omitempty" bson:"errors,omitempty"`
// JARProtocol openidUtils.JARHeader `json:"jar,omitempty" bson:"jar,omitempty"` // JOSE Headers from the decoded JWE and JWT/JWS (nested JWT).
Meta DIDCommBodyMetaJAR `json:"meta,omitempty" bson:"meta,omitempty"`
}
PrimaryDocument MUST be at the body of every request and response DIDComm message containing data. The document MUST contain at least one of the following top-level members: - data: the document’s “primary data”. - errors: an array of error objects. - meta: a metaObject that contains non-standard meta-information. Additionally, any other member can be defined by an applied extension and the document MAY contain any of these top-level members: - jsonapi: an object describing the server’s implementation. - links: a links object related to the primary data. - included: an array of resource objects that are related to the primary data and/or each other (“included resources”).
type RequestData ¶
type ResourceObject ¶
type ResourceObject struct {
// using DIDComm "attachments" for the JSON:API resource
// and enabling compatibility with confidential storage ("sequence", "indexed", "jwe")
Attachments *[]AttachmentV2 `json:"attachments,omitempty" bson:"attachments,omitempty"`
Attributes map[string]interface{} `json:"attributes,omitempty" bson:"attributes,omitempty"`
DidData didDocumentUtils.DidData `json:"didData,omitempty" bson:"didData,omitempty"`
IdHashed string `json:"id,omitempty" bson:"id,omitempty"` // CAUTION, it is a hashed ID from the blockchain, not a valid UUID or DID.
Included []map[string]interface{} `json:"included,omitempty" bson:"included,omitempty"`
Meta *map[string]interface{} `json:"meta,omitempty" bson:"meta,omitempty"`
Relationships *map[string]interface{} `json:"relationships,omitempty" bson:"relationships,omitempty"`
Request *RequestData `json:"request,omitempty" bson:"request,omitempty"`
Type string `json:"type,omitempty" bson:"type,omitempty"` // internal resource type for the API
FullURL string `json:"fullUrl,omitempty" bson:"fullUrl,omitempty"` // added from FHIR Bundle.Entry specification
Resource map[string]interface{} `json:"resource,omitempty" bson:"resource,omitempty"` // added from FHIR Bundle.Entry specification
Sequence uint64 `json:"sequence,omitempty" bson:"sequence,omitempty"`
Indexed []models.IndexedAttributeCollection `json:"indexed,omitempty" bson:"indexed,omitempty"`
JWE json.RawMessage `json:"jwe,omitempty" bson:"jwe,omitempty"`
}
A ResourceObject MUST contain "attributes", "type" ("Department", "HealthcareService", "Office", "Employee", etc.) but also a DID ("didData.didDocument.id") and the created time
- attachments (Optional): additional data as DIDComm attachments
- attributes (Required): an attributes object representing some of the resource’s data.
- didData (Required): contains the DID at "didData.didDocument.id"
- id (Optional): CAUTION, it is an optional hashed ID from the blockchain, not a valid UUID or DID.
- meta (Optional): optional meta-information about a resource that can not be represented as an attribute or relationship.
- relationships: a relationships object describing relationships between the resource and other JSON:API resources.
- links: a links object containing links related to the resource.
- type (Required): internal resource type the request is about, e.g.: "Department", "HealthcareService", "Office", "Employee", "Profile", etc.
- fullURL (Optional): added from FHIR Bundle.Entry specification
- resource (Optional): added from FHIR Bundle.Entry specification
func (*ResourceObject) ExportToJSON ¶
func (resourceObject *ResourceObject) ExportToJSON() map[string]interface{}
FromJSON marshals the JSON data to bytes and then unmarshal the bytes to ResourceObject
func (*ResourceObject) FromJSON ¶
func (resourceObject *ResourceObject) FromJSON(dataJSON *map[string]interface{})
FromJSON marshals the JSON data to bytes and then unmarshal the bytes to ResourceObject
func (*ResourceObject) GetDID ¶
func (resourceObject *ResourceObject) GetDID() string
type ResponseDocumentPayloadBodyJARM ¶
type ResponseDocumentPayloadBodyJARM struct {
Data *[]map[string]interface{} `json:"data,omitempty" bson:"data,omitempty"` // an array of JSON:API Resource Objects.
Errors *[]ErrorObject `json:"errors,omitempty" bson:"errors,omitempty"` // an array of JSON:API Error Objects.
Meta *DIDCommBodyMetaJAR `json:"meta,omitempty" bson:"meta,omitempty"` // decoded "Bearer" access token and "DPoP".
Jsonapi *map[string]interface{} `json:"jsonapi,omitempty" bson:"jsonapi,omitempty"`
Links *[]LinkObject `json:"links,omitempty" bson:"links,omitempty"` // A "link object" is an object that represents a web link, related to the primary data.
Included *[]ResourceObject `json:"included,omitempty" bson:"included,omitempty"` // an array of resource objects that are related to the primary data and/or each other (“included resources”).
// difference with request:
HttpHeader *httpUtils.HttpResponseHeaders `json:"http,omitempty" bson:"http,omitempty"` // HTTP header fields (when sent by HTTP protocol).
}
ResponseDocumentPayloadBodyJARM is a JSON:API Primary Document which can have HTTP Headers and API Data. It MUST be at the body of every request / response DIDComm message containing data. It MUST contain at least one of the following top-level members:
- Data: the document’s "primary data" (see https://jsonapi.org/format/1.1/).
- Errors: an array of JSON:API Error objects.
- Meta: a Meta object that contains non-standard meta-information specific for the protocol, such as decoded "Bearer" and "DPoP" tokens. (they can be set when using bluetooth or decoded from tht HTTP Headers) and it is removed before creating a FormData (to be sent to an API). Note: "Data.Meta" can contain metadata for each resource object, distinct to this specific protocol's "Meta" data.
Additionally, any other member can be defined by an applied extension: - HttpHeader: HTTP response header fields (e.g.: Authorization, DPoP, Content-Type). The document MAY contain any of these top-level members: - jsonapi: an object describing the server’s implementation. - links: a links object related to the primary data. - included: an array of resource objects that are related to the primary data and/or each other (“included resources”).
type ResponseDocumentPayloadJARM ¶
type ResponseDocumentPayloadJARM struct {
// OpenID JARM mandatory fields
Audience string `json:"aud"` // the API(s) the JWT is intended for (it is converted to a space separated string)
Expiration int64 `json:"exp"` // the expiration time of the JWT (it is not a string);
Issuer string `json:"iss"` // the issuer URL of the authorization server that created the response
// OpenID Error fields
Error *string `json:"error,omitempty"` // OpenID Authentication error: https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1
ErrorDescription *string `json:"error_description,omitempty"` // a human-readable description of the error
ErrorURI *string `json:"error_uri,omitempty"` // a URI identifying a human-readable web page with information about the error (e.g.: with info for developers)
// OpenID Code flow response fields
Code *string `json:"code,omitempty"`
IssuedAt *int64 `json:"iat,omitempty"`
JSONTokenID *string `json:"jti,omitempty"`
NotBefore *int64 `json:"nbf,omitempty"`
Scope *string `json:"scope,omitempty"`
// OpenID AccessToken flow response fields
AccessToken *string `json:"access_token,omitempty"`
ExpiresIn *int64 `json:"expires_in,omitempty"`
IdToken *string `json:"id_token,omitempty"`
RefreshToken *string `json:"refresh_token,omitempty"`
TokenType *string `json:"token_type,omitempty"`
// Open ID Additional fields
State *string `json:"state,omitempty"` // the state value as sent by the client in the authorization request (if applicable)
// DIDComm fields
// Attachments *[]didCommunicationUtils.DIDComm
Body ResponseDocumentPayloadBodyJARM
MediaType *string `json:"typ,omitempty"`
}
ResponseDocumentPayloadJARM is the payload of the JWT Response Document utilized to secure the transmission: - Audience: the client_id of the client the response is intended for (it is not an array of strings); - Expiration: expiration of the JWT (it is not a string); - Issuer: the issuer URL of the authorization server that created the response; - HttpHeaders Status-Code; - State - the state value as sent by the client in the authorization request (if applicable); - the result Data from the API (see https://jsonapi.org/format/1.1/#document-top-level) - OR the Error response data as per the OpenID JARM error response parameters defined in RFC6749 section 4.1.2.1 (see JARM at https://bitbucket.org/openid/fapi/src/master) with the Error code and optional ErrorDescription and ErrorURI.
func (*ResponseDocumentPayloadJARM) ToJSON ¶
func (responsePayloadData *ResponseDocumentPayloadJARM) ToJSON() map[string]interface{}
Source Files
¶
- common.go
- didComm.go
- didCommV2.model.go
- headerJWE.go
- headerJWS.go
- jsonApiPrimaryDoc.model.go
- jsonApiResourceObject.go
- msgIssueCredential.go
- requestCodeJWT.go
- requestCodePayload.go
- requestDCR.go
- requestJAR.go
- requestJsonApi.go
- requestJsonApiPayload.go
- requestNewProfileCode.go
- requestRegisterProfile.go
- requestTokenPayload.go
- responseJARM.go