Feat/dc api workflow #19
Conversation
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
| > | ||
| {{ | ||
| $t("dcApiSwitchMethod") || | ||
| "Use a different verification method" |
There was a problem hiding this comment.
TODO: Need to identify if there is a way to fallback to annex b and if annex c/d is not supported for a device. (e.g., bluetooth, browser experimental flags, etc.).
There was a problem hiding this comment.
Yes, this is a good point for discussion. I think it is a solvable question, though it would be a great starting point to identify what specific device we should use to test this approach to see how much effort should be invested in it.
The general paradigm for opencred is that each session is an "exchange" for a particular workflow backend but that different wallet interaction methods could be used to facilitate that workflow backend's processing. Switching back to the oid4vp "native" backend from inside a request for a "dc-api" backend would slightly break that paradigm, but I imagine the DcApi workflow backend could manage some fallback processing using the code from the native backend, with some refactoring. If we end up needing to do it.
| const payload = { | ||
| iss: config.server.baseUri, | ||
| aud: rp.clientId, | ||
| sub: subject || exchange.id, |
There was a problem hiding this comment.
Need to identify what the subject should be. It may not be guaranteed that the document number would be requested by a relying party.
Need to identify if this JWT construction is correct.
@Ryanmtate seems like some of the files in the PR have a bunch of formatting changes to use double quotes and changed spacing. Generally preferable to split linting/formatting changes out into their own PRs but sometimes it's not practical, so I'm willing to consider it here, but maybe you could relint the config.js file and a couple others to ensure that the eslint config changes are working against the current "DB style" approach. Our team is using MacOS or Unix systems generally, so it wouldn't be a surprise if there is a little formatting consistency work to do to enable clean collaboration with windows user developers. |
|
Yes, thank you, this was an IDE configuration, which doesn't seem to be pulling in the eslint config. I will see if I can revert these formatting changes. |
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
|
I ran eslint against the project and resolved the linting errors. I still see formatting changes to the .vue exchange layout file, maybe there is another linter for vue being used? |
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
The eslint setup does lint .vue files via the eslint-config-digitalbazaar/vue3 rules. It's going to enforce the same js style there and and check for other vue issues. Looks like those files were changed to another style with different quotes, indents, and so on. A future opinionated style issue is that the next version of digitalbazaar eslint config checks for no trailing commas. I notice many being added here. Configurable of course, but that's the direction we went for consistency vs no rule and mixed syntax. |
ottonomy
left a comment
ottonomy
left a comment
There was a problem hiding this comment.
Thanks again for submitting this. I will plan on finishing processing this into an OlenCred update that also simplifies the config structure that I've been preparing. I took some notes on the integration points for me as I work.
I'll especially be looking at removing the secondary exchange creation for session purposes. There was another case of such a thing already in OpenCred, and they should probably both go away for more database efficiency. I'm sure I'll discover what you mean more specifically by limitations in the session lifecycle that caused you to go this direction. It seems like it's not a data type issue but maybe more like something about not exposing some private server side data to the client?
Some of the comments in this review are likely incorrect or etc, mostly pointers for my notes as I integrate.
| // Default to 1 hour | ||
| const expirySeconds = rp.idTokenExpirySeconds || 3600; | ||
|
|
||
| const subject = stepResults.response['org.iso.18013.5.1'].document_number; |
There was a problem hiding this comment.
Danger with non happy path payloads
| const stepResults = exchange.variables.results[stepResultKey]; | ||
|
|
||
| // Handle DC API workflow differently | ||
| if(rp.workflow?.type === 'dc-api' && !!stepResults) { |
There was a problem hiding this comment.
Break out into testable function to generate the payload for dc API
| } | ||
|
|
||
| async initDcApi() { | ||
| const rp = config.opencred.relyingParties.find( |
There was a problem hiding this comment.
There may be multiple rps of this type, rp assignment should be done at request time in auth/middleware.
| rp?.workflow?.baseUrl, | ||
| submissionEndpoint, | ||
| referenceEndpoint, | ||
| encoder.encode(config.opencred.caStore[0]), |
There was a problem hiding this comment.
Find appropriate specific cert, probably at request time associated with a specific RP. The session store is probably the thing that needs to happen first.
| const rp = req.rp; | ||
| const exchange = await this.getExchange({rp, id: req.params.exchangeId}); | ||
|
|
||
| logUtils.presentationStart(rp?.clientId, exchange?.id); |
There was a problem hiding this comment.
Move after next line and check log lifecycle for consistency here
| emit("overrideActive"); | ||
| }; | ||
| const switchToOtherMethod = () => { |
There was a problem hiding this comment.
Improve this to only use available methods for the workflow type
| <p class="text-lg text-green-600 mb-6"> | ||
| {{ successMessage }} | ||
| </p> | ||
| <div class="mt-6"> |
There was a problem hiding this comment.
Only if on loginview, handle with events, don't show button if not possible
| }; | ||
| const handleGoBack = () => { | ||
| emit("overrideActive"); |
There was a problem hiding this comment.
Make sure this is right for "go back"
| :style="{ color: brand.primary }" | ||
| @click="switchToOtherMethod" | ||
| > | ||
| {{ $t("dcApiTryAnotherWay") || "Try another way" }} |
There was a problem hiding this comment.
Todo, define and test fallback
| state.currentUXMethodIndex = openid4vpIndex; | ||
| } | ||
| } | ||
| // For other workflow types, keep default (first protocol in the list) |
There was a problem hiding this comment.
Clean up to only display possible options for the RP and choose best one first
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
3 participants
This pull request adds support for a new "DC API" workflow type to the OpenCred platform, enabling Digital Credential API-based verification flows. It introduces a new relying party configuration for DC API, updates the JWT generation logic to handle DC API responses, and adds related configuration, validation, and localization changes.
DC API Workflow Support
dc-apiworkflow type in the configuration (WorkflowType.DcApi) and included it in the list of available exchange protocols. [1] [2]combined.example.yaml.JWT Generation Enhancements
jwtFromExchangeincommon/jwt.jsto generate JWTs for DC API workflows, extracting relevant fields from the DC API response and including verification status and errors as claims.Localization and UI
General Configuration
Added an example config for dc api workflow.