Authorization Tokens in APIHub
A period when the community can review the RFC (comment Docs).
Document Maintainers: Andi Gabriel Țan, 2024. List of other contributors in Annex 1.
Copyright: MIT license
Copyright © 2018-2024 Axiologic Research and Contributors. This document is licensed under MIT license.
- Authorization Tokens in APIHub
- Abstract
- 1. APIHub as an OpenDSU Cloud Agent
- 2. Type of Wallets
- Annex 1. Contributors
Abstract
1. APIHub as an OpenDSU Cloud Agent
1.1. Token-based authorization in APIHub
1.2. KeySSI-based JWT Tokens
The JWT signature is computed in two steps:
- Obtain the hash of the JWT Header and the Payload.
- Sign the hash with the private key of the “iss” obtained from the SeedSSI.
| JWT Header Fields | Details |
|---|---|
| typ (Token type) | Set to “SeedSSIJWT” |

Reference: https://en.wikipedia.org/wiki/JSON_Web_Token
| JWT Payload Fields | Details |
|---|---|
| sub | Set to the identifier of the user owning the SeedSSI used for issuing the token |
| aud | The Audience field is a hash used to verify that the token is authentic and was not reused. The “aud” value is obtained by applying the hash function to a string obtained by concatenating the URL that is under the authorisation |
| iss | The sReadSSI used for signing (the JWT Issuer) |
| iat | Issued At Time claim |
| nbf | Not Before Time |
| exp | Expiration Time |
1.2.1. Threat model
- Improperly signed JWT Token
- Stolen SeedSSI used to create valid JWT Tokens
- Stolen JWT Token
- Corrupted APIHub
1.2.2. Relevant APIs in OpenDSU SDK
| API | Description | API family |
|---|---|---|
| createJWT | createJWT(issuer: SeedSSI, scope: string, credentials: array, options, callback) Returns: a valid JWT token signed by the SeedSSI | crypto |
| verifyJWT | verifyJWT(JWT, rootOfTrustVerificationStrategy, callback) Returns: calls the callback with success (true) or error | crypto |
| createCredential | createCredential(issuer: SeedSSI, credentialSubject, callback) | |
| createAuthToken | createAuthToken(seedSSI, scope, credential, callback) | |
| verifyAuthToken | verifyAuthToken(jwt, listOfIssuers, callback) | |

APIHub configuration entry listing the routes that skip authorisation:

```
skipAuthorisation: ["bricks/get-brick/epi", "bricks/get-brick/:ssi:zsa:epi:"]
```
| KeySSIs | |
|---|---|
| Authorisation SSI | Signed |
| User SSI | |

| Tokens | |
|---|---|
| User Credentials | Signed by Authorisation SSI; binds User SSI (contains User sReadSSI) |
| Authentication Token | Signed by User SSI; binds User Credentials |
2. Type of Wallets
2.1. SeedSSI Wallet
2.2. SecretSSI Wallets
Contributors
- Axiologic Research: New content and improvements. Original texts under PharmaLedger Association and Novartis funding. MIT licensed content in accordance with the contracts. Publishes and maintains the www.opendsu.org site.
- PharmaLedger Project: Review, feedback, observations, new content, and corrections. MIT licensed in accordance with the consortium agreements.
- PrivateSky Research Project: MIT licensed content in accordance with the contracts. https://profs.info.uaic.ro/~ads/PrivateSky/
Annex 1. Contributors
| Current Editors | |
|---|---|
| Andi-Gabriel Țan | andi@axiologic.net |
| Contributors Axiologic Research | |
| Adrian Ganga | adrian@axiologic.net |
| Andi-Gabriel Țan | andi@axiologic.net |
| Cosmin Ursache | cosmin@axiologic.net |
| Daniel Sava | daniel@axiologic.net |
| Nicoleta Mihalache | nicoleta@axiologic.net |
| Valentin Gérard | valentin@axiologic.net |
| PrivateSky Contributors | |
| Alex Sofronie | alsofronie@gmail.com (DPO) |
| Cosmin Ursache | cos.ursache@gmail.com (UAIC) |
| Daniel Sava | sava.dumitru.daniel@gmail.com (HVS, AQS) |
| Daniel Visoiu | visoiu.daniel.g@gmail.com (SGiant) |
| Lenuța Alboaie | lalboaie@gmail.com (UAIC) |
| Rafael Mastaleru | rafael@rms.ro (RMS) |
| Sînică Alboaie | salboaie@gmail.com (UAIC) |
| Vlad Balmos | vlad.balmos@gmail.com (Code932) |
| PharmaLedger Contributors | |
| Ana Balan | bam@rms.ro (RMS) |
| Bogdan Mastahac | mab@rms.ro (RMS) |
| Cosmin Ursache | cos@rms.ro (RMS) |
| Rafael Mastaleru | raf@rms.ro (RMS) |