vc-authn-oidc
Do not return vc claims as root-level properties of the JWT
After successfully responding to a proof-request, vc-authn will compile a JWT which contains all of the attribute values that were received when responding to the proof-request.
It would be best to wrap all of those attributes in an object (e.g.: presented_attribute_values) in order to facilitate integration with third-party IAM systems such as Keycloak. This would only require setting up the IdP mappers once, to support pres_req_conf_id and presented_attributes_values, and delegate to each client which attributes to process.
In the current state, when a new proof-request needs to be processed by the IdP, new mappers for the new claims need to be set up each time.
Clever!
@swcurran @WadeBarnes as we onboard more users to the shared service we definitely want to prioritize and get this done sooner rather than later. While this is not a deal breaker if the new teams have their own Keycloak realms and deal with their own mappers, it becomes pressing when (e.g.: our demo environments) the same Keycloak realm is used by more than one application and there is more than one type of VC returned. Keycloak can still handle individual values by using mappers that drill down into the nested object, but for a "general" use just grabbing the property holding the map of values seems like a no-brainer to me.
This is work inside vc-authn-oidc, correct? Presumably in the .NET code that was originally done by Mattr.
We would have to release this as a 2.0, in case others are using this. Or make it an option.
I think we find someone to do this, and then have them sit down with you to go through what it will take.
Yes, this is in the code. It shouldn't be a hard change, really.
I agree about releasing it in a backward-compatible way: I would suggest adding the property containing all attributes alongside the root-level claims for now, and phasing out the root-level claims later on in a future release.
We have never really released vc-authn before so it might be worth tagging a 1.0 release before we merge the change, and then 2.0 once we remove the old root-level attributes.
Has anyone been assigned to do this or has it been tackled yet?
Not yet, we have not gotten around to prioritizing/completing this. If you can/want to submit a PR with the relevant change we'd be happy to review it!
Added the 2.0 label as this feature will likely get pushed to the next version (currently WIP) of vc-authn.
Ideally, we would return any claim matching standard OIDC claims (username, email) at the root level as well as inside the presented_attributes object.
Resolved in #214 with top-level key vc_presented_attributes.
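The claim layout this thread converges on (every presented attribute nested under vc_presented_attributes, with pres_req_conf_id and any standard OIDC claims such as email at the root, and the old root-level attributes kept only behind a transition flag), as an added example in Python. This is illustrative code written for this page, not vc-authn-oidc's own implementation (which is .NET); the function names, the stdlib HS256 signing helpers, the STANDARD_OIDC_CLAIMS list and the sample attribute values are all assumptions, not taken from the project.

```python
import base64
import hashlib
import hmac
import json
import time

# Registered JWT claim names (RFC 7519 section 4.1) plus the two vc-authn keys.
# A presented VC attribute is never allowed to overwrite one of these at the root.
PROTECTED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti",
                    "pres_req_conf_id", "vc_presented_attributes"}

# Standard OIDC claims that are also mirrored at the root level. Hypothetical
# list for this example; the thread names username and email as the motivation.
STANDARD_OIDC_CLAIMS = {"email", "preferred_username", "name",
                        "given_name", "family_name"}

# Constructed sample: attribute values a verifier might receive when a
# proof-request is answered. "sub" is included on purpose to show why a
# VC attribute must not be copied blindly to the root of the token.
SAMPLE_ATTRIBUTES = {
    "email": "alice@example.org",
    "first_name": "Alice",
    "birthdate_dateint": "19900101",
    "sub": "attacker-controlled-subject",
}


def build_id_token_claims(issuer, subject, audience, pres_req_conf_id,
                          presented_attributes, legacy_root_claims=False, now=None):
    """Assemble the claim set for a successful proof-request response.

    All attributes go under vc_presented_attributes. Standard OIDC claims are
    mirrored at the root; with legacy_root_claims=True every attribute is
    mirrored (the pre-nesting shape), except names that would shadow a
    protected claim.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + 300,
        "pres_req_conf_id": pres_req_conf_id,
        "vc_presented_attributes": dict(presented_attributes),
    }
    for name, value in presented_attributes.items():
        if name in PROTECTED_CLAIMS:
            continue  # e.g. a VC attribute called "sub" stays nested only
        if legacy_root_claims or name in STANDARD_OIDC_CLAIMS:
            claims[name] = value
    return claims


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt_hs256(claims: dict, key: bytes) -> str:
    """Sign the claim set as a compact HS256 JWT (stdlib only, for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def extract_vc_attributes(claims: dict) -> dict:
    """Relying-party side: a single lookup returns every attribute, whichever
    proof-request configuration produced the token (the one-mapper case)."""
    attrs = claims.get("vc_presented_attributes")
    if not isinstance(attrs, dict):
        raise ValueError("token carries no vc_presented_attributes object")
    return attrs


if __name__ == "__main__":
    claims = build_id_token_claims("https://vc-authn.example", "user-1", "keycloak-client",
                                   "verified-email", SAMPLE_ATTRIBUTES)
    token = encode_jwt_hs256(claims, b"example-key")
    print(extract_vc_attributes(decode_jwt_hs256(token, b"example-key")))
```

The PROTECTED_CLAIMS check is the reason nesting is more than a convenience: with attributes copied to the root, a credential attribute whose name happens to be "sub", "exp" or "pres_req_conf_id" would overwrite the token's own claim, whereas under vc_presented_attributes it can only ever be read as an attribute. On the consuming side, a single Keycloak mapper on vc_presented_attributes (or the one-line extract_vc_attributes above) covers every proof-request configuration.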