digital-credentials

parameters not specific to the credential format

Open Sakurann opened this issue 2 years ago • 2 comments

In the reconciliation example, nonce is duplicated in mdoc and federated, and readerPublicKey is included only in mdoc. Since nonce and probably readerPublicKey should be present in VC too, those parameters should be treated as credential-format specific.

So examples for MDocs and FedCM could look like below:

MDocs

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
      readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
      mdoc: {
        retention: {
          days: 90,
        },
        documentType: "org.iso.18013.5.1.mDL",
        requestedElements: [
          { namespace: "org.iso.18013.5.1", name: "document_number" },
          { namespace: "org.iso.18013.5.1", name: "portrait" },
          { namespace: "org.iso.18013.5.1", name: "driving_privileges" },
          { namespace: "org.iso.18013.5.1.aamva", name: "organ_donor" },
        ],
      }
    }],
  }
});

FedCM

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "m5tGxUIsFtLi6pwg",
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123"
      }
    }]
  }
});

Sakurann avatar Apr 28 '23 05:04 Sakurann

Ah yeah, good point.

Since you kicked this off, we introduced a params object, which is a grab-bag of key-value pairs that is sent to wallets (and OIDC providers) after selection and can contain anything that the RP may want to send to the wallet/IdP. The intuition is that that's where nonce and readerPublicKey can live, because these aren't things that the browser cares about.

So, for example:

// Gets a CBOR with specific fields out of mobile driver's license as an mdoc
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      holder: {
        selector: {
          retention: {days: 90},
          doctype: "org.iso.18013.5.1.mDL",
          fields: [
            "org.iso.18013.5.1.document_number",
            "org.iso.18013.5.1.portrait",
            "org.iso.18013.5.1.driving_privileges",
            "org.iso.18013.5.1.aamva.organ_donor",
          ],
        },
        params: {
          nonce: "gf69kepV+m5tGxUIsFtLi6pwg=",
          readerPublicKey: "ftl+VEHPB17r2 ... Nioc9QZ7X/6w...",
        }
      }
    }],
  }
});

and

// Gets a JWT from an OIDC provider.
const {response} = await navigator.credentials.get({
  identity: {
    providers: [{
      federated: {
        configURL: "https://university.edu/students",
        clientId: "123",
        params: {
          nonce: "m5tGxUIsFtLi6pwg"
        }
      }
    }]
  }
});

Would that work?

samuelgoto avatar Sep 29 '23 17:09 samuelgoto

Is nonce the same as the WebAuthn challenge? Or can nonce be an arbitrary-length string (like a JWS or JWE)?

Are the params always limited to the "holder" concept, or are they values that are not controlled by the holder?

OR13 avatar Oct 05 '23 17:10 OR13

Closing this one since it was based on the old proposal, and with the new proposal I believe this issue does not exist anymore.

Sakurann avatar Aug 01 '24 18:08 Sakurann