Authentication module

[javiesses]

• Reducer
  • Reducer tests
• Operations
  • Operations tests POC (are commented to prevent breaking CircleCI tests, they point to a local server)
  • Operations unit tests with mocked server

The base of the PR is #46 to make it easier to compare the changes, will be changed once that PR is merged

[ilanolkies]

We should create this closure outside serviceLoginFactory closure

[javiesses]

I left them inside the serviceAuthenticationFactory because they depends on some variables that are received by the parent function. Do you think I should move them outside and send the needed params? I'm talking about did and serviceDid.

[ilanolkies]

We can curry them

[ilanolkies]

Same here

[ilanolkies]

Do you think we should use credential model here or just a signed jwt? I think using just a jwt to respond here makes it simpler and it has the same effect, signing the challenge.

[javiesses]

I partially agree on that. It's true that it will become simpler to create just a signed JWT instead of a VC, but take in account that daf-w3c already has an action handler to build those VCs, and if we want to sign a JWT we should build an action handler to do that within daf-did-jwt because it is not created yet, or use directly did-jwt package with no agent involved, we just need to obtain the signer from it.
I think is cleaner to create a daf-did-jwt action handler inside rif-id-daf package

[javiesses]

In another hand, if we change the type of the JWT we should change the auth package as well, it is expecting the challenge inside a W3C VC
https://github.com/rsksmart/rif-identity-services/blob/cc4b183b9dc3d60e958be1da87afeafb87aba9ad/rif-id-jwt-auth/src/index.js#L76-L78

[ilanolkies]

we should build an action handler to do that within daf-did-jwt

that's a bummer...

I think is cleaner to create a daf-did-jwt action handler inside rif-id-daf package

I would rise an issue in uPort project to see if they are interested in merging this, what do you think?

we should change the auth package as well

IMHO it worths it

---

Anyway, before taking any desicion let's think a little bit better on this interface. I guess a good extension in the future will include some credentials in this step

1. User requests access
2. Services sends a token and a selective disclosure request
3. User fills request with declarative details and/or presentations + challange
4. Service grants access and gives credential to user, probably including metadata taken from the request response.

[javiesses]

Based on what we already agreed, let's do the following:

1. User requests access
2. Service sends a challenge
3. Users signs a VP with the received challenge in the VP metadata. The user should include the needed VC inside that VP, if the service does not require any VC, it should send an empty array
4. Service validates the challenge and performs the needed business validations with the received VCs
5. If all the validations pass, the service creates a VC and sends it JWT representation to the user
6. User uses the received VC to authenticate each request to the service

Remarks:

• Why the user needs to include VCs in the authentication process? Because the service may need to verify some business logic before granting access, for instance, that the user is older than 18 years old
• Why the user will authenticate with the received VC and not with a ad hoc VP for each request? Because there is not added value by doing that and it needs an extra signing step with no sense

[javiesses]

Created a new issue in rif-identity-services

[ilanolkies]

I would use the name “authenticate” instead of “login”, it describes better what this is doing. What do you think about this?

[javiesses]

Yep! Sounds better

[ilanolkies]

Let’s test the state after the error is thrown. It should be same than before throwing. Adding issue to add it in this one and in the other operations tests