@identity.com/dsr

    3.0.0 • Public • Published

    Dynamic Scope Request Javascript Library

    CircleCI npm (scoped)

    Summary

    The Dynamic Scope Request (DSR) javascript library provides capability around securely requesting credential information between a ID Requester and an ID Holder.

    DSR are part of the ecossystem of identity.com providing an standardized way for an Identity Requester to inquiry for PII on the form of Verifiable Credentials (W3C link for Verifiable Credentials). DSR resolution is the process which allow to check if an set of Verifiable Credentials matches the specified constraints on the DSR (the constraints can be reduced to claims instead of the whole credential).

    Contents

    Usage

    Config

    This library depends on some configuration settings to work properly. The configuration is made in four different ways that override each other - etc config file, user config file, environment's variables, in code - and consists of the following settings:

    • PARTNER_ID: Partner Unique Identifier
    • PARTNER_XPUB: Partner Signing Public Key
    • PARTNER_XPRV: Partner Signing Public Key
    • APP_ID: Partner Application Identifier
    • APP_NAME: Application Name to show to the user
    • APP_LOGO_URL: Application Logo to show to the user (https required)
    • APP_DESCRIPTION: Application Logo to show to the user
    • APP_PRIMARY_COLOR: Application main color to show to the user
    • APP_SECONDARY_COLOR: Application text color to show to the user
    • BASE_EVENT_URL: base endpoint to receive ScopeRequest events (https required)
    • BASE_PAYLOAD_URL: base endpoint to receive ScopeRequest payload (https required)

    Create ScopeRequest

    ScopeRequest(uniqueId: String, credentialItems: Array, channelsConfig: Object, appConfig: Object, partnerConfig: Object)

    ChannelsConfig

    {
      "type": "object",
      "properties": {
        "eventsURL": {
          "type": "string",
          "examples": [
            "https://..."
          ]
        },
        "payloadURL": {
          "type": "string",
          "examples": [
            "https://..."
          ]
        }
      }
    }

    AppConfig

    {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "examples": [
            "12as-322222-22"
          ]
        },
        "name": {
          "type": "string",
          "examples": [
            "The App"
          ]
        },
        "logo": {
          "type": "string",
          "examples": [
            "https://"
          ]
        },
        "description": {
          "type": "string",
          "examples": [
            "Cool App"
          ]
        },
        "primaryColor": {
          "type": "string",
          "examples": [
            "AADFBC"
          ]
        },
        "secondaryColor": {
          "type": "string",
          "examples": [
            "AAEEFD"
          ]
        }
      }
    }

    Build a signed ScopeRequest request body

    Once you constructed a valid ScopeRequest object you can use the helper function buildSignedRequestBody to create a signed request body using the requester in the config.

    buildSignedRequestBody(scopeRequest)

    returns

    {
    	"payload": "[Object]",
    	"signature": "<valid signature>",
    	"algorithm": "ES256",
    	"xpub": "<public key pair that can be used to compare with a pinned one>"
    }

    Build a signed ScopeRequest request body

    To verify a signed request body you can use the helper function verifySignedRequestBody passing a parsed body object.

    verifySignedRequestBody(body, pinnedXpub)

    pinnedXpub parameters is optional, but recomended to avoid man in the middle attacks.

    return true is the body is valid

    Utils

    Some helper functions to easy the DSR and verifiable credentials usage

    Check if a scopeRequest RESPONSE fulfill the credentials constrains on the request

    /**
       *
       * @param credentialItems - A list of credentialItems to check
       * @param request - Original ScopeRequest
       * @return {boolean}
       */
      static async credentialsMatchesRequest(credentialItems, request)
      
      //Example
      await ScopeRequest.credentialsMatchesRequest(credentialItems, dsr);  

    Install

    Prerequisites

    Installation instructions

    First run:

    npm install

    Then install airbnb eslint peer dependencies (npm 5+):

    npx install-peerdeps --dev eslint-config-airbnb

    Test

    This library has jest configured, run the command for testing:

    npm run test

    For watching tests while developing, open an terminal and run the command:

    npm run test:watch

    Publishing schemas

    The dsr-js library has a script, avaiable in the package.json, to publish the generate schemas to a bucket in AWS. The following command will publish the schemas:

    S3_BUCKET_SCHEMA_URL=<s3://your-bucket-url> npm run publish-schemas

    There is also a script to check the published schemas:

    S3_PUBLIC_SCHEMA_URL=<http://your-schem-url> npm run check-schemas

    To publish and check the schemas it is required to have the environment variables for AWS credentials defined (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY).

    Examples

    Simple Unresolved DSR Request with Global Identifiers

    Running this DSR:

    {
      "version": "1",
      "timestamp": "2018-07-04T00:11:55.698Z",
      "requesterInfo": {
        "requesterId": "3735a5b4-8a1f-11e8-9a94-a6cf71072f73",
        "app": {
          "id": "3cc295aa-8a1f-11e8-9a94-a6cf71072f73",
          "name": "App Name",
          "logo": "https://server/path/logo.png",
          "description": "App Description",
          "primaryColor": "2345EE",
          "secondaryColor": "2345FF"
        }
      },
      "channels": {
        "eventsURL": "https://server/events/UUID",
        "payloadURL": "https://server/payload/UUID"
      },
      "credentialItems": [
        "credential-civ:Credential:Address-1"
      ],
      "authorization": {
        "jwt": "<EXPIRABLE-TOKEN-SIGNING-EXACT_REQUEST>"
      }
    }

    Against an VC (this is a partial VC json) that has:

    {
      "identifier": "credential-civ:Credential:Address-1",
      "claims": {
        "type": {
          "address": {
            "city": "j7e2uJWSvw",
            "country": "4l63DP8E4l",
            "county": "PKve4XPrkn",
            "state": "f1hdWTntvk",
            "street": "vDOqAOSz69",
            "unit": "ZvosZqh3Nd",
            "zipCode": "TVouidgvJb"
          }
        }
      }
    }

    Should return that VC, since it's identifier is of the type of the global Identifier.

    Complex Unresolved DSR Request

    Running this DSR:

    {
      "version": "1",
      "timestamp": "2018-07-04T00:11:55.698Z",
      "requesterInfo": {
        "requesterId": "3735a5b4-8a1f-11e8-9a94-a6cf71072f73",
        "app": {
          "id": "3cc295aa-8a1f-11e8-9a94-a6cf71072f73",
          "name": "App Name",
          "logo": "https://server/path/logo.png",
          "description": "App Description",
          "primaryColor": "2345EE",
          "secondaryColor": "2345FF"
        }
      },
      "channels": {
        "eventsURL": "https://server/events/UUID",
        "payloadURL": "https://server/payload/UUID"
      },
      "credentialItems": [
        {
          "identifier": "claim-cvc:Identity:name-1",
          "constraints": {
            "claims": [
              { "path": "name.first", "is": {"$eq": "pgbXa8A3QI"} }
            ]
          }
        }
      ],
      "authorization": {
        "jwt": "<EXPIRABLE-TOKEN-SIGNING-EXACT_REQUEST>"
      }
    }
    

    Against an VC like this:

    {
      "identifier": "credential-civ:Credential:Address-1",
      "claims": {
        "type": {
          "address": {
            "city": "j7e2uJWSvw",
            "country": "4l63DP8E4l",
            "county": "PKve4XPrkn",
            "state": "f1hdWTntvk",
            "street": "vDOqAOSz69",
            "unit": "ZvosZqh3Nd",
            "zipCode": "TVouidgvJb"
          }
        }
      }
    }

    Should return an empty array, since we are asking for Identity:name, and this is of the type Address

    But if we run against this:

    {
    "id": null,
      "issuer": "did:ethr:0xf3beac30c498d9e26865f34fcaa57dbb935b0d74",
      "issued": "2018-07-17T23:39:28.937Z",
      "identifier": "credential-cvc:GenericDocumentId-v1",
      "expiry": null,
      "version": 1,
      "type": [
        "Credential",
        "credential-cvc:GenericDocumentId-v1"
      ],
      "claims": {
        "type": {
          "address": {
            "city": "7q32QO6QyC",
            "country": "DMWNjI2H6z",
            "county": "ClqmGgB9Gz",
            "state": "54fwzeph9R",
            "street": "1nU8mrOXDn",
            "unit": "xSBuKa0wah",
            "zipCode": "XU5w1tilyt"
          },
          "documentType": "QTeD2VzUVc",
          "image": {
            "image": "END9Z7RDtC",
            "md5": "zh9Lwz1Dsx"
          }
        },
        "identity": {
          "dateOfBirth": {
            "day": 29,
            "month": 2,
            "year": 1960
          },
          "name": {
            "first": "pgbXa8A3QI",
            "last": "aWJVXwRA27",
            "middle": "VKBbKo0KE3",
            "nickname": "HpoKF41SeI"
          },
         }
      }
    }

    It has to return, since one of the UCA types of Generic Id is Identity:name

    We can also run an DSR of claim, against the previous example:

    {
      "version": "1",
      "timestamp": "2018-07-04T00:11:55.698Z",
      "requesterInfo": {
        "requesterId": "3735a5b4-8a1f-11e8-9a94-a6cf71072f73",
        "app": {
          "id": "3cc295aa-8a1f-11e8-9a94-a6cf71072f73",
          "name": "App Name",
          "logo": "https://server/path/logo.png",
          "description": "App Description",
          "primaryColor": "2345EE",
          "secondaryColor": "2345FF"
        }
      },
      "channels": {
        "eventsURL": "https://server/events/UUID",
        "payloadURL": "https://server/payload/UUID"
      },
      "credentialItems": [
        "claim-cvc:Identity:name-1"
      ],
      "authorization": {
        "jwt": "<EXPIRABLE-TOKEN-SIGNING-EXACT_REQUEST>"
      }
    }
    

    It has to return the VC, since we want any VC that has a claim of Identity:name

    ES5 and ES6 definitions

    The project structure is made like this:

    |_ test |__ unit |__ integration |_ src |_ dist |__ cjs |__ es |__ browser |_ reports |__ coverage

    • Tests and Integration folder contains jest tests
    • src contains all ES6 non-transpiled source
    • dist contains all transpiled code in CJS, ES, BROWSER presets of Babel
    • also the package.json has the three fields main, module, browser, that allow packers to change the file of the entry point
    • reports and coverage are all related to JEST tests

    The released browser version is minified.

    The main entry point targets CJS, all legacy code should work with this.

    Sip-hosted-api is tested with this and it works right out of the box, without any other configuration.

    Browser projects should bundle the dependencies, so we are not bundling it here.

    The browser transpiled version only guarantees the profile we want to target and not leave this task to the user, since any other different transpilation, could result in bugs.

    But as pointed out before, if the target project is ES6 compliant, the pkg.module will point out to the ES version.

    Node vs React usage of this library

    Put this in your webpack config under plugins if you are running an Webpack Node App

    new webpack.DefinePlugin({
        'process.env': {
            NODE_ENV: 'production',
            APP_ENV: false
        }
    })

    If you are on a React app add this:

    new webpack.DefinePlugin({
        'process.env': {
            NODE_ENV: false,
            APP_ENV: 'browser'
        }
    })

    With that you can check if you're running in a browser or not this way:

    if (process.env.APP_ENV === 'browser') {
        const doSomething = require('./browser-only-js');
        doSomething();
    } else {
        const somethingServer = require('./server-only-js');
        somethingServer();
    }
    
    if (process.env.APP_ENV !== 'browser') {
        const somethingServer = require('./server-only-js');
        somethingServer();
    }

    Because these environment variables get replaced during the build, Webpack will not include resources that are server-only. You should always do these kinds of things in an easy way, with a simple, direct compare. Uglify will remove all dead code.

    Since you used a function before and the function is not evaluated during build, Webpack wasn't able to know what requires it could skip.

    (The NODE_ENV-variable should always be set to production in production mode, since many libraries including React use it for optimisations.)

    This is used on this library on src/services/config.js

    Releases

    The release process is fully automated and started by Civic members when it's created a tag on Github following the pattern ^release\..*$. E.g.: release.1.

    After the creation of the tag, Circle Ci will trigger a job to:

    • build source files
    • run unit tests
    • increase version number on package.json
    • create the stable version and tag it. E.g: v0.2.29
    • remove the release.N tag
    • deploy the binary file to NPM

    Install

    npm i @identity.com/dsr

    DownloadsWeekly Downloads

    102

    Version

    3.0.0

    License

    MIT

    Unpacked Size

    3.38 MB

    Total Files

    89

    Last publish

    Collaborators

    • diosakhilleus
    • chriteixeira
    • rado0x54
    • araptarchis
    • mitchcivic
    • identity.com-ci
    • dankelleher
    • flippiescholtz
    • kevinhcolgan
    • pbshoemaker
    • tyronemichael
    • lucmir
    • william-identity