JUPP Strategy for Passport

Development URL Parameters

These are the URL parameters going outbound to the authentication widget/interstitial page.

v=0

Version 0.

callbackURL=https://*

The URL to which a user will be returned after an authorisation attempt. Passport will verify the user at this point.

Authenticator tools will extract the domain from callback URL.

require=*

The required data fields seperated by the '+' character.

reason=*

The authentication reasons seperated by the '+' character. If a reason is not specified the authorisation must fail.

channelKey=*

The end-service ephemeral public key of this authorisation. This value key should be unique per authorisation request and as such can be utilised as a session identity in URL only authentication.

Note: the default algorithm used for an end-to-end channel is secp256k1.

Notes on URL Parameters:

(urgent, but future, work)

There is no signature mechanism to verify the integrity of a URL but a number of options exist.

Encoding requests as JWT outbound to authenticators would bring easy library support.

Any strategy would require that requests are signed with a administrator verifiable signature e.g. through a DNS TXT record self published public key.