JUPP Strategy for Passport
Development URL Parameters
These are the URL parameters going outbound to the authentication widget/interstitial page.
v=0
Version 0.
callbackURL=https://*
The URL to which a user will be returned after an authorisation attempt. Passport will verify the user at this point.
Authenticator tools will extract the domain from the callback URL.
require=*
The required data fields, separated by the '+' character.
reason=*
The authentication reasons, separated by the '+' character. If no reason is specified the authorisation must fail.
channelKey=*
The end-service ephemeral public key for this authorisation. This key should be unique per authorisation request and as such can be utilised as a session identity in URL-only authentication.
Note: the default algorithm used for an end-to-end channel is secp256k1.
Notes on URL Parameters:
(urgent, but future, work)
There is currently no signature mechanism to verify the integrity of a URL, but a number of options exist.
Encoding requests as JWT outbound to authenticators would bring easy library support.
Any strategy would require that requests are signed with an administrator-verifiable signature, e.g. a self-published public key in a DNS TXT record.