How to get the DID of a Subject who has been issued a VC - azure-ad-verifiable-credentials

I understand that the Authenticator App / wallet creates a DID for the user.
How can the Issuer App access this DID when issuing a VC to that user?
I also understood that the MS Authenticator App is also the Identity Hub and stores the issued credential. Is this understanding correct?
When we search on the indexable attribute in Azure ("Find the credential to revoke") and get a Credential ID in response, of the format urn:pic:ef720xxxxxxxxxbxxxxed, is this the DID of the issued credential? I guess not. Is there any reference to the VC on the ION / BTC chain? If yes, how does the issuer / verifier app access the DID of the credential?
Thank you!

Related

Huawei Subscription Validation ResponseCode:6 ResponseMessage:Token is expired or invalid InappPurchaseData

I'm trying to verify subscription purchases from our backend servers, working from this hms-iap-serverdemo GitHub repo.
I'm trying to connect to the OAuth 2.0-based authentication servers using the app ID and app secret. I took the ID and secret from AppGallery Connect → my app → app information. The auth server returns a base64 encoded token. When I try to verify the subscription purchase with it, I get the error ResponseCode:6 ResponseMessage:Token is expired or invalid InappPurchaseData from the server.
The status of the application is currently draft. Is that why I'm getting this error? I believe the client ID and client secret are correct. Or is it something else? I do not know. Do you have an idea?
Thank you
ResponseCode:6 ResponseMessage:Token is expired or invalid InappPurchaseData
The possible causes are as follows:

1. Check whether the token is invalid. The token validity period is 1 hour. If the token expires, obtain a new token to ensure that the token is valid.
   Check whether the AT (access token) is invalid and whether only the AT in the cache is being used. If the AT is invalid, clear the cache and obtain the AT again. Generally, use the token interface to obtain the application-level AT again.
   For details about how to obtain the application-level AT, see the docs.

2. The token format is incorrect.
   According to the docs:
   App-level access token: Authorization: Basic Base64(APPAT:atvalue)
   Example: if the app-level access token is thisIsAppAtValue, then APPAT:atvalue is APPAT:thisIsAppAtValue.
   Therefore, replace APPAT:atvalue in Base64(APPAT:atvalue) with "APPAT:thisIsAppAtValue" to generate the value QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==.
   The value of Authorization in the request header is then: Basic QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==

3. The site request is incorrect.
   Switch to the proper site based on your location and try again:
   China: https://subscr-drcn.iap.hicloud.com
   Germany: https://subscr-dre.iap.hicloud.com
   Singapore: https://subscr-dra.iap.hicloud.com
   Russia: https://subscr-drru.iap.hicloud.com
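The three causes in the answer above (stale cached AT, wrong Authorization format, wrong site) can be handled together in the backend. The following is an added example, not code from the answer or from the hms-iap-serverdemo repo: it builds the header exactly as the quoted docs describe, keeps the app-level AT in a cache that refreshes before the 1-hour validity runs out, and selects the subscription host from the list in the answer. The `fetchToken` callback that actually talks to Huawei's OAuth 2.0 token endpoint is an assumption supplied by the caller (in a real service it would be an async HTTP call with the app ID and secret); nothing here goes on the network.

```javascript
// Added example (not from the answer or hms-iap-serverdemo). Node.js, no dependencies.

const AT_VALIDITY_MS = 60 * 60 * 1000;   // docs: the app-level AT is valid for 1 hour
const REFRESH_MARGIN_MS = 60 * 1000;     // assumption: refresh one minute before expiry

// Authorization: Basic Base64("APPAT:" + atValue), as quoted from the docs.
function basicAuthHeader(appAccessToken) {
  if (typeof appAccessToken !== 'string' || appAccessToken.length === 0) {
    throw new Error('app-level access token must be a non-empty string');
  }
  const raw = `APPAT:${appAccessToken}`;
  return `Basic ${Buffer.from(raw, 'utf8').toString('base64')}`;
}

// Subscription verification hosts listed in the answer; pick the one for the
// site where the app is released, not the caller's current location.
const SUBSCRIPTION_SITES = {
  china: 'https://subscr-drcn.iap.hicloud.com',
  germany: 'https://subscr-dre.iap.hicloud.com',
  singapore: 'https://subscr-dra.iap.hicloud.com',
  russia: 'https://subscr-drru.iap.hicloud.com',
};

function subscriptionSite(region) {
  const site = SUBSCRIPTION_SITES[String(region).toLowerCase()];
  if (!site) throw new Error(`unknown site region: ${region}`);
  return site;
}

// Cache for the app-level AT. get() returns the cached token while it is still
// fresh and otherwise calls fetchToken() (caller-supplied, assumed to obtain a
// new AT from the token endpoint) and records when it was obtained. invalidate()
// is what to call when the server answers "Token is expired or invalid" anyway.
class AppTokenCache {
  constructor(fetchToken, now = () => Date.now()) {
    this.fetchToken = fetchToken;
    this.now = now;          // injectable clock so expiry can be tested offline
    this.token = null;
    this.obtainedAt = 0;
  }

  isFresh() {
    if (this.token === null) return false;
    return (this.now() - this.obtainedAt) < (AT_VALIDITY_MS - REFRESH_MARGIN_MS);
  }

  get() {
    if (!this.isFresh()) {
      this.token = this.fetchToken();
      this.obtainedAt = this.now();
    }
    return this.token;
  }

  invalidate() {
    this.token = null;
    this.obtainedAt = 0;
  }
}

// Assemble the request pieces for one verification call: the host for the
// site and the header built from a fresh AT.
function verificationRequest(cache, region) {
  return {
    site: subscriptionSite(region),
    headers: { Authorization: basicAuthHeader(cache.get()) },
  };
}

module.exports = { basicAuthHeader, subscriptionSite, AppTokenCache, verificationRequest };
```

If the site still returns ResponseCode 6 with a freshly fetched AT and a correctly encoded header, the remaining item on the answer's list is the site itself; an AT obtained for one site is not accepted by another.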

Is it right to put the user's identifier in the payload of the access token(JWT)?

I am currently developing financial services as a personal project.
In order to strengthen security in the project, it is designed and implemented to process authentication at the gateway stage using AWS API Gateway.
I tried to log in using a mobile phone number and the received authentication number, and I don't think this is appropriate for Cognito and IAM identifiers, so I'm going to run the Node Auth Server that issues and verifies JWT tokens in AWS Lambda.
In the process, I tried to include an identifier such as user_id or uuid in the payload of the JWT token, but my colleague opposed it.
His opinion was that access token should only engage in authentication and that the token should not contain a user identifier.
I agreed with him to some extent, but if so, I wondered how to deliver the user identifier in an API such as "Comment Registration API".
Should we hand over the user identifier along with the access token to the client when login is successful?
In conclusion:
Is it logically incorrect to include the user identifier in the Access Token's payload?
If the answer to the above question is yes, how should I deliver the user identifier when login is successful?
I wanted to hear the majority's opinion, so I posted it.
Thank you.
Typically you want enough information in the access token so that you can also do proper authorization about what the user/caller is allowed to do.
Typically, you separate authentication and authorization like the picture below shows:
So, to make an effective API, you want to avoid having to look up additional information to determine whether you are allowed to access some piece of data or not. So I typically include the UserID and some other claims/roles in the token, so that I can smoothly let the user in inside the API.
However, adding personal information to the access token might have GDPR issues, though sometimes it might be necessary to add it anyway. But I don't see any issues with adding information like UserId and roles to the token.
Yes, it is logically correct and a normal thing to do. To see how to do it in a Node Auth Server, you can look at this: https://auth0.com/blog/complete-guide-to-nodejs-express-user-authentication/

Is it okay to use an OAuth2 authorization code as proof of a successful login?

I have a database with emails and passwords, and a Flutter app that lets those users log into the app by providing their email and password (the old fashioned way).
Now, some of those users are part of an organization that has a separate website where they use Microsoft/Office 365 accounts to sign in. Of course they want to be able to log into my app using their Office 365 accounts as well, instead of having to remember and type a different password in the app than they normally use on their organization's website.
So I've been looking at their website, which uses Microsoft Azure as the backend. From their current login page I could find the tenantID, clientID, redirectURL and scope. From this I am able to get an authorization code back from the login.microsoftonline.com authorization endpoint. However, as my app is not registered in the organization's Azure account, I don't have a clientSecret, so I can't call the token endpoint and get an idToken.
I'm using a WebView to display the login to their organization's website, so I can grab the authorization code from the redirect URL when they are redirected.
So my question is whether I can use the authorization code directly to verify that the user has successfully signed in using their Office 365 account. All I need to know is that the user has an account at the organization, and that they could provide a valid email and password to log in.
If they are redirected to the redirect URL with an authorization code, it means that they successfully logged in. Then I could consider them logged in to my app as well, based on the email provided to the Office 365 authorization endpoint. Because if they couldn't log in to their Office 365 they wouldn't get an authorization code, right?
No, the authorization code only has meaning to the identity provider, in this case Azure AD. It doesn't prove anything to your app.
What you could do is try response_type=code+id_token in the authorization URL.
If ID tokens have been configured as returnable from the authorization endpoint (this is done in the app registration configuration), you will get back a signed id token that you can verify.

AWS Cognito credentialsProvider.login always shows NIL (SWIFT)

I'm trying to implement Facebook Login with AWS Cognito.
After receiving the access token from Facebook, I'm not able to update the credentials provider.
// Snippet as posted: read the Facebook access token string and assign it
// to the credentials provider's `logins` dictionary.
let token = FBSDKAccessToken.currentAccessToken().tokenString
credentialsProvider.logins = [AWSCognitoLoginProviderKey.Facebook.rawValue: token]
After this, if I print [AWSCognitoLoginProviderKey.Facebook.rawValue: token] I get the long string but if I print credentialsProvider.logins I get NIL.
As a result, my identity pool always shows the user as unauthenticated even after logging in with Facebook.
Any help would be appreciated.
Thanks!!
Are you using the latest AWS iOS SDK? If yes, then credentialProvider.logins will always be NIL and will cause your app to create unauthenticated identities.
We are in the process of updating our documentation for this, but essentially this is what you need to do.
Use this constructor to create the credentials provider. The identityProviderManager here should be an implementation of AWSIdentityProviderManager Protocol and the logins method should return the dictionary mapping for your provider name to the token. The credentials provider will call this method every time it needs the identity provider token.

Fiware get access token seems to get wrong

We have been having trouble getting the access token from FIWARE since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token, but it seems like it does not work.
Before using that URL we used to ask this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned hosts a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh