@datasign/siop

0.7.1 • Public • Published

Yet another SIOP library! It focuses on providing clean and universal APIs for implementing the SIOP authentication flow in DID wallets. It runs in browser environments as well as on mobile devices.

Targeting Specifications

Install

  1. yarn add @datasign/siop

It works in both React Native and browser environments. No React Native polyfills are needed.

Usage

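import Provider from '@datasign/siop';
import {SIOPError, SIOPRequestValidationError, SIOPResponseGenerationError} from '@datasign/siop';
// `Resolver` is used below to build the DID resolver.
import {Resolver} from 'did-resolver';
import {getResolver as getWebResolver} from 'web-did-resolver';
// `Linking` is the React Native API used below to open the redirect URL.
import {Linking} from 'react-native';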

...
        // Assume we've received this url from RP.
        const siopRequest = 'https://example.com/deeplink?response_type=id_token&scope=openid%20did_authn&client_id=<...>&request_uri=<...>';
        try {
          const idTokenExpiresIn = 3600;
          const resolver = new Resolver({...getWebResolver()});
          // Instantiate Self-Issued OpenID Provider.
          const provider = new Provider(idTokenExpiresIn, resolver);
          // Parse and validate the SIOP request coming from RP.
          // You can also pass a parameter parsed by react-navigation.
          const {clientId, iss, kid} = await provider.receiveRequest(siopRequest);

          // Generate a SIOP response.
          // You can choose your personas based on the information returned above.
          let location = await provider.generateResponse(
            'did:example:persona1',
            keyPair,  // keyPair generated by the elliptic library
            // You can include additional fields into id token in the return value.
            {vp_uri: 'https://credentials.example.xyz/12345'}
          );
          // You can use `location` directly as a redirect url to RP.
          await Linking.openURL(location);
        } catch (error) {
          if (error instanceof SIOPError) {
              if (error instanceof SIOPRequestValidationError) {
                  // `error` was thrown at `receiveRequest()` in this case.
                  console.error(error.error)
                  console.error(error.invalidField)
                  console.error(error.invalidValue)
              }
              else if (error instanceof SIOPResponseGenerationError) {
                  // `error` was thrown at `generateResponse()`.
                  console.error(error)
              }
              // Generate a redirect url to use as the error response to the RP.
              // A new binding is needed: `location` from the try block is out of scope here.
              const errorLocation = error.toResponse();
              await Linking.openURL(errorLocation);
          } else {
              // Not a SIOP error: rethrow instead of silently swallowing it.
              throw error;
          }
        }

Limitation / Future Tasks

  • We do not support JWE for either ID tokens or SIOP requests.
  • Currently we only support secp256k1 ECC keys. The RP can use other types of keys.
  • Some parameter validations are omitted. These are:
    • Asserting that jwks in the registration parameter contains iss in request objects.
    • Additional DID AuthN verification when the kids in the request object and the JWT header are different.
  • Protocol negotiation based on the registration parameter is skipped.
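
A wallet can run its own supplementary check for the two omitted validations listed above. The following is an added example, not part of @datasign/siop: the function names and finding labels are hypothetical, the payload layout (`kid`, `iss`, `registration.jwks.keys`) is an assumption, and so is reading "jwks contains iss" as "some key's kid is the iss DID or a DID URL under it". It only decodes the request object and does not verify its signature.

```javascript
// Added example, not part of @datasign/siop. Names and finding labels are hypothetical.
// It only decodes the request object (a compact JWS); it does NOT verify the signature.

function decodeSegment(segment) {
  // base64url -> JSON object. Buffer is Node.js; use another decoder elsewhere.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not an object');
  return value;
}

function checkOmittedValidations(requestJwt) {
  const parts = String(requestJwt).split('.');
  if (parts.length !== 3) return ['malformed_request_object'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return ['malformed_request_object'];
  }
  const findings = [];
  // Omitted validation: kid in the JWT header and kid in the request object differ.
  if (header.kid !== payload.kid) findings.push('kid_mismatch');
  // Omitted validation (assumed reading): when registration.jwks is present, at least
  // one key's kid must be the iss DID itself or a DID URL under it.
  const reg = payload.registration;
  const keys = reg && reg.jwks && reg.jwks.keys;
  if (Array.isArray(keys)) {
    const iss = payload.iss;
    const bound = typeof iss === 'string' && keys.some(
      (k) => k && typeof k.kid === 'string' && (k.kid === iss || k.kid.startsWith(iss + '#')));
    if (!bound) findings.push('jwks_not_bound_to_iss');
  }
  return findings;
}

// Constructed sample request objects (placeholder signature, example DIDs).
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function buildSample(headerKid, payloadKid, jwksKid) {
  const header = {alg: 'ES256K', typ: 'JWT', kid: headerKid};
  const payload = {iss: 'did:example:rp', kid: payloadKid,
    registration: {jwks: {keys: [{kty: 'EC', crv: 'secp256k1', kid: jwksKid}]}}};
  return [encodeSegment(header), encodeSegment(payload), 'constructed-signature'].join('.');
}
```

An empty result means neither condition was detected; a wallet could treat any finding as grounds to reject the request before generating a response.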

License

MIT

Collaborators

  • somay
  • yuichiota