uport-project / docs Goto Github PK

Developer website, medium blogs, GitHub docs, forum participation, social media, slides in conferences
any other communication with the public.

I just recently noticed the upgrade made to the docs in the past few weeks. The diagrams in particular have been very helpful! Thanks for that.

With that said, it seems the general practice outlined in the documentation is to store and ship your application's signing key in the web page served to the user, effectively exposing it to anyone who can download the page. Unless I'm overestimating the importance of that key, this seems like a huge security risk to both the end user and the application owner.

For our application, we are planning to host the connection process on a dedicated server, that will simply generate QR codes and send them back to our frontend. But, one of my concerns is that new developers to this space won't see that as a possible solution, and simply follow the guidelines that have been set for them, opening up a seemingly large security vulnerability.

Are there any plans to address this issue in the documentation, or am I just overestimating the impact of exposing an application's signing key?

I can't easily highlight code blocks in order to copy/paste from docs, due to styling.

Reproduced in chrome and firefox here https://developer.uport.me/gettingstarted

Hello,

Myself, @satazor, @pgte and @diasdavid have been working on an identity management application, called Peer-Star-Identity, in the context of Peer-Star (a community developing applications around IPFS).

In recent times, a lot of DID specs have appeared, uPort being one of them. We are focusing on developing an ecosystem which allows any application (centralized or p2p) to seamlessly work with any DID method. It would also allow users to store their identities across multiple devices.

Our problem statement is defined at #16 and an RFC for the identity manager is being discussed at #15.

We would appreciate your feedback, particularly on the issues raised by the problem statement, as you have probably already thought about some of them.

Thank you!

To allow for our site generator to provide links to the markdown source, it will be necessary to frontload this information by adding it to the frontmatter of each markdown document.

---
title: 
index:
type:
category:
url: <http://......>  
---

For the name of the frontmatter attribute, perhaps url is not descriptive enough, something simple like github instead may be a better option. Work with @gbugyis to determine the most appropriate per the graphQL queries he will be writing to utilize this new frontmatter.

Using the verifyJWT function to verify a JWT.

https://developer.uport.me/did-jwt/guides/index/#parameters-1

I noticed in the audience parameter the options parameter is set to required FALSE, but I receive the error JWT audience is required but your app address has not been configured. when I do not set the audience parameter

Therefore I set audience parameter, to my DApps MNID, and everything works as expected.

verifyJWT(request.body.JWT, {
      audience: uportAppAddress // MNID of registered Decentralized Application.
    }).then(verifiedJWT => {
      console.log(verifiedJWT)
      ... // De more Things
    })

Task:

Create a tutorial and reference application that showcases an employee training and employer verification scenario

Flow:

Wireframes:

Employee receives credential

1. A Training App presents QR code for login.
2. Employee scans QR with uPort mobile app to provide auth credentials.
3. Credentials are transmitted to the App.
4. If login is successful, the App “decides” that the Employee has completed their training.
5. A QR is presented to the Employee to scan to receive their credentials/certificate of completion.
6. Employee Scans the QR.
7. The mobile app presents a dialogue asking the Employee if they would accept the credential/certificate of completion.
8. Assume the user accepts.

Training site login

User is issued a certificate of completion

Employer verifies credential

1. An Employer HR portal presents a QR code to login.
2. Employee scans QR with uPort mobile app to provide auth credentials.
3. Authentication credentials are transmitted to HR portal.
4. HR portal “recognizes” the empoylee has outstanding training and displays a QR to scan that will request the claim information related to the training in question.
5. Employee scans the QR.
6. Employee approves the request.
7. Claim data is transmitted to the HR Portal callback URL.
8. Assume HR portal has logic that records the completion.

• If they don’t have the claim yet, see Rev B
• If they do have the claim, see Rev A

Later the user/employee visit's their HR portal

HR portal checks for training completion

Rev A

Rev B

Please base your branch and PR from this feature/did-major-release

• update request credentials for the proper amount of detail, omitting unecessary inclusion of chasqui, etc.
• remove or replace outdated or inaccurate content.
• ‘calling the request method’ should be a link to a guide about transports. (transports link TBD)
• the verify credentials section does not need to be added anymore
• attesting credentials graph is too much detail