Library for verification of authorization response messages of communication protocol in JWZ format
go get github.com/iden3/go-iden3-auth/v2
The goal of iden3auth libraries is to handle authentication messages of communication protocol.
Currently, library implementation includes support of next message types
https://iden3-communication.io/authorization/1.0/request
https://iden3-communication.io/authorization/1.0/response
Auth verification procedure:
- JWZ token verification
- Zero-knowledge proof verification of request proofs
- Query request verification for atomic circuits
- Verification of identity and issuer states for atomic circuits
Groth16 proof are supported by auth library
Verification keys must be provided using KeyLoader
interface
Proof for each atomic circuit contains public signals that allow extracting user and issuer identifiers, states, signature, challenges, etc.
Circuit public signals marshallers are defined in the go-circuits library.
The blockchain verification algorithm is used
-
Gets state from the blockchain (address of id state contract and URL must be provided by the caller of the library):
- Empty state is returned - it means that identity state hasn’t been updated or updated state hasn’t been published. We need to compare id and state. If they are different it’s not a genesis state of identity then it’s not valid.
- The non-empty state is returned and equals to the state in provided proof which means that the user state is fresh enough and we work with the latest user state.
- The non-empty state is returned and it’s not equal to the state that the user has provided. Gets the transition time of the state. The verification party can make a decision if it can accept this state based on that time frame.
-
Only latest states for user are valid. Any existing issuer state for claim issuance is valid.
The blockchain verification algorithm is used
- Get GIST from the blockchain (address of id state contract and URL must be provided by the caller of the library):
- A non-empty GIST is returned, equal to the GIST is provided by the user, it means the user is using the latest state.
- The non-empty GIST is returned and it’s not equal to the GIST is provided by a user. Gets the transition time of the GIST. The verification party can make a decision if it can accept this state based on that time frame.
-
go get https://github.com/iden3/go-iden3-auth/v2
-
Request generation:
basic auth:
var request protocol.AuthorizationRequestMessage // if you need'message' to sign (e.g. vote) request = auth.CreateAuthorizationRequestWithMessage("test flow", "message to sign","verifier id", "callback url") // or if you don't need 'message' to sign request = auth.CreateAuthorizationRequest("test flow","verifier id", "callback url")
if you want request specific proof (example):
var mtpProofRequest protocol.ZeroKnowledgeProofRequest mtpProofRequest.ID = 1 mtpProofRequest.CircuitID = string(circuits.AtomicQueryMTPV2CircuitID) mtpProofRequest.Query = map[string]interface{}{ "allowedIssuers": []string{"*"}, "credentialSubject": map[string]interface{}{ "countryCode": map[string]interface{}{ "$nin": []int{840, 120, 340, 509}, }, }, "context": "https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json-ld/kyc-v2.json-ld", "type": "KYCCountryOfResidenceCredential", } request.Body.Scope = append(request.Body.Scope, mtpProofRequest)
-
Token verification
Init Verifier:
var verificationKeyloader = &loaders.FSKeyLoader{Dir: keyDIR} resolver := state.ETHResolver{ RPCUrl: <polygon_node_http>, ContractAddress: <state_contract_address>, } resolvers := map[string]pubsignals.StateResolver{ "polygon:mumbai": resolver, } verifier,err := auth.NewVerifierWithExplicitError(verificationKeyloader, loaders.DefaultSchemaLoader{IpfsURL: "<IPFS NODE HERE>"}, resolvers) // or use NewVerifier and check that verifier instance is not nil. IPFS merklization is not worked without setuping global loader // verifier := auth.NewVerifier(verificationKeyloader, loaders.DefaultSchemaLoader{IpfsURL: "ipfs.io"}, resolvers)
-
FullVerify:
authResponse, err := verifier.FullVerify( r.Context(), string(tokenBytes), authRequest.(protocolAuthorizationRequestMessage), ...VerifyOpt, ) userId = authResponse.from // msg sender
Verify manually if thread id is used a session id to match request with
VerifyJWZ / VerifyAuthResponse
functions
See readme in iden3/go-rapidsnark/prover
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as below, without any additional terms or conditions.
© 2023 0kims Association
This project is licensed under either of
at your option.