path: root/doc/handbook/chapters/user.texi
author: Christian Grothoff <christian@grothoff.org> 2020-12-28 11:19:38 +0100
committer: Christian Grothoff <christian@grothoff.org> 2020-12-28 11:19:38 +0100
commit: ad2fda925733eb2db4388ea1c8ea09b15ee59a9b (patch)
tree: 2a0bd587d459bb45010ae9318f043b00fbc3d847 /doc/handbook/chapters/user.texi
parent: e9d73b0a901d7dfe1fd219aecc960747e7c49483 (diff)
parent: 3ea7b6e726d80050bc3541e56fc6f9d1a5dbb72a (diff)
Merge branch 'master' of git+ssh://gnunet.org/gnunet
Diffstat (limited to 'doc/handbook/chapters/user.texi')
-rw-r--r-- doc/handbook/chapters/user.texi | 66
1 files changed, 65 insertions, 1 deletions
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi
index 4ae9aa951..ebc1a7979 100644
--- a/doc/handbook/chapters/user.texi
+++ b/doc/handbook/chapters/user.texi
@@ -2000,9 +2000,11 @@ integrate reclaimID as an Identity Provider with little effort.
2000 2000
2001@menu 2001@menu
2002* Managing Attributes:: 2002* Managing Attributes::
2003* Managing Credentials::
2003* Sharing Attributes with Third Parties:: 2004* Sharing Attributes with Third Parties::
2004* Revoking Authorizations of Third Parties:: 2005* Revoking Authorizations of Third Parties::
2005* OpenID Connect:: 2006* OpenID Connect::
2007* Providing Third Party Attestation::
2006@end menu 2008@end menu
2007 2009
2008@node Managing Attributes 2010@node Managing Attributes
@@ -2032,13 +2034,51 @@ $ gnunet-reclaim -e "user" -D
2032Currently, and by default, attribute values are interpreted as plain text. 2034Currently, and by default, attribute values are interpreted as plain text.
2033In the future there might be more value types such as X.509 certificate credentials. 2035In the future there might be more value types such as X.509 certificate credentials.
2034 2036
2037@node Managing Credentials
2038@subsection Managing Credentials
2039
2040Attribute values may reference a claim in a third party attested credential.
2041Such a credential can have a variety of formats such as JSON-Web-Tokens or
2042X.509 certificates.
2043Currently, reclaimID only supports JSON-Web-Token credentials.
2044
2045To add a credential to your user profile, invoke the @command{gnunet-reclaim} command line tool as follows:
2046
2047@example
2048$ gnunet-reclaim -e "user"\
2049 --credential-name="email"\
2050 --credential-type="JWT"\
2051 --value="ey..."
2052@end example
2053
2054All of your credentials can be listed using the @command{gnunet-reclaim}
2055command line tool as well:
2056
2057@example
2058$ gnunet-reclaim -e "user" --credentials
2059@end example
2060
2061In order to add an attribe backed by a credential, specify the attribute
2062value as the claim name in the credential to reference along with the credential
2063ID:
2064
2065@example
2066$ gnunet-reclaim -e "user"\
2067 --add="email"\
2068 --value="verified_email"\
2069 --credential-id="<CREDENTIAL_ID>"
2070@end example
2071
2072
2035@node Sharing Attributes with Third Parties 2073@node Sharing Attributes with Third Parties
2036@subsection Sharing Attributes with Third Parties 2074@subsection Sharing Attributes with Third Parties
2037 2075
2038If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute: 2076If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute:
2039 2077
2040@example 2078@example
2041$ TICKET=$(gnunet-reclaim -e "user" -r "$RP_KEY" -i "attribute1,attribute2,...") 2079$ TICKET=$(gnunet-reclaim -e "user"\
2080 -r "$RP_KEY"\
2081 -i "attribute1,attribute2,...")
2042@end example 2082@end example
2043 2083
2044The command will return a "ticket" string. 2084The command will return a "ticket" string.
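Review bot: new line 2061 misspells "attribute" as "attribe" ("In order to add an attribe backed by a credential"). Two further points in the same section. The example at 2048-2051 passes the complete JWT as `--value="ey..."` on the command line, so the token lands in the shell history and is visible to every local user through the process list while the command runs; since this is a bearer credential the text should at least warn the reader about that. The `--credential-id="<CREDENTIAL_ID>"` placeholder at 2069 never says where the ID comes from; a sentence pointing at the output of `gnunet-reclaim -e "user" --credentials` (2058) would close the loop, provided that listing actually prints the identifier, which the hunk does not state. Finally, the section leaves open whether the JWT's signature, issuer and expiry are checked when the credential is added or only when a relying party later consumes the attribute; one sentence either way would help users judge what a "third party attested" value guarantees.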
@@ -2173,6 +2213,30 @@ The authorization code flow optionally supports @uref{https://tools.ietf.org/htm
2173If PKCE is used, the client does not need to authenticate against the token 2213If PKCE is used, the client does not need to authenticate against the token
2174endpoint. 2214endpoint.
2175 2215
2216@node Providing Third Party Attestation
2217@subsection Providing Third Party Attestation
2218
2219If you are running an identity provider (IdP) service you may be able to
2220support providing credentials for re:claimID users.
2221IdPs can issue JWT credentials as long as they support OpenID Connect and
2222@uref{https://openid.net/specs/openid-connect-discovery-1_0.html,OpenID Connect Discovery}.
2223
2224In order to allow users to import attributes through the re:claimID user interface,
2225you need to register the following public OAuth2/OIDC client:
2226
2227@itemize @bullet
2228@item client_id: reclaimid
2229@item client_secret: none
2230@item redirect_uri: https://ui.reclaim (The URI of the re:claimID webextension)
2231@item grant_type: authorization_code with PKCE (@uref{https://tools.ietf.org/html/rfc7636, RFC7636})
2232@item scopes: all you want to offer.
2233@item id_token: JWT
2234@end itemize
2235
2236When your users add an attribute with name "email" which supports webfinger
2237discovery they will be prompted with the option to retrieve the OpenID Connect
2238ID Token through the user interface.
2239
2176@node Using the Virtual Public Network 2240@node Using the Virtual Public Network
2177@section Using the Virtual Public Network 2241@section Using the Virtual Public Network
2178 2242
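Review bot: the sentence at 2236-2238 attaches "supports webfinger discovery" to the attribute name, but WebFinger resolves the address, not the name; reword along the lines of "an attribute named "email" whose value's domain supports WebFinger-based issuer discovery". Two points on the client registration list at 2227-2234: "id_token: JWT" (2233) is a no-op requirement, because OpenID Connect ID Tokens are always JWTs; if the intent is that the claims to be imported (such as the verified e-mail) must be present in the ID Token itself rather than only at the userinfo endpoint, say so explicitly, since the Managing Credentials section stores the JWT and references claims inside it. And because the client is public with no secret (2228-2229), the fixed redirect_uri at 2230 is the only thing binding an authorization code to the extension, so the text should tell IdP operators to enforce exact-match redirect_uri validation (no prefix or wildcard matching) and to require PKCE for this client_id rather than merely support it, as "authorization_code with PKCE" at 2231 currently reads.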