author | Martin Schanzenbach <schanzen@gnunet.org> | 2020-12-28 10:34:48 +0900 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2020-12-28 10:34:48 +0900 |
commit | 3ea7b6e726d80050bc3541e56fc6f9d1a5dbb72a (patch) | |
tree | 2f66bbc4431ac1908107b8f18766bb5ff25a4529 /doc/handbook | |
parent | 7b32281b71e450827ff90f00451f5e5e98c0521e (diff) | |
download | gnunet-3ea7b6e726d80050bc3541e56fc6f9d1a5dbb72a.tar.gz gnunet-3ea7b6e726d80050bc3541e56fc6f9d1a5dbb72a.zip |
update handbook some
Diffstat (limited to 'doc/handbook')
-rw-r--r-- | doc/handbook/chapters/user.texi | 66 |
1 files changed, 65 insertions, 1 deletions
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi index 4ae9aa951..ebc1a7979 100644 --- a/doc/handbook/chapters/user.texi +++ b/doc/handbook/chapters/user.texi | |||
@@ -2000,9 +2000,11 @@ integrate reclaimID as an Identity Provider with little effort. | |||
2000 | 2000 | ||
2001 | @menu | 2001 | @menu |
2002 | * Managing Attributes:: | 2002 | * Managing Attributes:: |
2003 | * Managing Credentials:: | ||
2003 | * Sharing Attributes with Third Parties:: | 2004 | * Sharing Attributes with Third Parties:: |
2004 | * Revoking Authorizations of Third Parties:: | 2005 | * Revoking Authorizations of Third Parties:: |
2005 | * OpenID Connect:: | 2006 | * OpenID Connect:: |
2007 | * Providing Third Party Attestation:: | ||
2006 | @end menu | 2008 | @end menu |
2007 | 2009 | ||
2008 | @node Managing Attributes | 2010 | @node Managing Attributes |
@@ -2032,13 +2034,51 @@ $ gnunet-reclaim -e "user" -D | |||
2032 | Currently, and by default, attribute values are interpreted as plain text. | 2034 | Currently, and by default, attribute values are interpreted as plain text. |
2033 | In the future there might be more value types such as X.509 certificate credentials. | 2035 | In the future there might be more value types such as X.509 certificate credentials. |
2034 | 2036 | ||
2037 | @node Managing Credentials | ||
2038 | @subsection Managing Credentials | ||
2039 | |||
2040 | Attribute values may reference a claim in a third party attested credential. | ||
2041 | Such a credential can have a variety of formats such as JSON-Web-Tokens or | ||
2042 | X.509 certificates. | ||
2043 | Currently, reclaimID only supports JSON-Web-Token credentials. | ||
2044 | |||
2045 | To add a credential to your user profile, invoke the @command{gnunet-reclaim} command line tool as follows: | ||
2046 | |||
2047 | @example | ||
2048 | $ gnunet-reclaim -e "user"\ | ||
2049 | --credential-name="email"\ | ||
2050 | --credential-type="JWT"\ | ||
2051 | --value="ey..." | ||
2052 | @end example | ||
2053 | |||
2054 | All of your credentials can be listed using the @command{gnunet-reclaim} | ||
2055 | command line tool as well: | ||
2056 | |||
2057 | @example | ||
2058 | $ gnunet-reclaim -e "user" --credentials | ||
2059 | @end example | ||
2060 | |||
2061 | In order to add an attribe backed by a credential, specify the attribute | ||
2062 | value as the claim name in the credential to reference along with the credential | ||
2063 | ID: | ||
2064 | |||
2065 | @example | ||
2066 | $ gnunet-reclaim -e "user"\ | ||
2067 | --add="email"\ | ||
2068 | --value="verified_email"\ | ||
2069 | --credential-id="<CREDENTIAL_ID>" | ||
2070 | @end example | ||
2071 | |||
2072 | |||
2035 | @node Sharing Attributes with Third Parties | 2073 | @node Sharing Attributes with Third Parties |
2036 | @subsection Sharing Attributes with Third Parties | 2074 | @subsection Sharing Attributes with Third Parties |
2037 | 2075 | ||
2038 | If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute: | 2076 | If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute: |
2039 | 2077 | ||
2040 | @example | 2078 | @example |
2041 | $ TICKET=$(gnunet-reclaim -e "user" -r "$RP_KEY" -i "attribute1,attribute2,...") | 2079 | $ TICKET=$(gnunet-reclaim -e "user"\ |
2080 | -r "$RP_KEY"\ | ||
2081 | -i "attribute1,attribute2,...") | ||
2042 | @end example | 2082 | @end example |
2043 | 2083 | ||
2044 | The command will return a "ticket" string. | 2084 | The command will return a "ticket" string. |
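Review bot: typo at 2061, "attribe" should be "attribute". Also, 2033 (unchanged) still says X.509 credentials "might" arrive in the future as attribute value types, while the new text at 2040-2043 describes credentials as separate objects (JWT today, X.509 possibly later) that an attribute value references; reword 2033 so the two passages do not contradict each other. The instructions at 2061-2069 tell the reader to pass `--credential-id="<CREDENTIAL_ID>"` but never say where that ID comes from; a sentence pointing at the `gnunet-reclaim -e "user" --credentials` listing (2058) as the place to read it off would close the gap. Minor: 2071-2072 leave two blank lines before the next @node where the other nodes in this hunk use one, and the product is spelled "reclaimID" at 2043 but "re:claimID" in the new section further down.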
@@ -2173,6 +2213,30 @@ The authorization code flow optionally supports @uref{https://tools.ietf.org/htm | |||
2173 | If PKCE is used, the client does not need to authenticate against the token | 2213 | If PKCE is used, the client does not need to authenticate against the token |
2174 | endpoint. | 2214 | endpoint. |
2175 | 2215 | ||
2216 | @node Providing Third Party Attestation | ||
2217 | @subsection Providing Third Party Attestation | ||
2218 | |||
2219 | If you are running an identity provider (IdP) service you may be able to | ||
2220 | support providing credentials for re:claimID users. | ||
2221 | IdPs can issue JWT credentials as long as they support OpenID Connect and | ||
2222 | @uref{https://openid.net/specs/openid-connect-discovery-1_0.html,OpenID Connect Discovery}. | ||
2223 | |||
2224 | In order to allow users to import attributes through the re:claimID user interface, | ||
2225 | you need to register the following public OAuth2/OIDC client: | ||
2226 | |||
2227 | @itemize @bullet | ||
2228 | @item client_id: reclaimid | ||
2229 | @item client_secret: none | ||
2230 | @item redirect_uri: https://ui.reclaim (The URI of the re:claimID webextension) | ||
2231 | @item grant_type: authorization_code with PKCE (@uref{https://tools.ietf.org/html/rfc7636, RFC7636}) | ||
2232 | @item scopes: all you want to offer. | ||
2233 | @item id_token: JWT | ||
2234 | @end itemize | ||
2235 | |||
2236 | When your users add an attribute with name "email" which supports webfinger | ||
2237 | discovery they will be prompted with the option to retrieve the OpenID Connect | ||
2238 | ID Token through the user interface. | ||
2239 | |||
2176 | @node Using the Virtual Public Network | 2240 | @node Using the Virtual Public Network |
2177 | @section Using the Virtual Public Network | 2241 | @section Using the Virtual Public Network |
2178 | 2242 | ||
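Review bot: the registration at 2228-2233 describes a public client (client_secret: none) whose only binding between the authorization code and the party that started the flow is PKCE, so the text should tell IdP operators to require PKCE (an S256 code_challenge) for this client_id and to match redirect_uri https://ui.reclaim exactly rather than by prefix; without both, the "none" secret offers no protection. "scopes: all you want to offer." (2232) is too vague for a registration checklist: state which scopes the re:claimID UI requests (openid at minimum) or say explicitly that any standard OIDC scope may be offered. 2236-2238 reads as if the attribute named "email" itself supports WebFinger; it is the domain of the e-mail address that has to publish WebFinger for OpenID Connect Discovery to locate the issuer, so reword to something like "an attribute named "email" whose value's domain supports WebFinger discovery". Also 2233 says "id_token: JWT" while 2238 says "ID Token"; pick one spelling.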