Diffstat (limited to 'doc/handbook/chapters/user.texi')
1 files changed, 65 insertions, 1 deletions
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi
index 4ae9aa951..ebc1a7979 100644
--- a/doc/handbook/chapters/user.texi
+++ b/doc/handbook/chapters/user.texi
@@ -2000,9 +2000,11 @@ integrate reclaimID as an Identity Provider with little effort.
* Managing Attributes::
+* Managing Credentials::
* Sharing Attributes with Third Parties::
* Revoking Authorizations of Third Parties::
* OpenID Connect::
+* Providing Third Party Attestation::
@end menu
@node Managing Attributes
@@ -2032,13 +2034,51 @@ $ gnunet-reclaim -e "user" -D
Currently, and by default, attribute values are interpreted as plain text.
In the future there might be more value types such as X.509 certificate credentials.
+@node Managing Credentials
+@subsection Managing Credentials
+Attribute values may reference a claim in a third party attested credential.
+Such a credential can have a variety of formats such as JSON-Web-Tokens or
+X.509 certificates.
+Currently, reclaimID only supports JSON-Web-Token credentials.
+To add a credential to your user profile, invoke the @command{gnunet-reclaim} command line tool as follows:
+$ gnunet-reclaim -e "user"\
+ --credential-name="email"\
+ --credential-type="JWT"\
+ --value="ey..."
+@end example
+All of your credentials can be listed using the @command{gnunet-reclaim}
+command line tool as well:
+$ gnunet-reclaim -e "user" --credentials
+@end example
+In order to add an attribe backed by a credential, specify the attribute
+value as the claim name in the credential to reference along with the credential
+$ gnunet-reclaim -e "user"\
+ --add="email"\
+ --value="verified_email"\
+ --credential-id="<CREDENTIAL_ID>"
+@end example
@node Sharing Attributes with Third Parties
@subsection Sharing Attributes with Third Parties
If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute:
-$ TICKET=$(gnunet-reclaim -e "user" -r "$RP_KEY" -i "attribute1,attribute2,...")
+$ TICKET=$(gnunet-reclaim -e "user"\
+ -r "$RP_KEY"\
+ -i "attribute1,attribute2,...")
@end example
The command will return a "ticket" string.
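Review bot: the three new command blocks in this hunk (the `--credential-name` add, the `--credentials` listing and the `--credential-id` add) each close with `@end example`, but no matching `@example` opener appears anywhere in the added lines; unless that is a rendering artifact of this view, makeinfo will reject the unbalanced `@end example` and the handbook build breaks. Two wording fixes in the same block: "attribe" should be "attribute", and the sentence "specify the attribute value as the claim name in the credential to reference along with the credential" stops without finishing or punctuating; suggest "... along with the ID of the credential:" and, since the text never says where `<CREDENTIAL_ID>` comes from, one sentence pointing the reader to wherever it is printed (presumably the `--credentials` listing just above).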
@@ -2173,6 +2213,30 @@ The authorization code flow optionally supports @uref{
If PKCE is used, the client does not need to authenticate against the token
+@node Providing Third Party Attestation
+@subsection Providing Third Party Attestation
+If you are running an identity provider (IdP) service you may be able to
+support providing credentials for re:claimID users.
+IdPs can issue JWT credentials as long as they support OpenID Connect and
+@uref{,OpenID Connect Discovery}.
+In order to allow users to import attributes through the re:claimID user interface,
+you need to register the following public OAuth2/OIDC client:
+@itemize @bullet
+@item client_id: reclaimid
+@item client_secret: none
+@item redirect_uri: https://ui.reclaim (The URI of the re:claimID webextension)
+@item grant_type: authorization_code with PKCE (@uref{, RFC7636})
+@item scopes: all you want to offer.
+@item id_token: JWT
+@end itemize
+When your users add an attribute with name "email" which supports webfinger
+discovery they will be prompted with the option to retrieve the OpenID Connect
+ID Token through the user interface.
@node Using the Virtual Public Network
@section Using the Virtual Public Network
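Review bot: both `@uref{,OpenID Connect Discovery}` and `@uref{, RFC7636}` have an empty first argument, so the rendered links point nowhere; fill in the URLs or drop the `@uref` and cite by name. On the client registration list: a public client (`client_secret: none`) using `authorization_code` with PKCE is the right shape for a browser extension, but the text should tell IdP operators to register `redirect_uri: https://ui.reclaim` as an exact match rather than a prefix or wildcard, since exact redirect-URI matching is what keeps the authorization code from being delivered to some other origin; that caveat belongs next to the `redirect_uri` item. "scopes: all you want to offer." is too vague to act on; at minimum say that `openid` must be among them, since OIDC only issues an ID token (the `id_token: JWT` item) when that scope is requested. Finally, "an attribute with name "email" which supports webfinger discovery" reads as if the attribute supports discovery; suggest "an attribute named "email" whose domain supports WebFinger discovery".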