npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@decentralized-identity/did-auth-jose

v0.1.14

Published

Authentication library using JOSE and DIDs to form secure end to end messages

Downloads

407

Readme

Decentralized Identity Authentication via JOSE

did-auth-jose is a library that provides JOSE encryption, decryption, signing, and verifying capabilities through a key and algorithm extensible model, as well as two authentication flows for use with decentralized identities (DIDs).

Installation

$ npm install @decentralized-identity/did-auth-jose

OIDC Authentication Flow

OIDC Authentication is loosely based off of OpenID Connect Self-Issued ID Token Protocol. The AuthenticationRequest and AuthenticationResponse objects are modeled after OIDC request and response objects. We have proposed an authentication protocol in this OIDC Authentication document.

Authentication Flow

DID Authentication uses two to three JSON Web Tokens (JWT) per request. The first is an outer JSON Web Encryption (JWE), and the second is an inner JSON Web Signature (JWS), both utilizing the public private key pair of each DID retrieved from their DID Document. An optional third JWT access token may be included in a JWS header. This format ensures the content is encrypted end to end and independently verifiable. Each JWS contains a nonce header to associate requests with responses.

Authentication is encapsilated in an Authentication containing private keys for decryption, cryptographic algorithms, and a Universal Resolver. Due to the extensible model, implementations for algorithms and a universal resolver must be passed in. A standard set of algorithms will be used by default. Currently RSA, AES, and Secp256k1 is supported.

DID Documents are retrieved by the Universal Resolver. All documents are expected to conform to the DID spec. An simple http-resolver is included in the hub-node-core package, utilizing a remote Universal Resolver listening over http.

The flow can be invoked by three methods, starting with the sender:

async getAuthenticatedRequest (
  content: string,
  privateKey: PrivateKey,
  recipient: string,
  accessToken?: string
): Promise<Buffer>

which takes the message content, the private key used for signing, the did this message is intended for, and optionally an access token JWT to include in the JWS header.

Upon receipt of the encrypted request, the receiver uses:

async getVerifiedRequest (
  request: Buffer,
  accessTokenCheck: boolean = true
): Promise<VerifiedRequest | Buffer>

which decrypts the request using Authentication's private keys, retrieves the sender's DID Document and signing key, and verifys the signature of the JWS. If accessTokenCheck is true, it will require the JWS contain an access token in the JWS header and verify the token. If no token was included, the returned Promise will resolve to a Buffer containing a message back to the sender with an appropriate access token. This behavior may change in the future upon defining a specific endpoint for recieving acces tokens. If successful, a VerifiedRequest option is returned, containing the plaintext request in the VerifiedRequest.request property, along with additional metadata.

The reciever may then respond to the message using the same keys with the getAuthenticatedResponse method:

async getAuthenticatedResponse (
  request: VerifiedRequest,
  response: string
): Promise<Buffer>

This method takes the original request for public key metadata, and the plaintext response, and returns a Buffer using the same keys if possible.

The sender may decrypt the response using the same getVerifiedRequest method with the accessTokenCheck set to false.

The authentication flow is explained in greater detail in the Authentication document.

Extensible JOSE

This package includes JWS and JWE classes (JwsToken and JweToken respectively) which utilize an extensible cryptographic model, CryptoFactory. This factory is constructed from CryptoSuite which implement specific public private key pair generation, encryption, decryption, signing, and verifying algorithms. To add support for an algorithm, simply include the CryptoSuite that implements that algorithm to the CryptoFactory constructor.

JOSE extensions are explained in greater detail in the CryptoSuite document.