From c5e8dd1ca18ec90f2d7579ba6f928695772b550c Mon Sep 17 00:00:00 2001 From: fmarino-ipzs Date: Tue, 6 Aug 2024 00:31:49 +0200 Subject: [PATCH 01/21] feat: added deferred and notification --- docs/common/standards.rst | 2 + docs/en/pid-eaa-entity-configuration.rst | 2 + docs/en/pid-eaa-issuance.rst | 133 ++++++++++++++++-- examples/credential-response-deferred.json | 5 + examples/credential-response.json | 3 +- examples/ec-eaa.json | 1 + examples/notification-request.json | 4 + ...-Level-Flow-ITWallet-PID-QEAA-Issuance.svg | 3 +- 8 files changed, 142 insertions(+), 11 deletions(-) create mode 100644 examples/credential-response-deferred.json create mode 100644 examples/notification-request.json diff --git a/docs/common/standards.rst b/docs/common/standards.rst index f7b2b33a3..6fe61138e 100644 --- a/docs/common/standards.rst +++ b/docs/common/standards.rst @@ -73,3 +73,5 @@ Technical References - Fett, D., Yasuda, K., Campbell, B., "Selective Disclosure for JWTs (SD-JWT)". * - `OAUTH-ATTESTATION-CLIENT-AUTH`_ - Looker, T., Bastian, P., "OAuth 2.0 Attestation-Based Client Authentication". + * - USASCII + - American National Standards Institute, "Coded Character Set -- 7-bit American Standard Code for Information Interchange", 1986. diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index 14b705c19..3c03b8df4 100644 --- a/docs/en/pid-eaa-entity-configuration.rst +++ b/docs/en/pid-eaa-entity-configuration.rst 
@@ -87,6 +87,8 @@ The *openid_credential_issuer* metadata MUST contain the following claims. - URL of the revocation endpoint. See :rfc:`8414#section-2`. * - **status_attestation_endpoint** - It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Attestations. See Section :ref:`Credential Lifecycle` for more details. + * - **notification_endpoint** + - It MUST be an HTTPs URL indicating the notification endpoint. See Section 11.2.3 of [`OpenID4VCI`_]. * - **display** - See `OpenID4VCI` Draft 13 Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are: diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 81dda6eee..bb9ecad87 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst @@ -70,8 +70,8 @@ Below the description of the most relevant operations involved in the (Q)EAA iss 5. **(Q)EAA Issuance**: the User is authenticated with a valid PID and the (Q)EAA Provider releases a (Q)EAA bound to the key material held by the requesting Wallet Instance. -Detailed Flow -------------- +Low-Level Issuance Flow +----------------------- The PID/(Q)EAA Issuance flow is based on [`OpenID4VCI`_] and the following main reference standards/specifications MUST be supported on top of `OpenID4VCI`_: 
@@ -90,6 +90,7 @@ The PID/(Q)EAA Provider MUST use *OAuth 2.0 Authorization Server* based on :rfc: * **Wallet Initiated Flow**: The request from the Wallet Instance is sent to the PID/(Q)EAA Provider without any input from the latter. * **Same-device Issuance flow**: The User receives the Credential on the same device that initiated the flow. * **Immediate Issuance flow**: The PID/(Q)EAA Provider issues the Credential directly in response to the Credential Request. + * **Deferred Issuance flow**: The PID/(Q)EAA Provider requires time to issue the requested Digital Credential and needs the Wallet to come back to retrieve it. .. _fig_Low-Level-Flow-ITWallet-PID-QEAA-Issuance: 
@@ -97,7 +98,7 @@ The PID/(Q)EAA Provider MUST use *OAuth 2.0 Authorization Server* based on :rfc: .. figure:: ../../images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg :figwidth: 100% :align: center - :target: https://www.plantuml.com/plantuml/svg/bLJVRzis47xdNt587vO0DlPke4MTn6kC5OEHfSXB086HplOj4gcHnwZUm_xs7KLPfkQqQ8C0KSZxyNtVVSUFdhNZqDHA1xOcDC_eb6hbZ4fgjM6u-EBHNO3s49Hwjb_JmIyUV2DHxTuQl81tdsctv-iwu3JtsjbkJDVJkqTTryYmDWB1bDZ7T0fD1TBbVnWswrlOEFjArL2CbFnqCFy0OG7scJKPEDZWG29LWBbST0iue5VA6Si8zXKTTF3kyMxzi5931kyHQl8CTjj_FxZW6Il8s_a8gQyX3USVf5rfpPPSqsTuhB5aiYQMoDEK2W92CDYNAOGPYLhhJtSFd-vNgp_KpHxBbqaca0SXFuBw3ULGzpsqgOvaYJqqoBhIh7E449c3W7Ie6M7p-yrA05S8qfosXAulyhXUpZTsCyIJn6-Mzt2FVmVq39TF1i2XRwtnMF2XnLayAMj2mmLLwJyfMfJxE4IpmpUE2e6tjodOfSfv6UqzkiXgsY2_UIym_nsWFfaho7LyIyNag1yHSaZmj3EQWyCXv5XXoOoUJvf7iLzrJHNn0JAr5IMdZVeboU1ou5i4HpF0hoqvz0MPgsJQw5gzW6KGVHpza_gCufzaXgpCbGgwpwIVJbGJtMRXk0J1HpT8BScYCXNhYFU0wzlbdt0dAzspBoCdm-Uy1T4Pc562Q8OPH1Nb3ta_4kX-9Ybpz0vD71_2hTW1Nl3mpRlMMRlDVGvRwwOxnlO53GYZrf9GonRXGMv6KPCUMT7ByqNOEMquCx6jicquRjstdVy-EBCWvEr2lAeRlx1n98iKEnzZvp5syLV7y-FDoQDI_BkxCwnWHGxBtXDFqOcKn4kCyo7eiaJlYrwYML8gqSkSF8EoCDQKE7uKcStFtw6adlosrdkf7iT-EMJsuTFuNFApsKb85Ishwt60sVnkJhVdGyofzGR9HtkgMrIu9KEzjh5_etcMegxUUeEkFtzPgNlSaUUuKNKTtv8CvjnXBQGgK6HIDIdSyqhsIBltgyDNcpuXVsI6EUNCic4DwB9kFpmQ4VNqgaKnefs2XpA-ZLcSP-joEkgZW0jD_Hy0 + :target: 
https://www.plantuml.com/plantuml/svg/bPRVRo8t4CVV_LUCSWy5QL6ggaz8EHr9w0NrbD24KruY8MTtW6aMc_e777tetzwn3RicaBH1aRBOy-Fhpynu-MATDCulQo6zqyeldz48iU8rAcabbOEpxnRD6KWBNeXd_ICj_6J1BjbgjT0Ap-3JDvelt6NjyT3tqkXDuouFznvbNQE3aM89giHein6eAk0ihpICHzVddJ-wmy40naQlgTh59C6V3VG-W--3VdQI56orDt1DStAoXYk35If7iXOUUcotwSCMhH16QOUWrsXW0vyURqQJeRXB0Tm2eIRhGC_YyyHuwx224o9iq1j3iOpUPnPHQZKZiuoE5cii7Md5aKvv2-5P4YlIBuU22cAYewytaw_tm-6jk5fW-N8g0905vjGe_GrvKSQCKbLx8EGiBD79IZgPwuM00rYoGUaGnhzV3Lb-XS0QQ4PeOf37qQ0trkETFR7zU70Fz_YNH-kWywG03DgLLXQdRhl28goKDQ5oKwhIDmuwBHUXtcgE9vQcB6-Xax59aVCmqbequLI72VAT2vRvpqxga-f2ZlCKpDHy_mVapi7IN4dd3UvCzX46pg5rBVC0UorhgiXj8QCjABLVmoyXWyxkl5Dlg03yiIAcEINLJOqTEblsOU2PZw6_OvuMVeiPiZ1TuMNqf0yx2bcxR6RWuYAqtG7Cmk_7nTlG8fmW69SfmuRS0bHyPdSSNGyUW9r3ErNmK2vmYJPoAiFfbMi9OMtnLUhKxTsFfcV5RwHGrRuEJEW8JbEIq9m5XAhoFxAs0Rhva5CxONDKQ7W3hhazuGMtR-wjZDQpVEvWfit9qNVw1HNmaLQQ-93PV4vufwrrG9B7xXpFvzn8vRBPqbKsfFlBuEs1lF16zGdThCyZ99UshqDL-icsrzZsWct_puthxNVQqU7WxuxqxcQeo60PM_Kf30WbXkd4UIraMQArquYeIAIYqdp02YYdIgiIcuTfDdt7rsEYntyhRIr73zNlx3oZ-Q5zXlpD4fPjjxTrRCgOpS9nBVCJndR9Azp6dLOu8qKHSP2nbAv8LiUpJXRaMb8jdsi4qTBDR3B4-s1jhdU15hjR8CqfDrv6E6FJNfryfZXCta8PBk3Ct3fjC4kSCRlDaZJKRYQJCOpl7YPmhlBzpYj91U2Q8tR5gPV7vRVlGt6FSxAELsLTWrla8de6Q-cm0a4giU6WiV8SfSboRd2jT-dRjqF6EZz0IpkUu9UVV-LjkDBASKfnT66IXTkxILl3_oXWZRAQEbhY-uEGi_05YSa2uTKljmBaB49H89VQg_GMvSXWLrYcg_zv2qt2MDlD0XKuG_CvchGVU8QVbl4IDSx6XLcjDo3dajIhQvm_N_Z1B-j_0G00 PID/(Q)EAA Issuance - Detailed flow 
@@ -344,6 +345,74 @@ If the checks defined above are successful the Wallet Instance proceeds with the .. literalinclude:: ../../examples/credential-response.json :language: JSON +.. note:: + + If the issuance of the requested credential cannot be issued immediately and it requires more time to be issued, then the PID/(Q)EAA Provider MAY support the *Deferred Flow* (step 24) as specified in Section :ref:`Deferred Flow`. + +**Steps 22 (Notification Request)**: According to Section 10.1 of [`OpenID4VCI`_], the Wallet sends an HTTP POST request to the Notification Endpoint using the *application/json* media type as in the following non-normative example. + +.. code-block:: http + + POST /notification HTTP/1.1 + Host: eaa-provider.example.org + Content-Type: application/json + Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU + DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik + VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR + nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R + 1JEQSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiJlMWozVl9iS2ljOC1MQUVCIiwiaHRtIj + oiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0Z + WRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOCwiYXRoIjoiZlVIeU8ycjJaM0RaNTNF + c05yV0JiMHhXWG9hTnk1OUlpS0NBcWtzbVFFbyJ9.2oW9RP35yRqzhrtNP86L-Ey71E + OptxRimPPToA1plemAgR6pxHF8y6-yqyVnmcw6Fy1dqd-jfxSYoMxhAJpLjA +.. literalinclude:: ../../examples/notification-request.json + :language: JSON + + +**Steps 23 (Notification Response)**: When the Credential Issuer has successfully received the Notification Request from the Wallet, it MUST respond with an HTTP status code *204* as recommended in Section 10.2 of [`OpenID4VCI`_]. Below is a non-normative example of response to a successful Notification Request: + +.. 
code-block:: http + + HTTP/1.1 204 No Content + + + +Deferred Flow +------------- + +The PID/(Q)EAA Providers MAY support a *Deferred Flow* which has the aim of handling the cases where an immediate issuance is not possible for some reasons due to errors during the communication between the PID/(Q)EAA Provider and the Authentic Source (for example the Authentic Source is temporarily unavailable, etc.) or due to administrative or technical processes that do not allow the Credential to be provided immediately. + + +General Requirements +^^^^^^^^^^^^^^^^^^^^ + + 1. The Deferred Credential request MAY also happen several days after the initial Credential request. + 2. The User MUST be informed that the Credential is available and ready to be issued. + 3. The Wallet Provider MUST NOT be informed about which Credential is available to be issued or which Credential Provider the User needs to contact. + 4. The Wallet Instance MUST be informed about the amount of time to wait before making a new Credential request. + 5. As, in general, an unavailability may be an unexpected event, the PID/(Q)EAA Provider MUST be able to switch on the fly between a *immediate* and an *deferred* flow. This decision MUST be taken after the authorization step. + +Technical Flow +^^^^^^^^^^^^^^ + +If PID/(Q)EAA Providers, supporting this flow, are not able to immediately issue a requested Credential, they MUST provide the Wallet Instance with an HTTP Credential Response cointaining the amount of time to wait before making a new Credential request. The HTTP status code MUST be *202* (see Section 15.3.3 of [:rfc:`9110`]). Below a non-normative example is given. + +.. code-block:: http + + HTTP/1.1 202 Accepted + Content-Type: application/json + Cache-Control: no-store + +.. literalinclude:: ../../examples/credential-response-deferred.json + :language: JSON + +The Wallet Instance MUST use the value given in the *lead_time* parameter to inform the User when the Credential becomes available (e.g. 
using a local notification triggered by the *lead_time* time value). PID/(Q)EAA Providers MAY send a notification to the User through a communication channel (e.g. email address), if available from the PID/(Q)EAA Provider. + +Upon receipt of the notification (by the Wallet Instance and/or by the PID/(Q)EAA Provider), the User opens the Wallet Instance and start the Issuance Flow again from the beginning as defined in the previous section. + +If the *lead_time* parameter is less than the expiration time of the Access Token, the Wallet Instance MAY use it along with the *c_nonce* provided in the Credential Response to perform a new Credential Request without requiring the User to submit a new authentication request. + +In the case where the Authentic Source and the PID/(Q)EAA Provider are both enabled to use *PDND*, what is described in Section ... MUST apply. Pushed Authorization Request Endpoint ------------------------------------- @@ -886,10 +955,12 @@ The JWT proof type MUST contain the following parameters for the JOSE header and Credential Response ^^^^^^^^^^^^^^^^^^^^ -Credential Response to the Wallet Instance MUST be sent using `application/json` media type. If the Credential Request is successfully validated, the PID/(Q)EAA Provider MUST return HTTP response with a *200 (OK)* status code and MUST contain the following mandatory claims: +Credential Response to the Wallet Instance MUST be sent using `application/json` media type. If the Credential Request is successfully validated, and the Credential is immediately available, the PID/(Q)EAA Provider MUST return HTTP response with a *200 (OK)* status code. If the Credential is not available and the deferred flow is supported by the PID/(Q)EAA Provider, an HTTP status code *202* MUST be returned. + +The Credential Reaponse contains the following parameters: .. _table_credential_response_claim: -.. list-table:: Credential http response parameters +.. list-table:: :widths: 20 60 20 :header-rows: 1 
@@ -897,13 +968,19 @@ Credential Response to the Wallet Instance MUST be sent using `application/json` - **Description** - **Reference** * - **credential** - - String Containing the issued PID/(Q)EAA. If the requested format identifier is ``vc+sd-jwt`` then the ``credential`` parameter MUST NOT be re-encoded. If the requested format identifier is ``mso_mdoc`` then the ``credential`` parameter MUST be a base64url-encoded representation of the issued Credential. + - CONDITIONAL. REQUIRED if ``lead_time`` is not present. String Containing the issued PID/(Q)EAA. If the requested format identifier is ``vc+sd-jwt`` then the ``credential`` parameter MUST NOT be re-encoded. If the requested format identifier is ``mso_mdoc`` then the ``credential`` parameter MUST be a base64url-encoded representation of the issued Credential. - Section 7.3, Annex A2.5 and Annex A3.5 of [`OpenID4VCI`_]. + * - **lead_time** + - CONDITIONAL. REQUIRED if ``credential`` is not present. The amount of time (in seconds) required before making a new Credential Request. + - This Specification * - **c_nonce** - - JSON string containing a ``nonce`` value to be used to create a *proof of possession* of the key material when requesting a further Credential or for the renewal of a credential. + - REQUIRED. JSON string containing a ``nonce`` value to be used to create a *proof of possession* of the key material when requesting a further Credential or for the renewal of a credential. - Section 7.3 of [`OpenID4VCI`_]. * - **c_nonce_expires_in** - - JSON integer corresponding to the **c_nonce** lifetime in seconds. + - REQUIRED. JSON integer corresponding to the ``c_nonce`` lifetime in seconds. + - Section 7.3 of [`OpenID4VCI`_]. + * - **notification_id** + - OPTIONAL. String identifying an issued Credential that the Wallet includes in the Notification Request as defined in Section :ref:`Notification Request`. It MUST NOT be present if credential parameter is not present - Section 7.3 of [`OpenID4VCI`_]. 
@@ -921,7 +998,47 @@ If the Credential Request is invalid, the PID/(Q)EAA Provider MUST return an err .. literalinclude:: ../../examples/credential-error.json :language: JSON +Notification endpoint +--------------------- + +The Notification Endpoint is used by the Wallet to notify the PID/(Q)EAA Provider of certain events for issued Credentials, such as if the Credential was successfully stored in the Wallet Instance or in case of unsuccessful Credential issuance caused by a user action. +This endpoint MUST be a protected endpoint and a valid DPoP Access Token MUST be used. TLS is REQUIRED according to Section 10 of [`OpenID4VCI`_]. + + +Notification Request +^^^^^^^^^^^^^^^^^^^^ + +The Notification Request MUST be an HTTP POST using the *application/json* media type with the following parameters. + +.. list-table:: + :widths: 20 60 25 + :header-rows: 1 + + * - **Claim** + - **Description** + - **Reference** + * - **notification_id** + - REQUIRED. It MUST be equal to the ``notification_id`` value returned in the Credential Response by the PID/(Q)EAA Provider. + - Section 10.1 of [`OpenID4VCI`_]. + * - **event** + - REQUIRED. Type of the notification event. It MUST be a case sensitive string and it MUST support the following values: + + - *credential_accepted*: when the Credential was successfully stored in the Wallet Instance. + - *credential_deleted*: when the unsuccessful Credential issuance was caused by a user action. + - *credential_failure*: in all other unsuccessful cases. + + - Section 10.1 of [`OpenID4VCI`_]. + * - **event_description** + - OPTIONAL. Human-readable ASCII [USASCII] text providing additional information, used to inform about the event that occurred. Values for the event_description parameter MUST NOT include characters outside the set *%x20-21 / %x23-5B / %x5D-7E*. + - Section 10.1 of [`OpenID4VCI`_]. 
+Notification Response +^^^^^^^^^^^^^^^^^^^^^ + +The Notification Response MUST be use an HTTP status code *204 (No Content)*, as recommended in Section 10.2 of [`OpenID4VCI`_]. + +In case of errors, what is described in Section 10.3 of [`OpenID4VCI`_] MUST apply. + diff --git a/examples/credential-response-deferred.json b/examples/credential-response-deferred.json new file mode 100644 index 000000000..2c56716bd --- /dev/null +++ b/examples/credential-response-deferred.json @@ -0,0 +1,5 @@ +{ + "lead_time": 864000, + "c_nonce": "ff_EtUQs0ieiIS1NYNBHEQSoy3ct4gpy-89JKwHilrT", + "c_nonce_expires_in": 86400 +} \ No newline at end of file diff --git a/examples/credential-response.json b/examples/credential-response.json index 719b2e70c..b121e3bc7 100644 --- a/examples/credential-response.json +++ b/examples/credential-response.json 
@@ -2,5 +2,6 @@ "format": "vc+sd-jwt", "credential": "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImM5NTBjMGU2ZmRlYjVkZTUwYTUwMDk2YjI0N2FmMDNjIn0.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.v9ynFXhKXPOhQSMmuLvIBKRWfPEPDf4QwDoNmDOjMROxr5J4Hshh9mBEM5qohH_PDE62i1TLc36C65jFYa7x3A~WyIwQUx5SzRfUi1aVUpTekVKdW5HTFdRIiwiaWF0IiwiMTc0NzExOTU5NSJd~WyItT25uM29FcGh6TDNncHJUcVF0YUd3IiwiZG9jdW1lbnRfbnVtYmVyIiwiMDAwMDAwMDIiXQ~WyJ2bmtVX2tJV2RSa1dPZzBoNlRYcDd3IiwiZ2l2ZW5fbmFtZSIsIk1hcmlvIl~WyJvRUdnaVZQaXV1dEJVby1wcTd6WURBIiwiZmFtaWx5X25hbWUiLCJSb3NzaSJd~WyJGVU1iQm5hLWhlLUlaWTZkOVZ1UkNBIiwiYmlydGhfZGF0ZSIsIjE5ODAtMDEtMTAiXQ~WyJjQ0ZDeXljV1J4alZINkZURVR5OTd3IiwidGF4X2lkX2NvZGUiLCJSU1NNUkE4MFIwMUg1MDFCIl0~WyJVSEFhaWZ1bzloTW9pbkVDU0loOG9RIiwiZXhwaXJ5X2RhdGUiLCIyMDMwLTAxLTEwIl~WyJ3TW1xYkkzTFRPMDVLajFoLXNpWWhRIiwiY29uc3RhbnRfYXR0ZW5kYW5jZV9hbGxvd2FuY2UiLCIwIl0~WyJBODVjeFI1REZyOElfaFZFQTZqZGNBIiwibGlua19xcl9jb2RlIiwiaHR0cHM6Ly9xci5leGFtcGxlLmNvbSJd~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", "c_nonce": "ff_EtUQs0ieiIS1NYNBHEQSoy3ct4gpy-89JKwHilrT", - "c_nonce_expires_in": 86400 + "c_nonce_expires_in": 86400, + "notification_id": "dab8ef51-fb43-43a5-a5c1-247c93ddb942" } \ No newline at end of file diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json index e545e4fa1..767b3e98b 100644 --- a/examples/ec-eaa.json +++ b/examples/ec-eaa.json @@ -91,6 +91,7 @@ "credential_endpoint": "https://eaa-provider.example.org/credential", "revocation_endpoint": "https://eaa-provider.example.org/revoke", "status_attestation_endpoint": "https://eaa-provider.example.org/status", + "notification_endpoint": "https://eaa-provider.example.org/notification", "display": [ { "name": "EAA Provider", diff --git a/examples/notification-request.json b/examples/notification-request.json new file mode 100644 index 000000000..106969109 --- /dev/null +++ b/examples/notification-request.json 
@@ -0,0 +1,4 @@ +{ + "notification_id": "dab8ef51-fb43-43a5-a5c1-247c93ddb942", + "event": "credential_accepted" +} \ No newline at end of file diff --git a/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg b/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg index d4bacd980..d78cbd3e7 100644 --- a/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg +++ b/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg 
@@ -1,2 +1 @@ - -User's smartphoneUserUserBrowserBrowserWallet InstanceWallet InstancePID ProviderPID Provider1obtain your PID2yesobtain the list of the Trusted PID Providers3confirm the selection of PID Provider4okCheck PID Provider is part of the Federation and obtain its metadata5create PKCE code verifier and WIA-PoP6PAR Request (response_type,client_id,code_challenge,code_challenge_method,request,client_assertion_type,client_assertion=WIA~WIA-PoP)Check Wallet Provider is part of the FederationCheck signature of the Wallet Attestation and its validity7PAR Response (request_uri, expires_in)8Authorization Request (client_id, request_uri)9Authorization Request (client_id, request_uri)user authentication with eIDAS High and consent10Authorization Response (code, state, iss)11Authorization Response (code, state, iss)12generate DPoP key13generate DPoP proof and WIA-PoP for PID Provider token endpoint14Token Request with DPoP proof (client_id,grant_type,code,code_verifier,client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation,client_assertion=WIA~WIA-PoP,redirect_uri)15Token Response (access_token, token_type, expires_in, c_nonce, c_nonce_expires_in)16create proof of possession (c_nonce)17create DPoP proof for PID Provider credential endpoint18Credential Request with DPoP access_token and DPoP proof (credential_definition, format, proof)Register all the credential-relatedinformation for verification/revocation19Credential Response (format, credential, c_nonce, c_nonce_expires_in)20PID validity and status check21store credential \ No newline at end of file +User's smartphoneUserUserBrowserBrowserWallet InstanceWallet InstancePID/(Q)EAA ProviderPID/(Q)EAA Provider1obtain your Digital Credential2yesObtain the list of the Trusted PID/(Q)EAA Providers3confirm the selection of PID/(Q)EAA Provider4okCheck PID/(Q)EAA Provider is part of the Federation and obtain its metadata5create PKCE code verifier and WIA-PoP6PAR Request 
(response_type,client_id,code_challenge,code_challenge_method,request,client_assertion_type,client_assertion=WIA~WIA-PoP)Check Wallet Provider is part of the FederationCheck signature of the Wallet Attestation and its validity7PAR Response (request_uri, expires_in)8Authorization Request (client_id, request_uri)9Authorization Request (client_id, request_uri)alt[Credential == PID]user authentication with national eIDAS notified Schemes and consent[Credential == (Q)EAA)]user authentication with PID and consent10Authorization Response (code, state, iss)11Authorization Response (code, state, iss)12generate DPoP key13generate DPoP proof and WIA-PoP for PID/(Q)EAA Provider token endpoint14Token Request with DPoP proof (client_id,grant_type,code,code_verifier,client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation,client_assertion=WIA~WIA-PoP,redirect_uri)15Token Response (access_token, token_type, expires_in, c_nonce, c_nonce_expires_in)16create proof of possession (c_nonce)17create DPoP proof for PID/(Q)EAA Provider credential endpoint18Credential Request with DPoP access_token and DPoP proof (credential_definition, format, proof)alt[Credential is available]19Credential Response (format, credential, c_nonce, c_nonce_expires_in, notification_id)20PID/(Q)EAA validity and status check21store credential22Notification Request HTTP POST /notification (notification_id, event)Register all the credential-relatedinformation for verification/revocation23Notification Response HTTP 204 No Content[Credential is NOT available]24Credential Response (lead_time, c_nonce, c_nonce_expires_in)The Wallet Instance, after an amount of time specified by lead_time and when triggered by the User, starts the flow again \ No newline at end of file From f019b4f6f87d6ac972030ff4ddea01b1beb8fbda Mon Sep 17 00:00:00 2001 
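Review bot: the ``notification_endpoint`` row added to docs/en/pid-eaa-entity-configuration.rst carries no REQUIRED/OPTIONAL qualifier, and the table intro says the metadata "MUST contain the following claims", so as written every Provider must publish a Notification Endpoint; decide whether that is intended, since Step 22 of the issuance text only says the Wallet "sends" the Notification Request without a MUST or MAY. Add the qualifier in the same style as the later ``authorization_servers`` row ("OPTIONAL. ..."), and use a consistent spelling of "HTTPS" rather than "HTTPs".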
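Review bot: the heading rename from "Detailed Flow" to "Low-Level Issuance Flow" in docs/en/pid-eaa-issuance.rst (hunk @@ -70) leaves the figure caption in the next hunk still reading "PID/(Q)EAA Issuance - Detailed flow", and any ``:ref:`` that resolved to the old title will now break if autosectionlabel is in use (the document already relies on ``:ref:`Credential Lifecycle```). Rename the caption to match and grep the tree for references to the old title before merge.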
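Review bot: the DPoP proof in the Step 22 example (hunk @@ -344 of docs/en/pid-eaa-issuance.rst) does not match the request it is attached to: the JWT payload is the one from RFC 9449, with ``htm`` equal to ``GET`` and ``htu`` equal to ``https://resource.example.org/protectedresource``, while the request shown is ``POST /notification`` on ``eaa-provider.example.org``, so a conforming Provider would reject it. Regenerate the proof with ``htm`` ``POST``, ``htu`` ``https://eaa-provider.example.org/notification``, a current ``iat`` and an ``ath`` computed over the Access Token actually shown in the ``Authorization`` header. Smaller fixes in the same hunk: "**Steps 22 (Notification Request)**" and "**Steps 23 (Notification Response)**" should read "Step"; the ``.. literalinclude::`` directive follows the ``http`` code-block with no blank line between them, which docutils reports as an unexpected unindent and renders badly; in the Deferred Flow text "cointaining" should be "containing", "between a *immediate* and an *deferred* flow" should be "between an *immediate* and a *deferred* flow", and "the User opens the Wallet Instance and start the Issuance Flow again" should be "starts". The closing sentence "what is described in Section ... MUST apply" still has a placeholder where the reference belongs; if it is meant to point at the Authentic Sources section introduced in 02/21, put the ``:ref:`` there before merge.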
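Review bot: "The Credential Reaponse contains the following parameters" in hunk @@ -886 of docs/en/pid-eaa-issuance.rst has a typo ("Response"), and the rewritten first paragraph should read "MUST return an HTTP response with a *200 (OK)* status code". The hunk also drops the list-table caption "Credential http response parameters" without replacement; if the caption was removed on purpose, say so in the commit message, otherwise keep a caption so the table can still be referenced by title.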
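Review bot: the ``notification_id`` row in hunk @@ -897 ends with "It MUST NOT be present if credential parameter is not present" with no full stop and without the ````credential```` literal markup used in the rest of the table; it should also say "if the ``credential`` parameter is not present". In the ``lead_time`` row, "The amount of time (in seconds) required before making a new Credential Request" reads better as "The number of seconds the Wallet Instance MUST wait before making a new Credential Request", which also makes the MUST in the Deferred Flow text explicit here.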
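Review bot: the Notification Request section (hunk @@ -921) requires a valid DPoP Access Token but does not say what the Provider checks about ``notification_id``; add that the Provider MUST verify the received ``notification_id`` was returned in a Credential Response issued to the holder of the presented Access Token and otherwise answer with the error response of Section 10.3 of OpenID4VCI, so that a notification can only affect the Credential it was actually issued for. Wording in the same hunk: "It MUST be a case sensitive string and it MUST support the following values" should be "It MUST be a case-sensitive string with one of the following values"; "The Notification Response MUST be use an HTTP status code *204 (No Content)*" should be "MUST use"; and ``:widths: 20 60 25`` differs from the ``20 60 20`` used by the other tables for no evident reason.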
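Review bot: the values in examples/credential-response-deferred.json contradict the reuse rule in the Deferred Flow text. ``lead_time`` is 864000 (ten days) while ``c_nonce_expires_in`` is 86400 (one day), so by the time the Wallet is allowed to retry, the ``c_nonce`` returned with the 202 has long expired and the sentence allowing the Wallet to reuse it when ``lead_time`` is shorter than the Access Token lifetime can never apply to this example. Either pick values where the retry falls inside both the ``c_nonce`` and the Access Token lifetime, or state in the text that a fresh ``c_nonce`` is obtained when the retry happens after the earlier one expires. Also add a trailing newline to the new file ("\ No newline at end of file").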
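Review bot: the new ``USASCII`` row in docs/common/standards.rst is plain text while its neighbours are hyperlink targets (``OAUTH-ATTESTATION-CLIENT-AUTH`_``); either add a ``.. _USASCII:`` target in common_definitions.rst and reference it as ```USASCII`_``, or keep it plain and make the in-text citation "[USASCII]" in the ``event_description`` row follow the same bracket convention as the other references, e.g. "[`OpenID4VCI`_]".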
From: fmarino-ipzs Date: Tue, 6 Aug 2024 03:24:53 +0200 Subject: [PATCH 02/21] feat: added auth source interaction with pdnd modi --- docs/common/common_definitions.rst | 4 ++- docs/common/standards.rst | 4 +++ docs/en/authentic-sources.rst | 40 ++++++++++++++++++++++++++++++ docs/en/index.rst | 1 + 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 docs/en/authentic-sources.rst diff --git a/docs/common/common_definitions.rst b/docs/common/common_definitions.rst index 00e10e858..08af0f12b 100644 --- a/docs/common/common_definitions.rst +++ b/docs/common/common_definitions.rst @@ -64,4 +64,6 @@ .. _OAUTH-ATTESTATION-CLIENT-AUTH: https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/03/ .. _Key Attestation: https://developer.android.com/privacy-and-security/security-key-attestation#attestation-v4 .. _Device Check: https://developer.apple.com/documentation/devicecheck -.. _attestKey: https://developer.apple.com/documentation/devicecheck/dcappattestservice/attestkey:clientdatahash:completionhandler: +.. _attestKey: https://developer.apple.com/documentation/devicecheck/dcappattestservice/attestkey:clientdatahash:completionhandler +.. _MODI: https://www.agid.gov.it/sites/agid/files/2024-05/linee_guida_interoperabilit_tecnica_pa.pdf +.. _PDND: https://www.agid.gov.it/sites/agid/files/2024-06/Linee_guida_infrastruttura_interoperabilita_pdnd.pdf diff --git a/docs/common/standards.rst b/docs/common/standards.rst index 6fe61138e..8465946a3 100644 --- a/docs/common/standards.rst +++ b/docs/common/standards.rst 
@@ -75,3 +75,7 @@ Technical References - Looker, T., Bastian, P., "OAuth 2.0 Attestation-Based Client Authentication". * - USASCII - American National Standards Institute, "Coded Character Set -- 7-bit American Standard Code for Information Interchange", 1986. + * - `MODI`_ + - "Linee Guida sull'interoperabilità tecnica delle Pubbliche Amministrazioni", November 2023, Version 1.2. + * - `PDND`_ + - "Linee Guida sull'infrastruttura tecnologica della Piattaforma Digitale Nazionale Dati per l'interoperabilità dei sistemi informativi e delle basi di dati", December 2021, Version 1.0. diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst new file mode 100644 index 000000000..f363b648f --- /dev/null +++ b/docs/en/authentic-sources.rst 
@@ -0,0 +1,40 @@ +.. include:: ../common/common_definitions.rst + + +Authentic Sources ++++++++++++++++++++ + +Authentic Sources are responsible for the authenticity of the User's attributes provided as Digital Credentials by the PID/(Q)EAA Provider. During the Issuance Flow, PID/(Q)EAA Providers, after authenticating the User, request from Authentic Sources the attributes required to provide the credential requested by the User. If PID/(Q)EAA Providers and Authentic Sources are both allowed to use PDND, the communication between them MUST be done in compliance with [`MODI`_] and [`PDND`_] according to the following rules. In particular, + + - The Authentic Source MUST provide an e-service registered within the PDND catalogue which the PID/(Q)EAA Provider, as the recipient, MUST use to request the User's attributes. + - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. + - The PID(Q)EAA Provider MUST provide to the Authentic Source an evidence that + + - the request for User attributes is related to a request by a User and regarding data of which he/she is the holder. + - the request for User attributes comes from a valid and authentic Wallet Instance. + + - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to send the PID/(Q)EAA Provider both notifications on the availability of the User's attributes as well as those relating to the attributes validity status. + - The protocol flow MUST ensure integrity, authenticity, and non-repudiation of the exchanged data between the Authentic Source and the PID/(Q)EAA Provider. + - The e-services MUST be implemented in REST. SOAP protocol MUST NOT be used. 
+ + + +Security Patterns +---------------------- + +The following security patterns and profiles are applicable: + + - **[REST_JWS_2021_POP]** JWS POP Voucher Issuing Profile (*Annex 3 - Standards and technical details used for Voucher Authorization* [`PDND`_]): REQUIRED. It adds a proof of possession on the Voucher. The client using the Voucher to access an e-service MUST give proof of possession of the private key whose public is attested on the Voucher. + + - **[ID_AUTH_REST_02]** Client Authentication with X.509 certificate with uniqueness of the token/message (*Annex 2 - Security Pattern *[`MODI`_]): REQUIRED. It guarantees trust between the Authentic Source and the PID/(Q)EAA Provider and provides a mitigation against replay attacks. + + - **[INTEGRITY_REST_01]** REST message payload integrity (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It adds message payload integrity of the HTTP POST request. + + - **[AUDIT_REST_02]** submission of audit data within the request (*Annex 2 - Security Pattern* [`MODI`_]): OPTIONAL. The Authentic Source MAY request an evidence about the User Authentication related to the User's attributes requested by the PID/(Q)EAA Provider and/or a proof that the Wallet Instance is valid and authentic. In this case this pattern MUST be used. + + - **[PROFILE_NON_REPUDIATION_01]** Profile for non-repudiation of transmission (*Annex 3 - Interoperability Profile* [`MODI`_]): REQUIRED. This profile uses the following security patterns: + + - **ID_AUTH_CHANNEL_01** or **ID_AUTH_CHANNEL_02** + - **ID_AUTH_REST_02** + - **INTEGRITY_REST_01** + diff --git a/docs/en/index.rst b/docs/en/index.rst index b4948f0b4..36c62995e 100644 --- a/docs/en/index.rst +++ b/docs/en/index.rst @@ -42,6 +42,7 @@ Index of content pid-eaa-data-model.rst pid-eaa-issuance.rst pid-eaa-entity-configuration.rst + authentic-sources.rst relying-party-solution.rst relying-party-entity-configuration.rst revocation-lists.rst 
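Review bot: the edit to the ``attestKey`` target in docs/common/common_definitions.rst (dropping the trailing colon of the Apple URL) is unrelated to the PDND/MODI subject of this commit and should be split out so the history stays bisectable; also verify that the URL without the trailing colon still resolves, since Apple's anchors for selector-style method names end in a colon.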
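Review bot: in docs/en/authentic-sources.rst the requirement that the PID/(Q)EAA Provider "MUST provide to the Authentic Source an evidence that" the request relates to the User and comes from a valid Wallet Instance does not say what that evidence is (a user authentication assertion, a Wallet Attestation digest, or something else), how it is conveyed in the ``AUDIT_REST_02`` request, or that it MUST be limited to what the Authentic Source needs and MUST NOT let the Authentic Source identify the Wallet Instance across requests; without this the Authentic Source cannot verify the evidence and the two parties will not interoperate. Formatting in the Security Patterns list: "(*Annex 2 - Security Pattern *[`MODI`_])" in the ``ID_AUTH_REST_02`` bullet has the space inside the emphasis, so docutils will not close the ``*`` and will emit an "Inline emphasis start-string without end-string" warning; write it as "(*Annex 2 - Security Pattern* [`MODI`_])" like the other bullets. Wording: "an estimation time when a new request can be sent" should be "an estimate of when a new request can be sent", "an evidence" should be "evidence", and "the private key whose public is attested on the Voucher" should be "whose public key is attested". Finally, ``PROFILE_NON_REPUDIATION_01`` lists ``ID_AUTH_CHANNEL_01`` or ``ID_AUTH_CHANNEL_02`` as constituent patterns, but neither appears in the list of REQUIRED patterns above it, so say which channel pattern is required and whether mutual TLS is mandatory.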
From e3be6562683b367c6d852fab6338982d61449869 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs Date: Tue, 6 Aug 2024 03:29:11 +0200 Subject: [PATCH 03/21] fix: aud parameter --- docs/en/pid-eaa-issuance.rst | 2 +- docs/en/revocation-lists.rst | 4 ++-- examples/at-dpop-payload.json | 2 +- examples/credential-jwt-proof-payload.json | 2 +- examples/request-object-payload.json | 2 +- examples/wa-pop-payload.json | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index bb9ecad87..21c9c2cd3 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst @@ -848,7 +848,7 @@ The JOSE header of a **DPoP JWT** MUST contain the following claims. - The identifier for the Wallet Instance that requested the Access Token; it MUST be equal to the to kid of the public key of the Wallet Instance specified into the Wallet Attestation (``cnf.jwk``). - [:rfc:`9068`], [:rfc:`7519`] and Section 8 of [`OIDC`_]. * - **aud** - - It MUST be set to the URL of Credential Endpoint of the PID/(Q)EAA Provider. + - It MUST be set to the identifier of the PID/(Q)EAA Provider. - [:rfc:`9068`]. * - **iat** - UNIX Timestamp with the time of JWT issuance, coded as NumericDate as indicated in :rfc:`7519`. diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index a37ace2fc..eb1f7d741 100644 --- a/docs/en/revocation-lists.rst +++ b/docs/en/revocation-lists.rst @@ -156,7 +156,7 @@ Below, is given a non-normative example of a Credential PoP with decoded JWT hea . { "iss": "0b434530-e151-4c40-98b7-74c75a5ef760", - "aud": "https://pid-provider.example.org/revoke", + "aud": "https://pid-provider.example.org", "iat": 1698744039, "exp": 1698744139, "jti": "6f204f7e-e453-4dfd-814e-9d155319408c", 
@@ -486,7 +486,7 @@ The Credential Proof of Possession (**credential_pop**) MUST be a JWT that MUST - Thumbprint of the JWK in the ``cnf`` parameter of the Wallet Attestation. - :rfc:`9126` and :rfc:`7519`. * - **aud** - - It MUST be set to the Issuer endpoint at which the JWT is used. + - It MUST be set to the identifier of the Issuer. - :rfc:`9126` and :rfc:`7519`. * - **exp** - UNIX Timestamp with the expiry time of the JWT. diff --git a/examples/at-dpop-payload.json b/examples/at-dpop-payload.json index d8e41ed0c..502da9a28 100644 --- a/examples/at-dpop-payload.json +++ b/examples/at-dpop-payload.json @@ -1,7 +1,7 @@ { "iss": "https://eaa-provider.example.org", "sub": "d4e0bb387aa2556ff306925fdfb9a765", - "aud": "https://eaa-provider.example.org/credential", + "aud": "https://eaa-provider.example.org", "iat": 1715842560, "exp": 1778914560, "jti": "f9655ceb-c65c-4025-9378-b6672b6149bg", diff --git a/examples/credential-jwt-proof-payload.json b/examples/credential-jwt-proof-payload.json index 2c38703d6..76bdbe5fb 100644 --- a/examples/credential-jwt-proof-payload.json +++ b/examples/credential-jwt-proof-payload.json @@ -1,6 +1,6 @@ { "iss": "47b982369791d08003a7283f059cb0d1", - "aud": "https://eaa-provider.example.org/credential", + "aud": "https://eaa-provider.example.org", "iat": 1705570055, "nonce": "ts_EtUQs0ieiIS1NYNBHEQSoy3ct4gpy-4FZKwHilkY" } \ No newline at end of file diff --git a/examples/request-object-payload.json b/examples/request-object-payload.json index 5a4b5a7a7..a6a2d0a67 100644 --- a/examples/request-object-payload.json +++ b/examples/request-object-payload.json @@ -1,6 +1,6 @@ { "jti": "f8555ceb-c65c-4025-9378-b6672b6149af", - "aud": "https://eaa-provider.example.org/as/par", + "aud": "https://eaa-provider.example.org", "iat": 1715842560, "exp": 1715842860, "response_type": "code", diff --git a/examples/wa-pop-payload.json b/examples/wa-pop-payload.json index 466d2e0f0..d700ea868 100644 --- a/examples/wa-pop-payload.json 
+++ b/examples/wa-pop-payload.json @@ -1,6 +1,6 @@ { "iss": "47b982369791d08003a7283f059cb0d1", - "aud": "https://eaa-provider.example.org/as/par", + "aud": "https://eaa-provider.example.org", "iat": 1715842560, "exp": 1778914560, "jti": "f8555ceb-c65c-4025-9378-b6672b6149af" From 315e214fa95785f9626852d0e7dbebe486256d3b Mon Sep 17 00:00:00 2001 From: fmarino-ipzs Date: Tue, 6 Aug 2024 03:33:35 +0200 Subject: [PATCH 04/21] feat: auth server in the issuer metadata --- docs/en/pid-eaa-entity-configuration.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index 3c03b8df4..3579fdd71 100644 --- a/docs/en/pid-eaa-entity-configuration.rst +++ b/docs/en/pid-eaa-entity-configuration.rst @@ -89,6 +89,8 @@ The *openid_credential_issuer* metadata MUST contain the following claims. - It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Attestations. See Section :ref:`Credential Lifecycle` for more details. * - **notification_endpoint** - It MUST be an HTTPs URL indicating the notification endpoint. See Section 11.2.3 of [`OpenID4VCI`_]. + * - **authorization_servers** + - OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [:rfc:`8414`]) the PID/(Q)EAA Provider relies on for authorization. If this parameter is omitted, the entity providing the PID/(Q)EAA Provider is also acting as the Authorization Server. * - **display** - See `OpenID4VCI` Draft 13 Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are: From e610e3b3fe30da991e3fe3dd14fffdf4de337a19 Mon Sep 17 00:00:00 2001 
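Review bot: the new `authorization_servers` row in docs/en/pid-eaa-entity-configuration.rst introduces a possibly separate Authorization Server but does not say which identifier the Wallet must put in `aud` of the PAR Request Object and the Wallet Attestation PoP when the array is present, while the preceding hunks in this series set `aud` to "the identifier of the Issuer"; state explicitly that those JWTs are addressed to the selected Authorization Server identifier and that the Access Token `aud` remains the PID/(Q)EAA Provider. The row also gives no rule for choosing among multiple entries and no requirement that a listed server be resolvable and trusted through the Federation (the flow checks only the Provider); add both, or restrict the array to one entry. Style: the `notification_endpoint` context line above reads "HTTPs URL"; the usual form is "HTTPS URL".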
From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 09:31:33 +0200 Subject: [PATCH 05/21] Update docs/en/authentic-sources.rst Co-authored-by: m-basili --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index f363b648f..70f3f6668 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst @@ -8,7 +8,7 @@ Authentic Sources are responsible for the authenticity of the User's attributes - The Authentic Source MUST provide an e-service registered within the PDND catalogue which the PID/(Q)EAA Provider, as the recipient, MUST use to request the User's attributes. - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. - - The PID(Q)EAA Provider MUST provide to the Authentic Source an evidence that + - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that - the request for User attributes is related to a request by a User and regarding data of which he/she is the holder. - the request for User attributes comes from a valid and authentic Wallet Instance. From 8bb853987b21d6ae31382ca0b62c11f70603f464 Mon Sep 17 00:00:00 2001 From: Marco Basili Date: Tue, 6 Aug 2024 10:31:36 +0200 Subject: [PATCH 06/21] chore: added link reference --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 21c9c2cd3..ba4bdaa4e 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -412,7 +412,7 @@ Upon receipt of the notification (by the Wallet Instance and/or by the PID/(Q)EA If the *lead_time* parameter is less than the expiration time of the Access Token, the Wallet Instance MAY use it along with the *c_nonce* provided in the Credential Response to perform a new Credential Request without requiring the User to submit a new authentication request. -In the case where the Authentic Source and the PID/(Q)EAA Provider are both enabled to use *PDND*, what is described in Section ... MUST apply. +In the case where the Authentic Source and the PID/(Q)EAA Provider are both enabled to use *PDND*, what is described in Section :ref:`Authentic Sources` MUST apply. Pushed Authorization Request Endpoint ------------------------------------- From 71e5d5772702b494788b1b890a92ebd1de827387 Mon Sep 17 00:00:00 2001 From: Marco Basili Date: Tue, 6 Aug 2024 11:55:12 +0200 Subject: [PATCH 07/21] chore: update issuance sequence diagram --- docs/en/pid-eaa-issuance.rst | 4 ++-- images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index ba4bdaa4e..e35aa829f 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
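Review bot: the `lead_time` sentence in the context above the changed line lets the Wallet reuse the `c_nonce` for a new Credential Request whenever `lead_time` is shorter than the Access Token lifetime, but the `c_nonce` has its own lifetime (`c_nonce_expires_in` in the Credential Response); the condition should require `lead_time` to be below both, or say what the Wallet does when the `c_nonce` has expired first. The `:ref:` fix itself is fine.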
@@ -98,7 +98,7 @@ The PID/(Q)EAA Provider MUST use *OAuth 2.0 Authorization Server* based on :rfc: .. figure:: ../../images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg :figwidth: 100% :align: center - :target: https://www.plantuml.com/plantuml/svg/bPRVRo8t4CVV_LUCSWy5QL6ggaz8EHr9w0NrbD24KruY8MTtW6aMc_e777tetzwn3RicaBH1aRBOy-Fhpynu-MATDCulQo6zqyeldz48iU8rAcabbOEpxnRD6KWBNeXd_ICj_6J1BjbgjT0Ap-3JDvelt6NjyT3tqkXDuouFznvbNQE3aM89giHein6eAk0ihpICHzVddJ-wmy40naQlgTh59C6V3VG-W--3VdQI56orDt1DStAoXYk35If7iXOUUcotwSCMhH16QOUWrsXW0vyURqQJeRXB0Tm2eIRhGC_YyyHuwx224o9iq1j3iOpUPnPHQZKZiuoE5cii7Md5aKvv2-5P4YlIBuU22cAYewytaw_tm-6jk5fW-N8g0905vjGe_GrvKSQCKbLx8EGiBD79IZgPwuM00rYoGUaGnhzV3Lb-XS0QQ4PeOf37qQ0trkETFR7zU70Fz_YNH-kWywG03DgLLXQdRhl28goKDQ5oKwhIDmuwBHUXtcgE9vQcB6-Xax59aVCmqbequLI72VAT2vRvpqxga-f2ZlCKpDHy_mVapi7IN4dd3UvCzX46pg5rBVC0UorhgiXj8QCjABLVmoyXWyxkl5Dlg03yiIAcEINLJOqTEblsOU2PZw6_OvuMVeiPiZ1TuMNqf0yx2bcxR6RWuYAqtG7Cmk_7nTlG8fmW69SfmuRS0bHyPdSSNGyUW9r3ErNmK2vmYJPoAiFfbMi9OMtnLUhKxTsFfcV5RwHGrRuEJEW8JbEIq9m5XAhoFxAs0Rhva5CxONDKQ7W3hhazuGMtR-wjZDQpVEvWfit9qNVw1HNmaLQQ-93PV4vufwrrG9B7xXpFvzn8vRBPqbKsfFlBuEs1lF16zGdThCyZ99UshqDL-icsrzZsWct_puthxNVQqU7WxuxqxcQeo60PM_Kf30WbXkd4UIraMQArquYeIAIYqdp02YYdIgiIcuTfDdt7rsEYntyhRIr73zNlx3oZ-Q5zXlpD4fPjjxTrRCgOpS9nBVCJndR9Azp6dLOu8qKHSP2nbAv8LiUpJXRaMb8jdsi4qTBDR3B4-s1jhdU15hjR8CqfDrv6E6FJNfryfZXCta8PBk3Ct3fjC4kSCRlDaZJKRYQJCOpl7YPmhlBzpYj91U2Q8tR5gPV7vRVlGt6FSxAELsLTWrla8de6Q-cm0a4giU6WiV8SfSboRd2jT-dRjqF6EZz0IpkUu9UVV-LjkDBASKfnT66IXTkxILl3_oXWZRAQEbhY-uEGi_05YSa2uTKljmBaB49H89VQg_GMvSXWLrYcg_zv2qt2MDlD0XKuG_CvchGVU8QVbl4IDSx6XLcjDo3dajIhQvm_N_Z1B-j_0G00 + :target: 
https://www.plantuml.com/plantuml/svg/hPRVJoCt4CVV_LUCk8S6QIEggaz8Txe0wH7r12dan4kbbTcTP4TixAqzJYxzwsklazW9eLUa8WGRUtvy_PaPRpvRbeRTiXNIiLPk-On6YCwlKKMTL0ndtooQCv0Md13F-djS-Cc2NNghhj4Ap-33LreqVDKwFFIzCdgzTvU7Uq-oRP5Xehm4LM5linQeQl1PZZHC9pSNWp_EnwCHJ8rUKRsDISB_h67u2Tmbw6UMf62ZdO4RMX3B5guDrgYOP2iS3BtT-X8sQ8KmIZE2Ng61DNnukftCnk8-1k06eINBeEVzyymuorZ32H4swEr3UHd3Jrv4fTMSpB9tjDXYnQILZtJAMmZd9Nb5-kLGK46UwEJBxUpBmtXy9wuRh5vE1G2ou3djbVw6Vb7s6QMgTq28BIoHPIrPvdeXu00lsQ1aXEdlrsCllqRm6cXEQFeWJvFHSAgdMtlozjFH0ppWNmujm-1F1M3GTbfPB7dJOH5MgfPGSKbr_EI3bbKJwgqMU6AfzF8Q7OrDZ7mE_iEQk87xaUDcUDr778wO_MOwubkRGJ9iQtcBqcF90P_26zlnlw3TEbXQACdEuCva6-5OOi2_aYtLn1l8-0kA3Rad6Y72O4kWT8OAmEyT6RGbgVFOwg7NvIM4Ssj3V_TvKZaIUCZ2d0idUqzwjwEGBMTJ11y_XaOyW5cutG0v6vh69mZ6LPyXrb3rpzuT9pUZH_3EeS5gUAmQNABjELNXz8eJ8Mmj7gME_N_-tlHUyHifLBshWoTq32UL9BHh0Q6g_XzPkmUwVfTJcha5gj1E23UXKLzmy-PUPxIUvvC8SsrENWQiNr01ghhJf5Xa4plpEwdM0KaUU_1wOXT6Aix6MTVPsEwkXx1Yi2Q3LMoM_tra1KKcyGGvMrbLQ6tP7xc89uzoiu4fe2gLLXNk7yfycbvTW966_-sqjJvw43pOUlRcH_O9uPibgLBtfhhiov9w-qHjiXD6Rdd5KjoonZaf2W2B86CfkOXMhsUNBCYLf5O-jmWYqSrj4k9Ti9JhNu4MSQgtS-SRAIUSsAIhC9mfbDvPgCA5cfbRrWQpn1cpkop9djhjR3Q5wVtZ32vKlZyuabG0hb35TqiYFUf9nnOJfruJLr-_ZSK3BiYoNvLj2zpayeO6MybOWo0LgCNa_Wbyb7t-2uChlHMMtWDP5VAZfJhqP_lbvr_zDbnhnQXOfAinLVRkVfQg-uFIjYZhacc9FnYHZ8KhICmQXADlRGN8UGz5WLngf-BxqaS6ss4LB_dd3UmJzbLVDwY03IqMQE9-u1c-LlRNfM7RBynRlGQvaAGEB-pF_ezRjly0 PID/(Q)EAA Issuance - Detailed flow 
@@ -957,7 +957,7 @@ Credential Response Credential Response to the Wallet Instance MUST be sent using `application/json` media type. If the Credential Request is successfully validated, and the Credential is immediately available, the PID/(Q)EAA Provider MUST return HTTP response with a *200 (OK)* status code. If the Credential is not available and the deferred flow is supported by the PID/(Q)EAA Provider, an HTTP status code *202* MUST be returned. -The Credential Reaponse contains the following parameters: +The Credential Response contains the following parameters: .. _table_credential_response_claim: .. list-table:: diff --git a/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg b/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg index d78cbd3e7..90dd9849b 100644 --- a/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg +++ b/images/Low-Level-Flow-ITWallet-PID-QEAA-Issuance.svg 
@@ -1 +1 @@ -User's smartphoneUserUserBrowserBrowserWallet InstanceWallet InstancePID/(Q)EAA ProviderPID/(Q)EAA Provider1obtain your Digital Credential2yesObtain the list of the Trusted PID/(Q)EAA Providers3confirm the selection of PID/(Q)EAA Provider4okCheck PID/(Q)EAA Provider is part of the Federation and obtain its metadata5create PKCE code verifier and WIA-PoP6PAR Request (response_type,client_id,code_challenge,code_challenge_method,request,client_assertion_type,client_assertion=WIA~WIA-PoP)Check Wallet Provider is part of the FederationCheck signature of the Wallet Attestation and its validity7PAR Response (request_uri, expires_in)8Authorization Request (client_id, request_uri)9Authorization Request (client_id, request_uri)alt[Credential == PID]user authentication with national eIDAS notified Schemes and consent[Credential == (Q)EAA)]user authentication with PID and consent10Authorization Response (code, state, iss)11Authorization Response (code, state, iss)12generate DPoP key13generate DPoP proof and WIA-PoP for PID/(Q)EAA Provider token endpoint14Token Request with DPoP proof (client_id,grant_type,code,code_verifier,client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation,client_assertion=WIA~WIA-PoP,redirect_uri)15Token Response (access_token, token_type, expires_in, c_nonce, c_nonce_expires_in)16create proof of possession (c_nonce)17create DPoP proof for PID/(Q)EAA Provider credential endpoint18Credential Request with DPoP access_token and DPoP proof (credential_definition, format, proof)alt[Credential is available]19Credential Response (format, credential, c_nonce, c_nonce_expires_in, notification_id)20PID/(Q)EAA validity and status check21store credential22Notification Request HTTP POST /notification (notification_id, event)Register all the credential-relatedinformation for verification/revocation23Notification Response HTTP 204 No Content[Credential is NOT available]24Credential Response (lead_time, c_nonce, 
c_nonce_expires_in)The Wallet Instance, after an amount of time specified by lead_time and when triggered by the User, starts the flow again \ No newline at end of file +User's smartphoneUserUserBrowserBrowserWallet InstanceWallet InstancePID/(Q)EAA ProviderPID/(Q)EAA Provider1obtain your Digital Credential2yesObtain the list of the Trusted PID/(Q)EAA Providers3confirm the selection of PID/(Q)EAA Provider4okCheck PID/(Q)EAA Provider is part of the Federation and obtain its metadata5create PKCE code verifier and WIA-PoP6PAR Request (response_type,client_id,code_challenge,code_challenge_method,request)with OAuth-Client-Attestation and OAuth-Client-Attestation-PoP in the HeaderCheck Wallet Provider is part of the FederationCheck signature of the Wallet Attestation and its validity7PAR Response (request_uri, expires_in)8Authorization Request (client_id, request_uri)9Authorization Request (client_id, request_uri)alt[Credential == PID]user authentication with national eIDAS notified Schemes and consent[Credential == (Q)EAA)]user authentication with PID and consent10Authorization Response (code, state, iss)11Authorization Response (code, state, iss)12generate DPoP key13generate DPoP proof and WIA-PoP for PID/(Q)EAA Provider token endpoint14Token Request with DPoP proof (client_id,grant_type,code,code_verifier,redirect_uri)with OAuth-Client-Attestation and OAuth-Client-Attestation-PoP in the Header15Token Response (access_token, token_type, expires_in, c_nonce, c_nonce_expires_in)16create proof of possession (c_nonce)17create DPoP proof for PID/(Q)EAA Provider credential endpoint18Credential Request with DPoP access_token and DPoP proof (credential_definition, format, proof)alt[Credential is available]19Credential Response (format, credential, c_nonce, c_nonce_expires_in, notification_id)20PID/(Q)EAA validity and status check21store credential22Notification Request HTTP POST /notification (notification_id, event)with DPoP Access TokenRegister all the 
credential-relatedinformation for verification/revocation23Notification Response HTTP 204 No Content[Credential is NOT available]24Credential Response (lead_time, c_nonce, c_nonce_expires_in)The Wallet Instance, after an amount of time specified by lead_time and when triggered by the User, starts the flow again \ No newline at end of file From 5e3715b87225c180581d25eba3566438f51661fb Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:04:26 +0200 Subject: [PATCH 08/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index 70f3f6668..c18d3a934 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
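Review bot: in the updated SVG, step 22 now reads "Notification Request ... with DPoP Access Token" but, unlike steps 17 and 18 for the Credential Endpoint, shows no DPoP proof being created for the notification endpoint; a DPoP-bound token is only usable together with a DPoP proof for that request (RFC 9449), so add a "create DPoP proof for notification endpoint" step or extend step 22. Steps 6 and 14 also change how the Wallet Attestation is sent, from the `client_assertion_type`/`client_assertion` parameters to the `OAuth-Client-Attestation` and `OAuth-Client-Attestation-PoP` headers, but this patch touches only the figure URL and a typo in docs/en/pid-eaa-issuance.rst, so the PAR Request and Token Request descriptions and their examples may now disagree with the diagram; update them in the same change.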
@@ -4,7 +4,7 @@ Authentic Sources +++++++++++++++++++ -Authentic Sources are responsible for the authenticity of the User's attributes provided as Digital Credentials by the PID/(Q)EAA Provider. During the Issuance Flow, PID/(Q)EAA Providers, after authenticating the User, request from Authentic Sources the attributes required to provide the credential requested by the User. If PID/(Q)EAA Providers and Authentic Sources are both allowed to use PDND, the communication between them MUST be done in compliance with [`MODI`_] and [`PDND`_] according to the following rules. In particular, +Authentic Sources are responsible for the authenticity of the User's attributes provided as Digital Credentials by the PID/(Q)EAA Provider. During the Issuance Flow, PID/(Q)EAA Providers, after authenticating the User, request from Authentic Sources the attributes required to provide the requested Credential. If PID/(Q)EAA Providers and Authentic Sources are both allowed to use PDND, the communication between them is accomplished in compliance with [`MODI`_] and [`PDND`_] and according to the rules defined within this specification. In particular, - The Authentic Source MUST provide an e-service registered within the PDND catalogue which the PID/(Q)EAA Provider, as the recipient, MUST use to request the User's attributes. - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. From 7a42ab62f586b2fbb82067a71d173e48ae44a33b Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:04:42 +0200 Subject: [PATCH 09/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index c18d3a934..baefb6a96 100644 
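Review bot: the rewritten sentence replaces "MUST be done in compliance with [MODI] and [PDND]" with "is accomplished in compliance with", which drops the RFC 2119 keyword from the one sentence that governs the whole Authentic Source exchange, while every bullet below it still says MUST; keep the normative form, for example "the communication between them MUST comply with [MODI] and [PDND] and with the rules defined in this specification".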
--- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst @@ -10,7 +10,7 @@ Authentic Sources are responsible for the authenticity of the User's attributes - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that - - the request for User attributes is related to a request by a User and regarding data of which he/she is the holder. + - the request for Users attributes is related to data about themselves. - the request for User attributes comes from a valid and authentic Wallet Instance. - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to send the PID/(Q)EAA Provider both notifications on the availability of the User's attributes as well as those relating to the attributes validity status. From 84b7406e884a7ca093a7481eb09d66fe3d2acc46 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:08:22 +0200 Subject: [PATCH 10/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index baefb6a96..619185478 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
@@ -11,7 +11,7 @@ Authentic Sources are responsible for the authenticity of the User's attributes - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that - the request for Users attributes is related to data about themselves. - - the request for User attributes comes from a valid and authentic Wallet Instance. + - the request for User attributes comes from a valid Wallet Instance. - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to send the PID/(Q)EAA Provider both notifications on the availability of the User's attributes as well as those relating to the attributes validity status. - The protocol flow MUST ensure integrity, authenticity, and non-repudiation of the exchanged data between the Authentic Source and the PID/(Q)EAA Provider. From f22864da2d4177735c831f5cbe5b659c61f7175a Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:08:35 +0200 Subject: [PATCH 11/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index 619185478..f322bc2f8 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
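Review bot: dropping "and authentic" leaves "a valid Wallet Instance" without any statement of what evidence establishes validity; the issuance flow in this series verifies the Wallet Attestation signature and checks that the Wallet Provider is part of the Federation, so say that the evidence is a verified Wallet Attestation from a Federation-trusted Wallet Provider rather than the bare word "valid", otherwise the Authentic Source has nothing concrete to require.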
@@ -13,7 +13,7 @@ Authentic Sources are responsible for the authenticity of the User's attributes - the request for Users attributes is related to data about themselves. - the request for User attributes comes from a valid Wallet Instance. - - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to send the PID/(Q)EAA Provider both notifications on the availability of the User's attributes as well as those relating to the attributes validity status. + - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to notify to the PID/(Q)EAA Provider the notifications on the availability of the User's attributes as well as those relating to the attributes updates. - The protocol flow MUST ensure integrity, authenticity, and non-repudiation of the exchanged data between the Authentic Source and the PID/(Q)EAA Provider. - The e-services MUST be implemented in REST. SOAP protocol MUST NOT be used. From d36d7fd162e0952c087076a675e8d79002ff1c91 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:10:27 +0200 Subject: [PATCH 12/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index f322bc2f8..7aa856379 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
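Review bot: the new wording narrows what the Authentic Source must send: the first sentence still defines the e-service as covering "validity status (revocation or updates)", but the second now requires only notifications on availability and on "attributes updates", so revocation notifications are no longer explicitly required; restore "validity status (revocation or updates)" in the second sentence. Also "use this e-service to notify to the PID/(Q)EAA Provider the notifications" is redundant; "use this e-service to notify the PID/(Q)EAA Provider of" reads better.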
@@ -24,7 +24,7 @@ Security Patterns The following security patterns and profiles are applicable: - - **[REST_JWS_2021_POP]** JWS POP Voucher Issuing Profile (*Annex 3 - Standards and technical details used for Voucher Authorization* [`PDND`_]): REQUIRED. It adds a proof of possession on the Voucher. The client using the Voucher to access an e-service MUST give proof of possession of the private key whose public is attested on the Voucher. + - **[REST_JWS_2021_POP]** JWS POP Voucher Issuing Profile (*Annex 3 - Standards and technical details used for Voucher Authorization* [`PDND`_]): REQUIRED. It adds a proof of possession on the Voucher. The client using the Voucher to access an e-service MUST demonstrate the proof of possession of the private key whose public is attested on the Voucher. - **[ID_AUTH_REST_02]** Client Authentication with X.509 certificate with uniqueness of the token/message (*Annex 2 - Security Pattern *[`MODI`_]): REQUIRED. It guarantees trust between the Authentic Source and the PID/(Q)EAA Provider and provides a mitigation against replay attacks. From 94c5a83aef634351850d932824f6f35c82560115 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:10:39 +0200 Subject: [PATCH 13/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index 7aa856379..3851734d3 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
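Review bot: "the private key whose public is attested on the Voucher" is missing a noun; write "whose public key is attested in the Voucher". The change from "give proof" to "demonstrate the proof" is fine.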
@@ -30,7 +30,7 @@ The following security patterns and profiles are applicable: - **[INTEGRITY_REST_01]** REST message payload integrity (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It adds message payload integrity of the HTTP POST request. - - **[AUDIT_REST_02]** submission of audit data within the request (*Annex 2 - Security Pattern* [`MODI`_]): OPTIONAL. The Authentic Source MAY request an evidence about the User Authentication related to the User's attributes requested by the PID/(Q)EAA Provider and/or a proof that the Wallet Instance is valid and authentic. In this case this pattern MUST be used. + - **[AUDIT_REST_02]** submission of audit data within the request (*Annex 2 - Security Pattern* [`MODI`_]): OPTIONAL. The Authentic Source MAY request an evidence about the User Authentication related to the User's attributes requested by the PID/(Q)EAA Provider and/or a proof that the Wallet Instance is valid. In this case this pattern MUST be used. - **[PROFILE_NON_REPUDIATION_01]** Profile for non-repudiation of transmission (*Annex 3 - Interoperability Profile* [`MODI`_]): REQUIRED. This profile uses the following security patterns: From 6423f40de9a11768aeb4cc79be7d84c336b5db83 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:11:23 +0200 Subject: [PATCH 14/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index e35aa829f..8affac4ac 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -90,7 +90,7 @@ The PID/(Q)EAA Provider MUST use *OAuth 2.0 Authorization Server* based on :rfc: * **Wallet Initiated Flow**: The request from the Wallet Instance is sent to the PID/(Q)EAA Provider without any input from the latter. * **Same-device Issuance flow**: The User receives the Credential on the same device that initiated the flow. * **Immediate Issuance flow**: The PID/(Q)EAA Provider issues the Credential directly in response to the Credential Request. - * **Deferred Issuance flow**: The PID/(Q)EAA Provider requires time to issue the requested Digital Credential and needs the Wallet to come back to retrieve it. + * **Deferred Issuance flow**: The PID/(Q)EAA Provider may require time to issue the requested Digital Credential, due to the Authentic Sources data provisioning rules, and allows the Wallet to retrieve the requested Credential in the future. .. _fig_Low-Level-Flow-ITWallet-PID-QEAA-Issuance: From 91e812ab03a0454e8dc18f472b21b9e6455c2a69 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:11:33 +0200 Subject: [PATCH 15/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 8affac4ac..fe0f9feba 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -347,7 +347,7 @@ If the checks defined above are successful the Wallet Instance proceeds with the .. note:: - If the issuance of the requested credential cannot be issued immediately and it requires more time to be issued, then the PID/(Q)EAA Provider MAY support the *Deferred Flow* (step 24) as specified in Section :ref:`Deferred Flow`. + If the issuance of the requested Credential cannot be issued immediately and it requires more time to be issued, then the PID/(Q)EAA Provider MAY support the *Deferred Flow* (step 24) as specified in Section :ref:`Deferred Flow`. **Steps 22 (Notification Request)**: According to Section 10.1 of [`OpenID4VCI`_], the Wallet sends an HTTP POST request to the Notification Endpoint using the *application/json* media type as in the following non-normative example. From 0283b67b309f5823a7dd6e6ce81e8155d0d05613 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:11:42 +0200 Subject: [PATCH 16/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index fe0f9feba..968d4b5e2 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
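Review bot: "If the issuance of the requested Credential cannot be issued immediately" still says an issuance is issued; write "If the requested Credential cannot be issued immediately and requires more time". The capitalisation fix is fine.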
@@ -974,7 +974,7 @@ The Credential Response contains the following parameters: - CONDITIONAL. REQUIRED if ``credential`` is not present. The amount of time (in seconds) required before making a new Credential Request. - This Specification * - **c_nonce** - - REQUIRED. JSON string containing a ``nonce`` value to be used to create a *proof of possession* of the key material when requesting a further Credential or for the renewal of a credential. + - REQUIRED. JSON string containing a ``nonce`` value to be used to create a *proof of possession* of the key material when requesting a further Credential or for the renewal of a Credential. - Section 7.3 of [`OpenID4VCI`_]. * - **c_nonce_expires_in** - REQUIRED. JSON integer corresponding to the ``c_nonce`` lifetime in seconds. From 33b3c65b1fac63a649ef08effd7b5fc68179617d Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:12:01 +0200 Subject: [PATCH 17/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 968d4b5e2..2e87fa6b3 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -980,7 +980,7 @@ The Credential Response contains the following parameters: - REQUIRED. JSON integer corresponding to the ``c_nonce`` lifetime in seconds. - Section 7.3 of [`OpenID4VCI`_]. * - **notification_id** - - OPTIONAL. String identifying an issued Credential that the Wallet includes in the Notification Request as defined in Section :ref:`Notification Request`. It MUST NOT be present if credential parameter is not present + - OPTIONAL. String identifying an issued Credential that the Wallet includes in the Notification Request as defined in Section :ref:`Notification Request`. It MUST NOT be present if the ``credential`` parameter is not present - Section 7.3 of [`OpenID4VCI`_]. From a7407c0e13608e6c5d4bebf7ccd67a7d27ad27a9 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:12:11 +0200 Subject: [PATCH 18/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 2e87fa6b3..0c7022167 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
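Review bot: `notification_id` is marked OPTIONAL, yet the flow in this series (step 22, Notification Request) relies on the Wallet having one whenever a Credential is returned; either make it REQUIRED when `credential` is present, or state that the Wallet sends no Notification Request when it is absent. The sentence also lacks a final period.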
@@ -1001,7 +1001,7 @@ If the Credential Request is invalid, the PID/(Q)EAA Provider MUST return an err Notification endpoint --------------------- -The Notification Endpoint is used by the Wallet to notify the PID/(Q)EAA Provider of certain events for issued Credentials, such as if the Credential was successfully stored in the Wallet Instance or in case of unsuccessful Credential issuance caused by a user action. +The Notification Endpoint is used by the Wallet to notify the PID/(Q)EAA Provider of certain events for issued Credentials, such as if the Credential was successfully stored in the Wallet Instance or in case of unsuccessful Credential issuance caused by a User action. This endpoint MUST be a protected endpoint and a valid DPoP Access Token MUST be used. TLS is REQUIRED according to Section 10 of [`OpenID4VCI`_]. From 8d60e12c8de0b5f0fea35e54b8484d1182bc36e7 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:12:38 +0200 Subject: [PATCH 19/21] Update docs/en/pid-eaa-issuance.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-issuance.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 0c7022167..9504a064f 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -1003,7 +1003,7 @@ Notification endpoint The Notification Endpoint is used by the Wallet to notify the PID/(Q)EAA Provider of certain events for issued Credentials, such as if the Credential was successfully stored in the Wallet Instance or in case of unsuccessful Credential issuance caused by a User action. -This endpoint MUST be a protected endpoint and a valid DPoP Access Token MUST be used. TLS is REQUIRED according to Section 10 of [`OpenID4VCI`_]. +This endpoint MUST be protected using a DPoP Access Token. TLS for the confidentiality of the HTTP transport is REQUIRED according to Section 10 of [`OpenID4VCI`_]. Notification Request From bfdb38c474cc3c24c93d863e0a610a6292241657 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:47:39 +0200 Subject: [PATCH 20/21] Update docs/en/authentic-sources.rst Co-authored-by: Giuseppe De Marco --- docs/en/authentic-sources.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index 3851734d3..0e8e14aea 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
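Review bot: "protected using a DPoP Access Token" is incomplete: a DPoP-bound token is accepted only together with a DPoP proof whose `htm`/`htu` match the notification request (RFC 9449, and the same thing this document's flow already does for the Credential Endpoint), so write "a DPoP-bound Access Token together with a DPoP proof for the Notification Endpoint". Also TLS gives the request integrity and server authentication, not only confidentiality; the original "TLS is REQUIRED" without the qualifier is both shorter and more accurate.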
@@ -8,9 +8,9 @@ Authentic Sources are responsible for the authenticity of the User's attributes - The Authentic Source MUST provide an e-service registered within the PDND catalogue which the PID/(Q)EAA Provider, as the recipient, MUST use to request the User's attributes. - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. - - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that + - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that: - - the request for Users attributes is related to data about themselves. + - the request for Users attributes is related to data about themselves; - the request for User attributes comes from a valid Wallet Instance. - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to notify to the PID/(Q)EAA Provider the notifications on the availability of the User's attributes as well as those relating to the attributes updates. From 1d409283879c041adb0d564e4f4b9f530a1d57a6 Mon Sep 17 00:00:00 2001 From: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:51:14 +0200 Subject: [PATCH 21/21] Update docs/en/authentic-sources.rst --- docs/en/authentic-sources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst index 0e8e14aea..398fde02b 100644 --- a/docs/en/authentic-sources.rst +++ b/docs/en/authentic-sources.rst 
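Review bot: the first sub-bullet still reads "the request for Users attributes is related to data about themselves", which mixes the plural "Users" with a singular subject; write "the request for the User's attributes concerns data about that User". The colon and semicolon changes are fine.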
@@ -26,7 +26,7 @@ The following security patterns and profiles are applicable: - **[REST_JWS_2021_POP]** JWS POP Voucher Issuing Profile (*Annex 3 - Standards and technical details used for Voucher Authorization* [`PDND`_]): REQUIRED. It adds a proof of possession on the Voucher. The client using the Voucher to access an e-service MUST demonstrate the proof of possession of the private key whose public is attested on the Voucher. - - **[ID_AUTH_REST_02]** Client Authentication with X.509 certificate with uniqueness of the token/message (*Annex 2 - Security Pattern *[`MODI`_]): REQUIRED. It guarantees trust between the Authentic Source and the PID/(Q)EAA Provider and provides a mitigation against replay attacks. + - **[ID_AUTH_REST_02]** Client Authentication with X.509 certificate with uniqueness of the token/message (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It guarantees trust between the Authentic Source and the PID/(Q)EAA Provider and provides a mitigation against replay attacks. - **[INTEGRITY_REST_01]** REST message payload integrity (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It adds message payload integrity of the HTTP POST request.