From 0a5974ed3296068a7d6414920af33a3fc04a20f4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 16:55:13 +0000 Subject: [PATCH] Deploy to GitHub pages --- .../en/.doctrees/environment.pickle | Bin 77728 -> 77728 bytes .../.doctrees/relying-party-solution.doctree | Bin 163250 -> 163022 bytes .../_images/cross_device_auth_seq_diagram.svg | 2 +- .../en/_images/verifier_qr_code.svg | 47 ++++- .../_sources/relying-party-solution.rst.txt | 186 ++++++++--------- .../en/relying-party-solution.html | 189 ++++++++---------- versione-corrente/en/searchindex.js | 2 +- .../it/.doctrees/environment.pickle | Bin 57397 -> 57397 bytes 8 files changed, 213 insertions(+), 213 deletions(-) 
diff --git a/versione-corrente/en/.doctrees/environment.pickle b/versione-corrente/en/.doctrees/environment.pickle index 98388a269dff191c2899e34c886f41c6578491b7..5ad9aaad3273ddc0985937ec53f9afe5bf0daeb0 100644 GIT binary patch delta 3861 zcma)9e^k^}7Uu$nU@BrtY9Kh{Aj+U9;IEK@Qpiz3^GCX?HZT+M6&RfvV#`u9*PNUb z_d?&cwxVp+6!FK?9Zh$!wbaypxp~x3Aym*@kD8vfTu;0AzNh1vb2@wW55D*F`Mmdi z@7;Uf_s*rRIlQhpd~0tbZl4vG=8LkGl{j6co@dM5HNL1~XNAXAT2$$A)c88v9nX|j zIP7MR!^MLgJg!Q&2h)r_^l}qCoal?0UuriyY&Nsq=CPT}opwhVEivEisI)sPo-cRf zYGa?=u2r_OGKa_Pc9vCoN}UxozUX_emAc)Pwu)lfD%$NXHJ8%XPJ3msnic8x*edKc zm)$M8_YV(Sd^$8FBroSw`t?!kAIQ=!1lWd^ZQ7Xt`{*5yb~eE3JG!;=0k*kjm)06! zJ7RZg?E&`b&%3pA0e0ZrI_>)a`zm3L)-okPkKJ6VT@0{qvyN$(0_^zkGOanlPA@v5 zH3e8}MuFBAU>9a5;l%-?BiOCgH3P72NGhfcoDf+pT?DP}$t?o4|$f2_$rg!F@$J=~5FBZ{#h!-0E-6{9vHm)_kx;ybv238VYr#*t6sfkzE! z9yJ$FjWOVsQS)&!+3@M3@Ws&<>^s_k&7+GkYLo%<<|X3tM=kj3NCO^T@d$RvvS2Q~ z+k!^)Wm$MfTJdUD5$>h8JYyXAWVQkCjG2M+ECzf+B;$M8795*pz^#XqagfD=K3a8^ zr9$3l%@-CDB2%vYnGvU2+s=qntTi&?)M`f=aZ0sQj5w8A8zat_c7qY;Nec<52WLm? 
z%!sq1^=8D`(2^K&7PRzm13fwTS`LdGZfz2wN?*9gS?sQPsb+w7TD+Sx5HNeK5&xNc z0Qa19Qs@#e=ka`8a-ka*uI(;1KmG_1iNPhWnFNf>R^;~e1mVidQlx5qylBoZROHr% zG~pUQNs$#B2Md@mPLZzlNn**w34p&@k%@(6BPct4ab`h2rh1L|S-}A`Y>Pw7jwzI_ zAvkbyK3>~q6mLw<0Rr9dKh6%~%9K<|M9S1sz@?j=l+dL(r@<&TPVWi$?v@yFY=&I| z%%9l;=SA|YkHWBanv=3^K>M70+&4qH_4S-?KqLkaUyc<~Pn#qWxwgd${G-UNz*F`G z3N$$uDKM|(M+KavbcmyqGBH|=q+3*q?-v-wxAWov+QpA$FSGGfyujwFb0wRF3l_1t z?b^g*UluQJy`0H|sjs}mrheHPHe;5@h2r+doOG-0XvtH4Pw`SZEqO6w$!iV+-J=Z>#8Y*ta1wb|AA6?QghM=QifaS8O8jXcp%VCyjT0Y z0?GOs1&+MAQh}1U9#>%R+Y~*X-1yE53XFemg#zd5$o&@lVp4{T=+&%#cJOih0Dr!oClJ3mhnTyfRE_pJpa{=&neKQ-UE1S zwv#^K{@Al2ABWgfK$bSp(nD-9V(S)4`FGpZ)x0w%7B_6m$GW3(7CyB70DgDXNuT=y zY`A6=XGL$ovo~Wz)K0nt1mx$j=`U8LcHC8^z?$83Yj|Gbo`niD?47AVufMHU;N!+x z1#F)zl>keAh!qd+Kcdu2pN>&rHO4?oQl(^zQDX zzbsL2?D*<61q#1;KUAJ4?AzCs^1*SnsmMI>d%y+glx6J6Q~9{6Rz;}s6h&xNt#Yw@ z6IB2vTmhDy9xI7xIz#CtRirh$6xi8vLxGQ5=PEGh{4@z_3!t~Czc5OvKehd$K*viH z6)5?EyyLYFU%sip*H@xKab+PDhi$zu`r5nLXR12cv1|0z_n8_aZeK4_pyI}S1+Lws z<#?#zUvvW)oVZ09U||2bLV@$Q>5Qb{wVRRR$2;T;4?pn>ZA)Nh0nmYY_@}l${%-&d zOXlAk23v?G9plg4kb!SYr_TB#7<5$41EQKf6aI zI~c@14`N5|F~6}h+yOZ4PwWZ}p>f<3&aRQ6B*UR3!@iMe)tlp?FwCK~`?F)9D5@j> zY?A&x>%H~PaS-MI;t^V{C;xWR00))~|7wzH=4pTG$Um3F+VofY!h~tux_M;+y>e5p z+|w(!^vdLUW$wH(bzYe{uS}d*F7K7Adu7(VGHG6|&2LPAL*$cwB@y!Af}YV2a^Q?! 
z)eo}atnTjzPeH35ZGcJ8uFo~VTr!OY_#>H_MyMlm+Xz);T>atM2e?b{nQ-#*Bt60e zS#VAtYl56`zCwDL33};kO)v~v^b;nq!bRPXL|b0c=OsZZH0y6A!4zoHuOz{5p-mq@ z0A3u+9&5gbLqe9 ztAs`tWY@G$3Hw=)&C{n!ILLzRp$;kG2n({6I;w=PSdb0X*AIv2D+ZF2P5QclFpCTf zf^ihY{6Uaj%t53}^gnN_n!-NN%zIZ=v0uNRYAkR+n+L&2eN_sW2FoK$S7jS1qagi~ z4WEpX>?-*<)xJ3VCM7o1qhYuir9*iLPgS zDkM^5Evb+ZIsNYJCVf#VJeHc$i!zbSk2rqx=0^fQ2J^$fkD>f9@gqaOnhM+g3&^XJ ACjbBd delta 3889 zcma)9dvudk67RId(jriz@~E`5B((IALTd{xSejO#gbC@dlp z%tCaEpNqR%1yOm!m5nU2;878wD!RU~KnenaEQcZ-QP$(`%)Js%cK7VrfA0PLe)l~y z-(=DrjBXD`Z%Z)YBc?%<;$4n;&N`c?-q~z!tap3dZN9h`x1-hWY<{qbNUYmqYqr~5 zcEWw<+Zr1k9<$ro*vboNs;%(>r>ovGr^$^cOt)nAsBgAA7PR^L)Y|GAT3gI6huhjZg;)8zS-k)+FR@7THHP(snFNk?wDQQ?68|X4i_I6SLdWj^|h@YT4ZRcx0@X{ zo7ryj*vw5%yQ8tq*Tds#b$i53!=j@Wbwx%*l$9LGdpwx_P@eX6h-G}YK>H@dGXHr* zI}>8rQ`cxGLu|yJ1=`sV%m3^}?L>%;pLM7=G5Ow&B>7Re?DfS+Rckv~Y!= z7q0LV!xesJxWZ2jSNOTCn9YT_-)zLLj7)qz%M7D&ggI4rn8ASavWn;mY>DutYzYQN#OQm*;KH#MtR82?;Mh8xP-Mii zh7??Oy9MLM81dlp!Puk7g27@kCYsP!WPziYJa#BvEULvJw1a1y1AR2}r*YHp2<PH?+KHBem=Vt%OB3xmH1_)feq? 
z*16jrX&bI}iRVi)0E^d}@b9Jj@i)tzWV&Q58DEasUX$27elTG3iUI)>iy0X3+NEUS zDl1ZC{wql$SYD;b)mL+bYjTAm%QuV=FlC}5eK)0v#dl5t{8Af*RgDGYl_5C2vK+TH znDE`o{rJ_zM6|qKLtYw*8P(;urQ0N)sV)ILe#P)~OSHI9lP$3@-#rKLllz?H$0az@ z)(@-J-Xu2M(;tW!#3$425@7lCE;uRDXS^1LOEx>n(MGh-EXSE!Oycm&et^$!HQ>SX z14P{Ysgj6N+ad-2R_j*aUi(}HIvtNH(D1-_3OMWQ0q3HV0;e8Vu2z@$v>_3Q7(`T4 zivo`~(=<|cv^=B)-`pkzdb!sq5b*Sll#4!}H%Tcu3tST5=kwylyAPgJ>aK?i6^MSM zR)GbN+7vjy=z;{eXK8P7^>?F`TKrg}0(+J&R-kg(jgi<Z#^af&i;0wxbf{nNN_lpd&2;N|z#ruy_4 z7%6HGjZ^aWj$ck6^C5jVyi|Pjqym*6zZ5Bz$WK=)<;Bm`p(6i_Wq>>GaLROc*O79x zlqt*XJwleTlo@dGid1n^C*8(UmMfMXogh`wd2GA_IYA0ynkRO4T~^>PCub>;d1|Tz zt1BTvY&tzgsXv_gS%IGC?o{A`Z>tqJc>an4hcCoM;#WJIlvopSc6T|pcc@!^(oLU# zdxt?>yF?!cgXYWh2{P!uLfiR2yIE9!PtIoLi>nVSVE?gMfm7G$jx>bbS7OC?Khaxw z-lU)DSOPmMfiBF$Kb*NW@G-za$pV|Bpid<0fe(6s+A=UB2L7SuQo;+YjD=c|zW`Q{ z>E9Y7b3ZXo{MIO$^{L~OZ|y1bz11L-JG>CRr@hm+6T2u+LlN5-#-8{`kKJlwDC3}b;XwkwS7 z4r6=5*xoSqRv3HxIxCRJzk8iZ_Ffo!Ka3r^&H|?1@Do5+Af+#CiA>}=@xC@`O6u5@ z)bZP>JF5qipeo9tod^^gpf;{2|8$bx$$Em`I}zdn9}K45`t$E64X|OU<6lnd&hfNA z_T-;TVnO|}Auwesmvdg}K(9R1E6?=GBfZjjUgU%8qxu)AV1-kurVZTQo>d#=uf7@5PI^)bQne5 z$#h6tB=>n;%?j`=St`AugxxI2is?-y>}5d~PWzPbHVd+TdPfQGu^`K+14=l=f~=-G zl<*M?vZgvbFhXCRL61DGug`!P)IlapBqNq*LS7vkkz(k72CJIFZ=jjiBUQ2g9-e9} z6rRCMD1;<^RTc~zAuC8}4n9&nN?udCMmkKEmi!jKFA*U-DVqE{Sgub0zgO$WvcMFZ zN3|#w@7f7H&J4HpEx1nQ-Whtl83yrxk6R3dVI$@#&iQCD57J*YLt+ej#_vnPhqH(3 z=grUyI`yk&NTrxe%7zp&rzIQmW2gVJ!)g7|Y`7yke-J$`mm4EDiQFV}lf}&lZqm6) M;3ieSm<`+i1=72tlK=n! 
diff --git a/versione-corrente/en/.doctrees/relying-party-solution.doctree b/versione-corrente/en/.doctrees/relying-party-solution.doctree index d9a6e207c6530885f822be61b8d18c4ac3188f1c..fff15829a7f0bb78daad709e480bbfaff9e95818 100644 GIT binary patch delta 29925 zcmeHwcYIXE`ZqJAZ6LiTB-s>NAdp@Ffi%*4Aqhg*B%5S6Ws~e~nk85PMFj^OyX4wM z1w@V4j{SOV*bziguU!z^1gd{AI|S^cBX?4L2ayWDlol(>msKOz)U$ zd>CxgF~2y}+N?IyS%ng2bBn%5*KZ(WNBq5e`%MD|Xcq68+Nu(A&vgaC+{OUz4|B}0 z8!duiB2TXHbe;t!^dMV{f&w<@>U;G)t%ja(*;?^#g_$eO%l^hLv1iQs=Y+%uIZ8{K&%vi%>4`#?8orTf8e*%VfDTY~r(=Sf{yY zLG~F=B&s=@Y{+!QOPt8#Sz6!jxVW5tliBQ`XKUG+zFkv2Dj@61T}WV#Cs|pT0ON%r zXp<3~DG+QeD}^*?;+>C1Vw$Xs~q9$_nI9+AI729C;_%TBSjk%Z7H2k+qJVnXT_K4Qh2-v%b%&2L#$y zgRZ?_*Uj8fXVIFi-QD1*BN7rr4~#VC7N#Dvwpni()a!e+x~?wnyM~?tQ`Z2D%wAo; z#h^DYlAU;JC1w8&Ew-+{-qyg`yn(M(&Ba~LMdbalA{Bg59Dp_Jy*^5Mjmu7*l|WnNBMdE4sN;_lj2$@)Y?!bm|*MaxJ> z@o05jUQ>OA*;JgL9G@^`87OHmmsvZK@=PtQ4aLRD#g>Hp%2j1)hMelO+6>F;#+>v# zV@+XFVSDk=Ktjr}KD#w5tspV%B^>h6Nk#-@hO)yX9}*0j`wl;+m5)m5#9Nu>?l#*F&T z1XF!Oab+#&>>f%q4d%5B)uonX4|SzvWH(sLQ~Of-SEVHu_T?p4CG=P44HowFmS)w( z_v+GX+WSUYYSViS3EgRVjl<1VnHhD7-Ny34q%>n)YHoU0%1~R^>w|aC2g$Lsh2 z+w*dBv$_)usm<-?=AyLLNv}a)QQn)>T-Vv3mfPQ-HBeq^9!+m3 z>rTluRrZu8#up@(wAEDV2a1zNEJ=NafrR#|_=HYter--(Nn3rkuDCkBtvuUYy{e|r zlwDF)F;Ll8mzG(To79+IXELoSFVfZ3wj_@X=dCg%qz^Z(vesEUOm+3G)*O9OZ-vnW zZrPlaU79|aUeuOWQ*G|6${o$fif^i`>#8+cz@X;JgrY7(R!w46TW4->U1oNA_E5H| zqN8c3W+*M*WNvD!%WTiFR1Y;+Q_}~svdW9Ht;VkQ?A3J@mbQk%`oZkg!>QSA`NItIcLZLeEI*U`NkDe`@PcW|O|Gq{&I&dHJH zhS|z&?U>zB3Ssgtap#0xJ`TuL6^wu|RhsbDjh1DU; zA)RRVAkvOD)xfH`Rd3N5x?r8urq%0OI<#hszL%|=9G0YdZEruUT1-~6w%5>NvBH{L z2meo?VmZDZl4!`kZJF{EdTRcAifqa9Gjg&#b0Kf2SiF)YjpuqDhWP>R9psA|zX_ z7#!_POm{@$Siz(PrbOoyP#6w>#b|7NB0KLz{z(qB_+cT~ zV`f}jA}kZNadAm;aZm^FpXJQ&$ZHUkXkQ@LbH%|mFz4}QBVMSrKdf;k+d2b6K#Gku z$^O*HSuqf0os;043ZN?)Xt}XvT%=K8+IPn~Jqp+ex6I8Qnk{bn?%oca*J`-!CpMS+qYze5499 zxPlqr!FCeW>W7~Y4S$65Lv=yb@JB?$f!)^d6nn!DoSv1WbOzy%g@HgAGf+A-rc2q;h|aA(rFtG{CW5!&uv~jjp({Xts?_e{id|p1E;fD 
zSZG{anlM(n_{b0+nZk7B=FU(Q3ku?bv@Vmmik58c3=9Tdo59lU21`2~BRQkr%^Nxa zW!RYtPRA4s*lgM|?Tn3#5o=wT)m<{d6yYwc)*<_4D911SGJIxzEt)osm!kAqlDItp zEg^~Rsm^>YPJ)cH$=0rNpUNt2j;R%bnQpktq-$NIC7-wIf~xebhJJmEMO$KO(Xlds zc3yHq()=s8&q9M_cUvhMWk6;O%JzDG645aeL`zug%^4)m>xYaOovHMS+k zPJu#EI2?50Ri7nb2@AJ`99BY^iB2_=NYP+u$YX$?RXN!hNldWgdV-tz5f`FsO>kMt zoLgn)2NY(G*tgg86heo9gFC3pG9Z6fh2??MVp%>C8uFVGiz15s&awO=u$%$HPpYu| zsKOF%_C+|%mFQ9vT$TfEuq$&9*(g7r4v3Qr1XHq27Z`emtHLshz_`Mdms*#C3NXzI zP?5n^$R3yqd{7P*1D_nU-i6kX1WPKe=TvS|&`%}XEHS4DbKwzyLyB{WQlLwONXO!S zVjAf=JCyu-b}$}wrF)%GTt3(780XG{yXI!&R+!;!^=sBVMc~7UipaN32#YwiFmmGj zAYbk-sdjg{`H!*QbCJZFW@mjsurhnFQm#uDSae8bQLDnD;m-A&U`&&3UH;^Qb2Vh- zEI$~;0pzZs40866H~;&Cb3fBCpPmOO&zXcW8@*1x87jhunU_TSz6at#=j(E_e_bR= z`4+$K$_H0AJbqQxeb&=-pNA*dS&FrZ8LYdUSo9>*kT4K0x)J+=t>f4)8CWsXR zb3tGl7btt~G^Xqno=diG3B_yN$et~MXf1<>8{GI%$pcY!Ds0s%Y!`BDZW}YQU^9o+ z?{(UOnwko2HKg65e!aODO0s%wDGS-rB1Sj$n#`8y`L@~ACMoAXmSmfE zhi#@<1^5S4rl>xRDFOl^NlOreHc3v}lE526LfLIwk0vPs?+wgk`PWS99qjHT-oZrM zWhnyZ?*BlRA|1p@im*Ll&DueOqj|%-TY;*~)fm{_anr1D+_tzg-rqrtT9;f1e-bJ$Ylxcwyyqv zs%EBQo;_mog92#zA(bDH)A#||aD@{}Cg_5IkZBtGtdf*$kAj%=T@r`?Ek;TqX!u2C z+mlM$;*~Yz!^&Cl@=hA;g>vIqdt2Eamce3%BonG*rXHJ_1jnL3!eR4#*j>9s1c4&J z6Q*HNMGgWd|455dc#BsmTdbIEvU!V_Yj|uZ1`SKO26-CI05A>S!{yZxuJ(|AG36_M~<8e z!Dsb-3_j1Mjj$ zI}$a85MEOVQPdP36z(k^FPuUvr%_F44z1}zzQlc(7wu?5Uh=nKyb9PMnO_6! zIhD1dut0gG03J2^()v6Js02FsYe(U~_nwymn8-a=x8x?J>YO?i$v@ zfd_cp2D`+3u)%cLV;1|$w&469DoXw1ifj&iv9RS@X!->zTdwD}lmlqE_$CF=2Q_j4 z)kpz!pN8(8kNof^4c)&8`N^SlyXLAiJPVHKc)vcoNFIEXg&SB|^UZTPSjlxnu$QfR zXfqENSNeZ1&Sr#t!U#=ZgzXxVa`hAVX?7=q_+7Kie?Rzu{a}ku&}=ITB#~b@li#li z@zQJ8OA)il+HY7-La$9FCvGSwH(pzZBFQh;gwt={MKjUc#Ob;U{2>z@?Q?_)4K%*Z z{R>tl3xI0@S$VxXkQHAaA@MIKKV9z&e^+=5sPlm3JI3iuKD}WLdHROu(cAkjy>UMB znLYys4s2_Ub?hxhOfY%&rfB@OJ72Bn?U++{?!jR*$P4-+95aI#F2l&$u`TQ#RNulo zIHj1~Ac#E$y5u0Xkcg!Zwmia~U!RSzE(Ml5|%&cTB4S}K! 
zE}cR4w3XmmZU*;KWS49C1*ef_PuM_S5v{@PTwah(9#W)?K*A2>^xK*dP$v$d zK-lQlgU>@L&;qB{68B}15AV{P;_1qbGw>+0T7rv3NPA%4KCf$`5w_jU?HXRd4=9*S z1x1U&Vo%;b>(q|}?1zc2=i0nS96V&7{(%C7@8TVp+7Z(cYdiowxY?-aN8_7t=bTBp z^K6?PMpv-_+Ny7XHC!u?4`2wk+rZKhITmQMb!L59igrNPWrd_xWiqjuutZ+;{8@29 zQ^+Hi-M)y`Ai_5|G+Q|^2x)pK)?pZ2`p{g5JBoqvM;S8k3;&T_&lh(6HZN>n;qE+y z56>W5_k?JUFzV&X_5JhCNVT>X;Ji$sG^3khn)8eYNwX1soKjG3hTsd;vS(WjQ6Dn{UABalKyFFEjJA8C48 zgMo()@NGf~oaPH0V+;NiZJ7y5$~-ZMi(90vAvZlAPJVv+d?ypAXGi){eJ9e%&g`ic zV2?N!hK6j-am9Tz$+2fPv5%o=SE7sM``SJb&!d{VR<^Yw9056?C40u5U^_y0R}4QM zXq?H82a*e)+u(GY1dfC~pMZABLh&7-<@p}=0o=~)tm-Xl?#O)|FIW-&`%Ln|-&Ua4 zY>Y3@B*iZ_V)(fI#ccGE@_yjoA8>nF?us}5o`Qa0Pi0H9C%hSjV3L zVJNraLB<=+m$rTu565wQ3%UHQt@t9|Zs%Kp*FtW3dI8z+b|${sgFNzfCVA-DSYD^S z9Ufj~Gb|$H#7j|R@SS43+k-swPLkVRkj;l0j3oRJS2|Z3O6(Eu;2HK6>r%U;@8unL z2gtw2QNHuRc>JyhNr8{|I7XK{f$VKZvQG|PfRB3+!+X{Ega>*2y(E0ngO9yF1tPw26ybdM01792UlA3MT|g4zDSHt#_UNlg#Q1)Y3$ud7gN3Gj zH@x4EP`b<#eh+^#xzk)r)_tIL=+}!su%gND_t>La9*B=z>NxSb8+8LZc3QmGvVF?w zcef2GnR)anTw;>0@vLcke5);bOL7Pk3)DbEAv7XrD*aMmjiSU+ZUS z(=~V5gx&mQI=YVulcuh_Jc;X9*I@Wy$Q}pw+dTKZ`&B(cFWQhj$?vkYp_??HS-?5{ ziF+xK-;{wkia^mN3($_hpRk^|@5Crh_9DsOEkR2e1CQ)* z|;f2hXbuc$H9c`?IF#~MTlV%b!WMG0aO?o*T?_!4{d4>5Su zi=6#KBs$O5jB~vBivJa8z=)S}#Xl$@iOn%liMYv&S0cu2%r^+;SAqH3DVWFZj3Na; zMc^mA=m8%Tj`rJ_9}~>40rSJ0SuPd~dMPV}7XC~wWk`l{C}q&TM4TCV0uW2PB-1U! zz4j>ey-nwFq4NOf{8|P03uSA`4JV7-yu78Lc>H7v4)SJ^I6?}F?9qf_;^ob!yw^eW zOtSYU+wlvv6Dg{C0{a-cY#b1-ibw8|_ zZZvt*{TftGF8eKj;k)IxX!gP8@HYTsDr=D3Jzwzdk++pT6^4^*Ikayv&J25zHBD?) 
zPuF#|+kw6$8ubFmOLTq{BtNS()l*Y+U1Dr`@=nLV3FnAJOlCf>y3T zuG8y)5rT{u(c{f7Xg$Ikff$ym?*j3KQxnr7HUl+1%_#$t3qlCV}r@ zl2DqjK^b_zfcBWmF0HXlBJaJ4F0EE(>kJBon3=L?%PK!tsjR~P6xzO5X%oEwEW8(P z6uoc|+I^j>7j!<#;Pa^nMN)OG&Wlyo7RaTwYOhI4Yezg;X^p0Opgx@L%VsFN!k4>6 zx-a$fM9bM-7+EogLAgA&LBIUzNu$x1_ouRMt(-Jek0(wV(&N)i8uTSEs19G?OTY3$ zA^0NR4s;&%aX~!Wa{dU~a4!EUd)Zk6m2%#=*_WTKyH#+H*||Rk?i;7zmM4yQ~tjh~;CNzt$Tp>7jKvt}SU{qggo`2lFLOk-= zgRhteSl5};<1MLv#wyDrn(cn1bi-B-Q2%M_y z7kEAcJSL7u?yYZlZ^@I$m%_BRNkkWlGDBYkXmXtEuyotw+)G073w}J#eGampRkigg zZW<}h(Y7#j8~U8Fi1oo2K>v?Z(BBvZ=HE37g=&7EU>l!k6dI5|aXR>2vXh^`=tcO> zdvQ-R($E{CQ4)^!=Mf;n-`15rF{l*-VRrNSI zR{JZBWwjftK`5^E=f?U96jb>u9ito=ZIc3BrbX{zE6~E6@HNo(pMn+)m8jVQ?5fOz zf{ko*!WL*Q%WZZ_c7g8>cG)f9?Q*aS5DvzGUAFjhyL!V<74SRjUrGEU;=edR~JA99vaB$KEO&AX*g|AbK0V+eQVR9l$yo zMbQ)Cuy~ac06r*!nA8brBM#s#JPxpaKLsopvB{e939ydk!$AIUo_$Izm$0=+*xO6xwEQgh*9%cRJ{-Uc z37-V8Lc(JFbpWpbhu{@U?@L^Kbn>kM@3OdLX=NJ15~ zClR@#Qxi4d1x!!GpRM(uL(1fLE z(Bb~>rDzF1McCm}|KAgtgN@vtX^tfvu?IF)@ut*Iw3rnR=(=U7ACGWT%r0HzV2VGK z?LHOOH<*if4!LP&_w;dr=JCR)i8=Rxxl|_P4Eu7%tQ)BXM2`kHqxz#A#X%N)X_b-PWdRVBjay2dm3}HVP zB|DW#iE#YBdbAGV9U;uxuBC;H{7Mxn6GtUSx-P*iM>-DR-9|LeX`BH#PEj=es{rr- zlahw+Q|aEV)J@-8gT~z6f?ME-hv)@oqBQ(I0}?IoS+Zx`5k08383oyCJ=Oy4aZW2& zdTq4I4UxA(gwyi#Jg=+TwfmIqVh8TRLivF^6i$5_r8y>q>grJpAFsFs(cKml#IkPL zw0@z|cx6ZLHlR$#nCMcQYk$Kg`NM1P{faa4ul!8Y^}b`4`=!L78KQ9Fex>%K=%3uJu<)Zpfa(XscyEDOST z-ZnQ(jeFVFk1N}=*VOkk@@zfP&2`gcJNypgM?-_{`)e4$Fa?o`?-EaanURX40D?*yT8;$twI?Q_m9 zf#-G!Pd&qPiwe(}5)Ue;m-L|Jq;99@OgOkL@9f*}da=8<1BlN{c57f_pHU$nJ00>& z{6&~3L3|}JekNgTWWqjCVLYnDNH6b2S0PubGonP-HH_G4mdayJshOup$NNw)ok3-xOmF&r>byipKEvrP8fzKe%E zd3Ed@A|F7N7s!|e$cYQ&;z0Tj3%VB%&7wQ3DB5iV5b%KVgcU7 z>_ia#@Itg_eDNr%$INGG^j35y%{(8O*thY$=c6w$`UlgWsM*K_9)$*wtdiLAe_e!J z(2SF;>FfnNmoTb1w1v~A%h25cZ9vBGK-MkWbIWXcbOV}A^Dajz z=q%1PU)s!N)V#-Cv?h2tN0H6Sawx}qnWL_#D^NKGojifPgkf%`S%WaA!*96-e9sMK z{9XBjgkR9lu0Tn0FFrcs9z}C@Z-Z&{KCVK}Q+CV1vg!J5a9&yJ{Q!EyHZVGS%8kxB zpHYF^9Zs*HD9ujuGDW%QZAY5rS3}3xg3AK136^`1>0%3uAd!g-Y2lsk>!Y` 
z4w^~Fu0%2NsIoOhnMQ$hZn{gE>2{skbU)MA&WEzR=MGfM?ErqifquOM`OR1uVfP95 zs}Lm6T(fM%MevyS?)h~0rH~qz?LYytgh*fe5NCAUoLoi@mm%jfiz0+MZ8Y4RwT?90 zoHiP6&UQ`{E_s>_i_!{m}@B? zkw-lNqKUSq&jrNM3E*WQ4RBDbR|tY4_wb2Nf} zeG|&Z@R_<3ijBWSQ1ecd5xZV(raRI76D9Xys9CPN6Fs1Q6rhD4-smz7n-$?EA(Ebb7aG7B zk@SbV(8ZX2--WjL7BYQ`7@QC}9(p%Q!Hj^%ODa&YEKVc!&TA3;h&g@zUetryc|-X6 zBH|hc^C;`FTP~+tccTc0>T1Cr)GEI?Fcm>JvN9c!6Kka%7EABcQ{Z(14X>3(?L}9+ zT?B3A!*Ksz2-KHx;BzEDX3w}EYvgn2iYfXcVGEyI9NRa(;Xd@qbad+!_)a}V-=@I# z+JmSSJzzIw>_ZN!{&W%HIpIiC6%nMzr!69U8p&TQ`@lT1@G*CZoN(DGp>A$|N2^c1RNjES!M8F94=R)SW!hKU!fs(M1f zV`#C{5ImrZhfo0B`WUQ=M(jWaBp^>Q*=7}xUL}z6`p1zkLRSeSPcv$wLehI$Bz!gX zke08e(8G2J4@wZ8VM6z*AnZ{>K$SFdKP-!i8juIQaX(ZJ_8fxUA&0vQVZP_qdX|ZM zLxph<$0!%)!4OCMGfVumj3JJ-BnhB&XP{kshCRaJNSB!QIA9$_ICIlo*^JF@#M~ z%E5i6(5W2U7e?{HeX*VYe2M>K#y`sW8L*-J)nI)UoaENP5j1s0G(Z`oCc0l`8#>w#MNJW%Y1I2@GulRX zy^qd8>x4e`oA9&O0AO`y{vGV-sPfq@H_)LYD4s8r?mdDw;;tB){sD{%OAH^tc_GaeAO`vpHcepM2iLRAETt`)4sqX=+qf5f!B1p$%+qTfJ3MNioKHR88Z0Ipv=zTXuaozzI^0#_VLOK0Mx4)@_8h|b{_%!z^HULH7h zmWS%6ENG+)PH>=I?Sj)CZe2C;)`|JJ%z+B;AGtAAaO+iY2NQ4wJ{NxTknNxR#Hi0w0j%c$$$B#=`PBQ98R9LP)B^LYPg%4x-;RXDW(0@eI z|1T!-kV^l%D*gHtd^Y~Kr2l6|{fkQfyIjAV+1HA1Qf7Y)GGy`NI`Z7{Rm`Mw$C?<( z?04b?vzf_fm;TDs$dd*H-aqZ_%VsN5VexX4@;6&mkHtB4<*6s>@o5Kxel{Nr?X!8t z)k3$$<3txc9k8!wf7|xb*9tVsB>AG*d@O7ftQRoyG^j65&Gqk09FA|DO~aSq5PZ8} zyIE*-Vj6dHUU>wqoy|s&yanILpG8YQ%_6m~2+I9(ty=m~8rg$+PIAvO9E#uK9YP}$ zunU51XGNP{Rkeu|f6a+qOI;YAFHS>^rqi)BoJh4v*cnfoqg?R6ssjI#XqetyGJcPePba*+Yc=;Uay8{0k|Kc?6yAtOk+&*V~O%`6|%p{ngUA=xc3Vb0(Dzv zh<}r$8-A*wi`})vjL%pFB|V?zb3o)97%pe9zn09Q`}1+o=r;JR9pmNf;s&oV8=cw3 z12$od?(EXXaP+WC0UX3K=CR94b~%GxUS_4o7uh8a3h~Cd>{8E?qFQ#ThANA(f?ZOX z!X&s@w`h9UZ>S9S>dpKgD7u@jF2JAGF>ISSuFb~S>Fn<{{K~*>=D;>{P@6cQ%^b{T z4rDV2v6%zd#FcO6iZ_AMaZ-pcN25!a_P1HXqd=%Jj9u#4rHWm6)7ifeB%02CBS|#f ziM5|Mo&9=%XgYiUSTvoTVKtV+%TdNkcDa~cHnGcWc$>#KmtF2-m-~H2;rcoI^GkNg zgyZzarR;JsyKG_?KRA1B3}Ba??D7|O31r7~gW08pUG(h2EzNe`jEmtAmobrD#@Xes z>=Mt8CM{+c-Vaf%GgvWhv(3~ 
z)p#-OEW;t1_gJ67Cej=lwH{~FSIh8x1n0{HO%>Q#tziyL(P2M&TLq3m@q#H%&Ey%zD&Hz4g>-u*j)t9Dt|Zri ze%3^K;_c}~FRH>3NGEvKIq-x};3=Y}Y8(Z7W?aXR1AW9K^k>!p{SHBYr2~EBB=m)~ zK)+ki-|axJorFHE4(R_T=$~_-kD7!&W;M`%Ea*RUppTwFKZkz38sgD!g8pX*`k2Y- z=h5j6I1)CfwpHUe6qk{ZwHTk?r$ZuH-@)H&1Rk}&XSsFrg?>dnCZxyv? z`~}Z1;NbbHvFy2Ma;6lND(I6G^euRTJ8=0Qw1E6_L0_VvXR#$= za`^%Dkyc?t{=}HrJqboW9-T}e+ikj0ibrN-@J)kbcfMelw7VA;`xdT($ zR7@v<2|LG89|-Ii$Eo_1ZZ%E>2`yWKBPE7eY6j2DNz~ldiL-E~#E|B|uw)X3E4pwh zu9g@o92k~P!f?-7(E8DCJO_76Tt)}3GbZ5zo2BE862pZK49h2BSZKm4@R-DKqnd$! zV47$uh@gISPA^Wuk4Rh(*|`o3;$Y7LwVK2Myn;sb;Yj?J#PGTU!yA(@^i>1Haf#vU zKfv%wKQL$(@IFT_^gy?W(j3v-lPGxJ4D>M)y;eg*0)vJy0a3p@0|rgA|dIJ5CRHh-&Y_B5rIz9NxHMAI|+eNK*a%#q83mh zE->mSZh(kU2Si03cV!qi98tz)gmD2C1r&KtRo&ZtZzlwtXMXSd;eGgU!@c(`|8wfp zsZ-1Cw@zyx|3&M((q+SqJDtzWMoY-K+3}hhW3Q>%Wb7p=b3&aOtrk)>=edBq$-047 zW3N$XZ8hpfp$H(0vWCz)^6#ukDgl#0fX>vZYce%A1AC`c*JSKBH5x5CLuZppn9gJ& z9r?lJ%0vF>=Kryr5OOekT|n>oQ2$<7G31$?zphv^4~%ba?-~H~;0i;hp?z?fv5DDd zZ8ceRjje`ms}Yo14Q-~*7I<#$(is{XyZXRxi?Ok<*JK^!hIjXx`VEbPy2h?fi>b-j zYp|N&e^b`Cx?Q=x)puxgMYaD;O{>?hT7T90)UhP zi;p^yPp1Zw*Z)0%oXEcnyEv0upGt_s&Y){zt5a*d`56rVO(==zYcL;!|0Xb_CbhZ@ zy-TjiolQQ<)hD~pV@+deGUjsCg3vWw1d_QNhJue$4ak5Ao*+aUlK5J`N zuW1=?W?epup#Ld0Plen3$j%bIOC)#=lb*_;n)_Is+FGn^{@i)c>#W8`D>qtnK%I54 z+o`b&2MNrxag0sjZ0hM58WoE{o1wo@o*jd6!kSH@UjF*0~Ov zk$B~WM%D8cZq*KHj2+#r28+qEo~*Y;k~jIbI55OhDbe2IjSN9dtN|nd2quUJM$M=y z^W1HLUe8-B7I(TT1;CdVU8-F|#;- zHMiK@0Do+D`Xs6q%DKo(_1JFuO)ArwL~i;OqnQ3^*<7@mTO0=#uTolk_RTyO<^~?P zF1srrT3vA4Oaw}X8AQV4OcuwD#NhlkD6J4K94Xfd4}GO)PmB1 z-0I@;RztC=s&&3ODaka@*4AcP+}S*}dVYIxaZi6+Wq*>%*s!3)oMp)?)~B^*XH`${ z%o?!v_p}U}QY$-_73LLmoAen)HSN~S(z=orS=P+-tdi*lv&r0_(b-UE&d;&b_2gwW z>dTBhnWl_}%*B?z+WL&7;=0=O)Y^g6=Bla1MYUa-MSUgHQkK?bnhg4)+#*v_T8_T9 zVp>OYduvr{eaS#>)7*iAk}{JyV_E&;>YDVt#rpdCn*7uvOG>VFsim}~rl4eT=irL` z+O)LF`lP8XmFZcn3-Yr}*1Y`1eTz*w>8;s4rUHHC(&?t^y4DtJ(tL|GrztJBYM|Ow zSJ=KF$6Pd6n9@*EZ5kZN?e!e-QEUkQCptvh%X@7rnXJbaCp{G8t zGP|>RV6ffXJZ)Y^Pj6DLrEGpx^@^tI_NsyO-kR2wt~Pyop|ROgKE0tbH@zh-CADhV 
z^vs^BdDWdAnZ?ER%QCFxZ58tt=XX>Tb{Usi%gPN4x=M_LgVWpFEBkAw_ScqW%}cLt zYpBjE>#fb7YOX5Cw$>Q>%hKBN3+K+Co0U=AQP#gWZ9$5qsdZjmMMak(rEo=2b+tLO zKM#tUDt%@1K>0vMMRk$coSUANzqG3~Evs*!xv)1sqj4~|sI{THCTHGYy|J;azB;w7 ze?f6h{j$2LxqYU#x#p6L6l2cZ3QKEQN&CExuDLnWI*h4lSw=%mO>OVo>}gFIOY>Xu zvg?ZK+m_a4H+T2-G<0+~^sTTg9n@QDmMtD!(Ai-sXe%qInBSV2JI|D3TH2LSSew$E zX{atJ%PXlWORF;GXImCjCCx80B&8NwJBrE|6gFf|&uVRGUSP;71>xOg>D`9K=IQgN zS@LpFiK=Y@3 zz%zeNdtO18j{g?!N>UlO{F)qJv@AsH0<@x}$3;!{vD1TOH78;>7jokJ6c;^6b0#ZW zV#i@d9%w!%L_4|AtTGf$=Uk3-IKhQJHxEUjOF3t};7kSLIL4{9agr)ajOMI>c!mwM znp5KDQ?k$yjees&PRI{Cxe)zzkmX!EDgM{AZwb6(6t~SRwI>1%gNcM8F;x1xivq?r1Q-MGq?^&QttP*KiR$epKzTP6kNr4<#O?SpK7o;aF+X6V>Nsj6C+(*+Yh)Hxx7 zkB^gJYNwGI?V5YI6Pf*k979l#?8MX&f;^OLtGd#0r^*i{q|$QUSm(XoBOT@~Y>6Z> zaT*!d975b$g75=eZ|J?UUdQ?8y?`)~JY@>PPjgCiFVn+<*L5a1YKzKIcPSmETP@pr z9!C-MW&oMlIU}vxFxcK@Xp(1+lJi6#I*;StvpMcChvoU6Y(VP_oh&%!e1dJ2{Cg~@ zh|c1S52~Db*I3S!^IV1qDt9+~P-WQL$kUDW3Zx+i`t>fCgR5NNf3|##fytidCilF6 z@FX`r^PB~w6BwzSfUz4(z!%D5(*>Af1(@k}Fr@-aA;?Wfc}gJJDj;`Q$0OV-fXo3P zMkSE!ivp4H7{I*HBVWBa3n;NB@pX0 zEVOXAhUcq1kQSn0DN)W>ff_|{p%jkul|O`Q<>|NWiKpEmmuXn^x#okgOfF0gzd+4c z;YYU`P_&mm)s|WGQz5kkYFwcVfQReJt^NLZ3CA0?ki!~fjf=g2<*;v;CgNUU+Cr|B zXPE*(v_NHEjmo?;+`Jc;|JxZP%QyeBPuAB7!wNynkjk){u?=G(g!N+J2;B)P<)TZk z7&&$cxZ6cb6oHOMR8Y66pw4AbZ(B9n))4XoMLWDL;1+|ZH&k%9T@2iG-uXgLDB-5t z8~FzT_d5Z%1ay3@f_qd2_i8d{)%A#7SJ>U@qvctu6nH(!ftzhv>gdJ5nt(yqj5QsJCNHd`a3b9#+U zY+>8bt}C)w`i#9gYj2;$YAX{tRor>0Y~$5BVOb^U98y|lx;V?CR!WxbR9dDOCw2+T zwsXs>K+7Xa%eE;kgY@i2wyg0Yhp+ObgJv|2-m)3Fc@@{rwOLhi+uA7g>v8IERl6UU((i|3Z#E)RY=tnlKi`9H69$@m~x_%Tvds0yxS$s=5UgOR; zU{*8WstuTWz@yrLxthGZ?P|Ktj9iFsULfA+PVzcR@!i}q_l?{D7y}x}yoVbU85PK2 za_G7c;H?Ja_XnbtWcc9;9DQVYV6dt^cp&)?Hjgx#ly$al+9wg z*4)(&n?P)fjV)~(tTSvA4?ZOsOPW0lUvwv-kIchwaG$2XDEl<(LaJFFTZ3$Hz>K<1bjc;m=q1v=(PG%xTmmlWg~4N7Cu{%YF+PB4a2cwr&dQnU4 z%kJD-PJaB;E9msDz4s;{--$rM7D%_Y?kqvzfz#yY`(p5E;kRblB`@Py9%NHzG0ykk zgW@c*?$1ML7V#a{N0>N~=q}Jlz5r`%TP`0H^8>w_etEzB=mSaio5j15HBuEbHraH% zi1{m$v~7!CaT3H2Ia^_soG)dmo3LFC_EhX~iCrAn6YcI|VawZ*ZKHM@ 
z8{u$(v;+YU`Z{6v8g}Ksk3153dV#P3ouNa0XRt#@vq1GTRC{7-+peVgQJyNc1 zk&H&aie})aJZR5lC>TG(V-Y{eOiFS61Hjwmp`3W^5c*WBj30RLRYrVB@V+N_uL9nK zoL3%Ic6hK+MJp}VJ<8wtNDGY;&?<_2k)M6Ral;W5MGB}6yL%E7jliCsysK!)k=MlX z+SQ=Nh26=c9QIU4T;f=S+^fg>OJ&?O%rEuQ4b8q{S42%NwK%BZoY za&~l1*l+h9TWlo{?jO(VN#|nFP9A$M0+$M)g*KooL2jNBXtok)%+0JPsSZ#`SyDH@ zx=7aty@`DHQCN7d5r!yZzc^4+Ee<8ct>P*x52`CUc(^pmD*FEtzi2v z>4`h99$SRB3V*HwyNybJW^;eaQE*Pggj8JI&hB_|p_Ph@4Ib3j1J<4gVTeh`e&JGy zVJ{`hTNBDz6#>0(*STF~2vbi|zB@#_3Ea!qlu7sQGQ5R>iP1_+%9}iQ9osz-;Z2@= zvVI*v+`u6oRrX<2Ouzjn3ZXk5MII#S(FyLh-t6$gYleMveU@A8`bQ86rO1zu?(+GN z0b!#7o9@6f$PVZ-n`9rdaC-pJZFh5c7KuONlE&S{x$Gmsu07ie5kBh4M%>txA0czE zH7oMB`Db`?)hKCvozM=&QAt9!5y}XtAy_p5=d7SE%7!vyS{j`9XoNM*CYFJ%&~0o6 zpO=HKOG07zG=~~N9H1%(t+k}*?(lJ~R%^FqMsl)k@LKnH{HTN1#gR`(Ze-Q_QM7wI za+!AVuGpZ!Nv<7Uj_O6J8v9f`6fvvbk0pnvy2V9#38&kOnavK>YF#g>c&0Iuk8Xx` z6FbwzrWE{8m!+`_4$823#Lj1QQwcfAYnMtSkN_G5BlPZSxq z&!0r?eb_$I+aEqb{_%FI>pe0@z%Jdh?;uSn*aDs51Ua?uGBl5wsFfD6O1+5Txk+|{ zTc4YOnjHvEJ$DTTI#%>;6@vA}iR120OiWGD>tIF;M|zrI+rW2!KQX>A8DHx~qF)L~ z_HlSGFHLzUxa|FA4fp%F1~LqXm=U9!ap zHCk6^5*+Qa8fWt>nR6gLUGBtFj7tq2-R;IHUA--GBag{x@A2Or2*jNX2d_gX@;v6& zWNbF{wU1VcJ|Zk=``bNev*@zP2j}1$!52>@_^knVsb`l@kVg;Rf;S24cLVPlZvv4^ z?)iHre#Dy`fr#}8J$;DphsnYIK4A5B^J+N7$f`oV3k?;K52^dG2xxhfJOeV3k1a|h>*5X_zP5JO6G!ajk4F!f4McZXXK&uJ!<}-D8u4ZTFYw`G zm@;v@n+^R2OJlF8+q(X|BiTM1E|UJq3)tjCPJgn*wTC$ZHmE<1Bv*Yp*UbdC=5QbK z{-;+k3YNS6YUA6r^2mb-4+-O6wLK>NpS`8M0~kf!Q1>Y1v<%<6u zT)OY;YPTG7+I7@VviIvga{OC&J2n2U7$=*zFUC{#*u}`XW$Bs#Jxb)lS0mYrzgK2*D?ZNi~WGJ*<$MAra}ISX^@$VmZm{s zmUP+qUW-}MDBNStl6ake?e{uN#*zEKk0KL(nN4=gj&wN;&~GMHzxa{v%yIH0ab7!EPoQFyH1SC9mUI}~#)b*nd9|TwZ7=hmv><4V@p91?^GP^u!xp5qu zw8%#~*2u5r*_Pxk$JrKn{$wV0@ukn^q9E+%E5gT@&jgQvmP>qtd>wCHy_X@SZgU^xx`k$u1I z(f%roY;Y#movXsm$V_^JJ01>`S4!|BmAK)7XTCyeI}Y4;g@7+guO zM#xk4+=TJ038K(=(E=03^A;!^Pq+G`M0m<4ZIaXI87&IHz~So-GdUn-Zu=52#EfSF zCA;lCU*$x5gxjj#2Dd%v1n#7ntr!H=J1y%-&$$%{k;#p`FRvh7kQu_T;eB2o4EoR z++OAhgHMSc0}=Z*fRM*2Xo}yT*gO4r8!DH-l!;ySdSqgkUXPX7S@xnQy--911y$0z 
zqDxM@!PH?d;x-B6Hu&*K`yPzC%}<#N*9nxWd_U|b^8M3-cemjE0eBxDo!6G>-v{48 zrvFedzAG4i1jfH{M!CPN^JD!*Zq6b8PEPQW;Z+XHX%sq9W|-FBW~h_dYOn@e2?w6d%A^C>#aw26{UT8fZ@#G|;pF7BeW7 zKA(vEoXm2{UjdXDcsGW_84JGv<`$PTfMy({v#qVZcVV}ziU7B?0Ys^5I<;E+>=D}` zw41n8e%|sIP}0nAd;J)+;GQ6QI0~wWEu;A;G+_Gr zR@ZXtdIQUtQf;zD^4AmGUtxHQqr>(K$orUHM~4CPmS}JoFfoUn1$=jLd~zH$28#iB2?fq{;(u{6#e8-al$HWC9x z?+pyJcbCjSo=egLl^s`fmmnr}L^TM^Y}h&nko*FbS;q!R?#ffOjU!-vI}ydpwMnA{ zYe0h4sDO37fOX9%urTmJFAk(_laLp?IdBt7al3?V;4R^RZ=sFJ^Lcd8t zmGXk>c_|j4*-VRA9@by<@^G0(;GvuKX#OaxN(ZS^D(XN_umz|ksDT^87L5HCGe;|r zHDr=v@^sfDA{_wsG6riyA$aK_Y_rR5z=ob6knM^c8 zDHW zCkzL%ej-n}pWyH0VoZWMq8PJJ1bu_WM9?poCrzJVksR`w9?xK9GSmhu2D9PKvr!z< zCc`tR!xS|Q%7W>OG$17hizJ;B%#$=qrYDM#AH6vXnQ^tyS01cP(i7<7Y*dDU@3CxD zB1@O%mL0*$A`fU*=AZ?PmM4$`26!?DEIURUtQ@gi1$<@YlZiJ4ixr2>0u7a{FJ!{j ztE|6OX+2$=hdQ;xBaDZkAS@tt{wrBGKIqHOmH%IBxR_jL)1)=1J%(5~Cyd_Y?W zZ+B@q2Wb9K3JWjrm$_u)Lga!IIb34x!cxfVCI4XDiUu(3gOwb$ja$R)|S!;Je`w8{y7Y zpa?Cy5mS}eO4Nc6aBJjcUG{QBIRYA(X{e08y#P&;&05FJlIL8myxHX`^gS#Es7}V+ z$EHTKgoWkG98B+r5 zm@#<)=vxB;b7Lq?sX-z5CZT4nq^6Fkxn2eGS{Wo`9zI)x79q5a``m2-qyDoB)U_Ox zymYrx@Y=H#TPui#aKNvJ(y|384!EEx^Pbbu)t(v3o2!inheXAZ# z!zV(OJ?m&F)n9?4>@;t01RAF>Mk9ZC!1zbRD=_lxbOnR(rOK%NV;aSm9oP|@53 zMjysoE-6g3`$8r!F-+O+@nOnTbi6RH}E6shWqo zTN8xY*)W>a1mAO>6R!D%>!<7bkSji=Qh!pV9vRU;aacHS8rMdqKA7(8vQNKHUReFZ z&CuH}52uwMLJQ3fXQ6>+(yiT4!AA`s7c`vS(IZ$1n9uL`GMKMVR-2>r{se%EFuaH&dvpRAu|nb9qHv!uF(QQodn-8ZIcHj$2@ zceSCQu)QEsp2(Rj7W+hQ9|MypptLdtPpP2nmZ2~+;3(0db~G!XMmn^~4t2>}<>FPa z>Xq#f)kl&ACZ^y6l?A&mXhCM!StWSoQouRk$zKF~Gn0Nw1^=WHKK-l{ZG=*3=Nf6w z=Gw+Mf@w5S1k;#!_!3wDK{#P}c?7-XAPQoWGZ4oPcR)ZfLA-;ywlm4o`2$;2MJS?* zCiI~1(G?0T9gL$+g(W>gIkv16BaJj`4PkexGiHG>(kafE$rDx>re|2tV|XZn9H0;|5{J8lZ){#X;=282x7->e0L;tLLKM_dW^jjBZA^6+Dlxlua${aR2E+h zrwpKQ7xV>_ASTC!%E@u@+=}w^ZoZcdI7m|-2d-N_{PZ7Ctds4hyy)?DC~)}P3gm=r z&xUCyBsal)h8)QEBX2+NHC%Tcaz!4Vk)r!eg5i=Gj(sDQ!=-m5 z{c1HVdBESG>(K@r8%ZC#9^KFG=l>Bs9GV8~P!rltVtccD_9IM*v}zMd)3AHqrWrS) 
zdYsQ?$4gGN(K_qkRF}Qu+jv+U;5tVERsHZBYGrYnS>8MHI&Z<4^5z1SHrQyiWSI{-ZzBO@H)<#Ai-uV+(cIf z+n@k03!@zPR!4;^Z$cFq6m#HrFyQ?*-~n!2s`;Gq*RnpRhLtdr+`9tm6*+zJCa2Kk z>)B_Nejd*&>?~UcL-WgAt=uQ}%U~}bDMqJZZ+Yu*&JQ@JMly3hg_M+GCz-Pm<>F%w zBs(^uAUg>!rGDikva@XZU8nF*DD17Q(v7_7tvevq$+{zH{%tTtveB?964G%RJ3c*y z4T}AeKQ}Xf?i<^mC+QM`+U>4{p0bLrtVb?%@p|O#F(=C26>i*sicua{D7!KnUh{Up zihAFG=Fo3eq5zdF-FUlojF@|t3#uJmP#hh%9>vimL&#lYV_<$pCY3v~qv+0!D9}#B z9F3N98o6e*p;I260Y)BdcQWV9ic<6vx{ad0du&!%yyJaz8QP-Kdsh@aaXVVCxl1tUfFd@U_%E+tKZsO<)@DpbK|^L0fgoL2r|e?%e^a zFYuRH>HCBu{Nb>j=yNCh^e8aK9^Ic*z-ZeI8xOAv55>LWpyKy0PaG1VbH3$V>Gg$| zC(h`^^2DzqI#2QFbbX8AJIVeZD_4!*3x%rHiO^`VIuRbtLpzvmeH99?w;6K)`@d~t z@_QYN8F@MPJ1$sWoRFZ7x;WADG|bXUqv_hGQ8+FaT8f31cbJv}u0@8J8_m0uIG{oo zJcC}q=4dfnJHV)0I5m9I(D4zPsQjuqOE9VzCO-QMY{CykQ~y2aQhc+}eS^^bHzw_m zD&5y9br1ir2f@!mJR~VU$jBey3x@hJQd0}K!{d}tSMzol!y(RR&CiMTE3H+-{ z|BFifa9Hb^eNbZCs)(#Zu<|s@!&rMKJ0^jBm&yK@3havLEQ*Y*OeA%ChVR^u zuwq*WHgZDfi!Y-4(0O0oMW_4~zD>%A8JSS{=X&QmBwKb!AmIsx_vC^Y9$0Z-J3##X zJ-H4XGRDS?^!ma*d1;L3$;$xQ9#{n0`hh$L{GMU7@CR~N=@v>=z4`VS(VOpx;k|jI zLc$MB0^twj2=0zicIgiOPVUkYX2&kgek@>m=xd-_S^>cQ-S$!G4WafGh1wsP+L!nP z8Tbn_aCUZYc=a172IH?pTezNNibptuNhN6<(qjv@4<@EYYLAT`V^ZyZwN%MNQi!AI$lyCdO?Nghxeea z`U)QLLVy*(_;{=`{d^TmLq0&282<8d=PZ->g$nfxW1{9uY26MHse!tsfzM|>Xw(FL=p(ciZA{)HF#wlJ^3;8oHcPY<1m^ZzY+vNaSp%bhxi0+ko{^m`)O|e+XJ?rRHne( zM8iLUd=3(LgE?U^y(^Ao>0#?9$Omcf1zFJC4bF7vQ59$HHV{&Kn$yM+If&QSb6#0;QsL-n#|Fb8E z@jrJ0AOGjrrO+Ml9Rs@DCPmIGq4Y>5j+M*$AlrMn4v^rFr~~XLHLMfFNsWG?vsa<> zof)9B%O+FKmF+Teo^01A<4SxREaAa%E>~A(>pB~UjIy1hlxqN!;J4KP{3DGgCWs>w zPYM{1+hMr6F`?USLS-0_sA1^wEc`bKhK6yxZR3z(JaQoz(xHYQL9)Cc9>e(XcBP4*WdcUU3UpUHi~CReUDdnPIi^iJFR80jY>B*#>_*w@0P-^j4{ z4Yoo5+DsgZk4oVaz;u0SlO=oNGuac|2F8Idq0d+0N%Xl=q;(BsTxTzaE6C2}7R0#x z<5|5e+w_^rrcZ4W8NMmTD`I$e%$#Te6#mt%^n<7x6N{2RtD!^yL8 z0m94UhnLR5`Oa>hP>q;R1=5#taolY7X{2FD(`9OEOlmeZt%qL~*$YQr3`1J@M!nP2 zlm@dJc;*8OCWavo{US^k9*yUGt`Hfx5;PAe=f?e)lmplDez%?FD zVw)4#&=a1_p*$1bn4%bV3GphJ6C9^o=HnE)rVNK@zXfv0 
zjo-!7=j-r9`c4_nLtgaALY#=*C(*4yhc%OEbO#Rb=DE#*es4K0LGgk<&VfFZo#Aqz z-%)|5p)5f^%Yi;@6nelDPFF6*ZggiQj)C1`j;zjsGkh#gGS1tX=G5Rw)F-%m9k?UL z;MUNgY8;K$3CFkHo^I42hON5Ih*GJC)Dq(6`ph8)Q!nGcRp}_EI1E2 za7K^GIj06Ve-@lSI&j8}!kN+qh2A^mSj(D6Lz8N8EcQ*HS#>x8dnc$PC-%bp;dQ`& zsl-3Yfj@2pzX|6_wAl`{6GqVTsOC}RPEResQFyV$y3m1j;wY>tGu`PI^*9<2O8or} z{PCmk%K_|8|9%CiCKBr{4y=>LWPN@ius$lWKIFifFed9`R|4x_CDs=mSQAHKbuf7I zA~5)f#D7@LPg53Smr*hZ_jLmPMdCW8=JK9AidM)Aeza)`#6Uozh@tVYj;PE&Ne)~M zcqYv?fN{wZ!(<1BDWfpx8i1ilV#s%3NFKpZj~gZ0C2Cr_u2F3{L-Ro+2){~VSf*z1 z){hWAlRnV|3{+xR@4&zdO^56`rv>}dbw(VIcS>B3IdDyNP{VTiqGmh;zb-Mn;=qtL z3InK_iNBB-{;6i5-?gYMXBx~M(0bEaaU4D;as8_1@}4$|8qO79!f~*89^DJ$QXpNm z6zgr{&Gb=tz!pFHqY1~Ose&g(#RES$ITGD|GtPq3zg$JJirjm~C@LOl!|A9+kTTFDaX*gL@H4EV_tPI z!%c8p0I!x9u5n=ac?82Ee2+wXrvvSo5wx@E+yM~&w8ZeF1H;)-7^W=+hJzBrI}Qxz z)C{bigXqk}-$?Yw?DU4^IN0YBG%7|7%YkdA#5G;brGaHwUP995Kj7B?1O2YXa{vGU diff --git a/versione-corrente/en/_images/cross_device_auth_seq_diagram.svg b/versione-corrente/en/_images/cross_device_auth_seq_diagram.svg index 1655856e4..dd1984a5d 100644 --- a/versione-corrente/en/_images/cross_device_auth_seq_diagram.svg +++ b/versione-corrente/en/_images/cross_device_auth_seq_diagram.svg 
@@ -1,2 +1,2 @@ -UserUserWallet InstanceWallet InstanceRelying PartyRelying Party1Request Protected ResourceAuthentication2Create Authorization Request3Create request_uri resource4QRCode OR HTTP Redirect (302) with the request_uriCross Device only5Scan QR Code6Extract Request URIfrom QR Code7GET Request Objectby Request URIwith Wallet Instance Attestationas DPoP token8Attest Wallet Instance Trust9Request Object10Attest Relying Party Trust11Verify Relying Party Metadata12Validate JWT Signature13Validate Requested VP(s)14Request for consent15Confirmed16POST Authorization Responsewith vp_token17Attest Credential Issuer Trust18Validate JWT Signature19Process the credential20Process Authorization ResponseProcess phase requires to:- validate integrity, authenticity, and holder binding of VP(s)- ensure all VP(s) are linked with Verifier- ensure all VP(s) are linked with current session nonce- ensure all VC(s) requested is present21OK \ No newline at end of file +User's DevicesUserUserWallet InstanceWallet Instanceuser-agentuser-agentRelying PartyRelying Party1Web Service navigation2Request Protected ResourceUser Authentication (Presentation Phase)3Create Authorization Request(statebound to user-agent cookie)4Create request_uri resource5QRCode OR HTTP Redirect (302) with the request_uri endpointCross Device only6Show the QRCode page7Open the Wallet Instance app, local authentication8Scan QR Code9Extract Request URIfrom QR Code10GET Request Objectby Request URIwith Wallet Instance Attestationas DPoP token11Attest that the Wallet Provideris part of the Federationand the Wallet Instance is not revoked,then evaluate the Wallet capabilities.12Request Object13Attest Relying Party Trust14Verify Relying Party Metadata15Validate JWT Signature16Validate Requested VP(s)17Request for consent18Confirmed19POST Authorization Responsewith vp_token20Evaluate the Verifiable Presentation token21Attest Credential Issuer Trustand Validate JWT Signature22Process the credentialProcess the 
credential:Check Holder Key Binding and Proof of Possession:- using the public key bound in\n the Credential to verify the VP token. Then Extract the disclosed attributes: \n Check if all the required data are available23Update the User session (cookie updated)24HTTP/1.1 200 OK{"redirect_uri": https url with response_code }Same Device only25Use the redirect_uriCross Device only26QRCode JS: Check authentication state (HTTP request with cookie)27Authentication state given with HTTP codes, untill expired or successful \ No newline at end of file diff --git a/versione-corrente/en/_images/verifier_qr_code.svg b/versione-corrente/en/_images/verifier_qr_code.svg index 091e211bc..4f83ce3ff 100644 --- a/versione-corrente/en/_images/verifier_qr_code.svg +++ b/versione-corrente/en/_images/verifier_qr_code.svg @@ -1,2 +1,45 @@ - - \ No newline at end of file + + + + + + diff --git a/versione-corrente/en/_sources/relying-party-solution.rst.txt b/versione-corrente/en/_sources/relying-party-solution.rst.txt index ecf23b9be..d010a4946 100644 --- a/versione-corrente/en/_sources/relying-party-solution.rst.txt +++ b/versione-corrente/en/_sources/relying-party-solution.rst.txt 
@@ -16,31 +16,33 @@ This section describes how a Relying Party may ask to a Wallet Instance the pres In this section the following flows are described: -- **Remote Same Device Flow**, where the Verifier and the Wallet Instance acts in the same device. -- **Remote Cross Device Flow**, where the Verifier and the Wallet Instance acts in different devices and the Verifier is a remote Relying Party. +- **Remote Same Device Flow**, where the user-agent and the Wallet Instance are used in the same device. +- **Remote Cross Device Flow**, where the user-agent and the Wallet Instance are used in different devices. -The flows are analyzed in this chapter, taking into account security and privacy considerations. - -.. note:: - Relying Party and Verifier are the same entity. +In the **Same Device** and **Cross Device** Authorization Flows described in this chapter, the User interacts with a remote Relying Party. Remote Protocol Flow -------------------- -In the **Same Device** and **Cross Device** Authorization Flows, the User interacts with a remote Relying Party. -This scenario requests the Verifier to provide the URL where the signed request object is available. -The Verifier MUST detect the device type of the requestor (Wallet Instance), if it is a mobile device or a workstationm and activate one the supported remote flows: +In this scenario the Relying Party provides the URL where the signed presentation request object is available for download. + +Depending on whether the Relying Party client is on a mobile device or a workstation, it must activate one of the supported remote flows: -* In the *Same Device** flow the Verifier MUST provide a HTTP redirect (302) location to the Wallet Instance; -* In the *Cross Device** flow the Verifier MUST provide a QR Code which the User frames with their Wallet Instance. 
+* **Same Device**, the Relying Party MUST provide a HTTP redirect (302) location to the Wallet Instance; +* **Cross Device**, the Relying Party MUST provide a QR Code which the User frames with their Wallet Instance. -Once the Relying Party authentication is performed by the Wallet Instance, the User gives the consent for the release of the personal data, in the form of a Verifiable Presentation. +Once the Wallet Instance establishes the trust with the Relying Party, the User gives the consent for the release of the personal data, in the form of a Verifiable Presentation. +Below a sequence diagrams that summarizes the interactions between all the involved parties. .. image:: ../../images/cross_device_auth_seq_diagram.svg :align: center - :target: //www.plantuml.com/plantuml/png/ZPDFQnin4CNl-XH3JWaqKDfRm2N13MrQYhUEarm2GLwDRJNhaJiQhUj--iwkkki_nf3RUlJJqvkPv-iebYKjAsEJ14hBAR8nAwtvqgyi2PmzHEGpi17IVlt9LXKAt95AK8ajijv7nbXjFCsXqEAc1Meq9i7b9_suWZ7-JXW52Ww2fQ3JIWo9IuK60xX9ia1IDIi-4C1WO6mflhQ2ZKwDdSwGKMij7zZ_RV5E_1ZZVF2Is0DtxsLgVGK_nyFW44PZ-3gP5AhYFAitEF_u_iC5hBqiG1Px8iRXhgt-UstCd4DQwRiXHlYCjIyH0bKRiywFmNrfIL-4vic-UFj7M4NwwJoCxvvfnc7PaqZEPBnfwyljf6T7qr-DsMUQRdRlQw5rVh0ok15HefsN8bPD5g402Qz89qQTRnm9JJZz7tNkOT_FmOHoextMNaYoKeyy8llPvW3vWMAT5RkbREMrWF3jQGBtVavM4kFHSUSA7JmMv_4Y0sdhTXOOoa0HIRRj9vEwheQ1PfwNw7ORIjjD5AFxoL4AuwfHrF7cyDIhbpVCTyZeckZR2kvYJCZzX3DuikSjK70eCSOshMKlTmoSC6me24AeaVVWrSB6d7xFgEBXIZkxXBfpuqbmpbusxy1sVz_yYnmiGkMGOUh9DTiCixo7HW0f9aRGMEKQM4QeFBsYQ-UMa-2HtmINYHb98AhbfYaALEBXpM5pa_j8U6sECIBjvdZqVNVLQsCEedoDvDAo-WS0 + :target: 
//www.plantuml.com/plantuml/uml/XLLTJoCt57tthxXA7neGK7Rx5ebgMKg1tRPCax2y8277labS77lgZmbfrV_UQtkOJ4YaIWXfx7EFpxaVDvzyu2x4bMOy1clYQeQECNOfWdKmUF3e1i0zHCPczhKSVE_XPsoKG3-0xtvLYsNuh2EocdYKK3Kt0GQFN6iCS6U8tWZC7EjTI2IgKxv04yeBdA6HGA_imiQeDyeieAB3JKOso5Y4qvyeP0IFE8C9kYG736_KWWTb3OkS08GSmHZ_YkW3LCu6504bdNWRdI2MYmj8Xk0oXYKQUZC7mx1owEcxV5LBxl48BYuO5q4rF61IqE3R0rSEwInpMAV-pa7TgqzcU7pi0m6EZybR98V1mjOw26jV5D7l4xf2yHoT0jTApgXY_8_nbPK8zsEudKuhUb0gH_vW-EFvnoDOgx24iDnbeVpMLfd09FQjiAsnDMCBPsDD6gn_ApDOepTjHkC89akxpjIjWfgCf7hGxNe4zpMQVFkk0u3NzGbeAxW6lfDkjeOIEX7S42aarkxm-ZKuajSbz65yzsJcpguw9BbY16-JTtCzxR3tipzHf1hCDlruEaZfsLDu6GBwKdI2SB9VsGg2VK733jU-3I6_FFHDKwyrIg9xCg0yf7O6Ey-0Nv2EynDqnuqyc2gACJQ0muRUbYU4JFa2RBYE9A4V8tZDPqgheD2VaR2s3Bifs2zuoMwdVsV6OEgY3nta6pertxo3_8Q1Inxu5iMraed-o-CK9cfXU8WEzwzRNIZXMpNqHmKGjthdre6m9atVDkLnsrvNrioLMw7iMuhRybVta-dUAFewCL9DorWqzNCfwk6QNlVINDmhFjC8EqkX4Emr0esk98pY6kwyZ-XACjjQ7qvIZuNwHg3t-MNHKJ7cZAKesw0Z6EtSkvlRwStu-lftTZXYnE1gYU85RgsM5FGLD_1P6Ka5p48eYlgH_YhhFOMJ8mevXUW9aRdgEDDAm0i5bgsbJ6d3liLWeIdTaLFLpiePOp2bVkr6DrrAvOMs7YNm49oQnO1-H1LfTQevK3zt2qiv0gR-0kuGUCELfXBaKS-fOBsSFTIoBLRPvQqV69RD2Z7VooFOJaVUc3zyEFi07y_FuVuhoVXduCe2pPjoC89b2BM7w7Jf6TSsqRD8A-_VVlUjtqzNsQ0JliAT1RfkDpV9B7BxBoPh_xTx6-os_fV9gCtSxYu57vAAOJBujlgBWVPtfYIXwBWy5BfG3PeIaacINty2aN1K87ojSssi0nz5whnvr5dx9_eNL_e_ + + +The details of each step is described in the previous picture are described in the table below. + .. list-table:: :widths: 50 50 
@@ -48,119 +50,101 @@ Once the Relying Party authentication is performed by the Wallet Instance, the U * - **Id** - **Description** - * - **1** + * - **1**, **2** - The User asks for access to a protected resource, the Relying Party redirects the User to a discovery page in which the User selects the *Login with the Wallet* button. The Authorization flow starts. - * - **2** - - The Relying Party creates an Authorization Request which contains the scopes of the request. - * - **3** - - In the **Same Device Flow** the Relying Party responses with the Request URI in the form of HTTP Location (302). In the **Cross Device Flow** the Request URI is provided in the form of a QR Code. - * - **4** - - Only in **Cross Device Flow**: The QR Code is shown to the User that frames it. - * - **5** and **6** - - Only in **Cross Device Flow**: The Wallet Instance decodes the QR Code and extracts the Request URI from the payload of the QR Code. - * - **7** + * - **3**, **4**, **5** + - The Relying Party creates an Authorization Request which contains the scopes of the request and send it back. + * - **6**, **7**, **8**, **9** + - In the **Cross Device Flow**: the Request URI is provided in the form of a QR Code that is shown to the User that frames it. The Wallet Instance decodes the QR Code and extracts the Request URI from the QR Code payload. In the **Same Device Flow** the Relying Party responses with the Request URI in the form of HTTP Redirect Location (302). + * - **10** - The Wallet Instance requests the content of the Authorization Request by invoking the Request URI, passing an Authorization DPoP HTTP Header containing the Wallet Instance Attestation and the DPoP proof HTTP Header. - * - **8** + * - **11** - The Relying Party attests the trust to the Wallet Instance using the Wallet Instance Attestation and verifies its capabilities. - * - **9** + * - **12** - The Relying Party issues a signed Request Object, returning it as response. 
- * - **10** - - The Wallet Instance attests the trust to the Relying Party by verifying the ``trust_chain``. - * - **11** - - The Wallet Instance verifies Request Object JWS. - * - **12** and **13** - - The Wallet Instance verifies the signature of the request and processes the Relying Party metadata to attests its capabilities and allowed scopes, attesting which Verifiable Credentials and personal attributes the Relying Party is granted to request. - * - **14** - - The Wallet Instance requests the User's consent for the release of the credentials. - * - **15** - - The User authorizes and consents the presentation of their credentials, by selecting/deselecting the personal data to release. - * - **16** - - The Wallet Instance provides the Authorization Response to the Relying Party. - * - **17** - - The Relying Party attests the Credential Issuer trust. - * - **18** - - The Relying Party verifies the signature of the Authorization Response JWS. + * - **13**, **14**, **15**, **16** + - The Wallet Instance verifies Request Object JWS. The Wallet Instance attests the trust to the Relying Party by verifying the ``trust_chain``. The Wallet Instance verifies the signature of the request and processes the Relying Party metadata to attests its capabilities and allowed scopes, attesting which Verifiable Credentials and personal attributes the Relying Party is granted to request. + * - **17**, **18** + - The Wallet Instance requests the User's consent for the release of the credentials. The User authorizes and consents the presentation of their credentials, by selecting/deselecting the personal data to release. * - **19** - - The Relying Party verifies the Authorization Response, performs checks for integrity, revocation and proof of possession of the presented credentials. - * - **20** + - The Wallet Instance provides the Authorization Response to the Relying Party using a HTTP method POST (response Mode "direct_post"). 
+ * - **20**, **21**, **22** + - The Relying Party verifies the Authorization Response, extract the Credential and attests the trust to the credentials Issuer. The Relying Party verifies the revocation status and the proof of possession of the presented credential. + * - **23** + - The Relying Party authenticates the User and update its session. + * - **24** - The Relying Party notifies the Wallet Instance that the operation ends successfully. Authorization Request Details ----------------------------- -In the **Cross Device Flow**, a QR Code is shown by the Relying Party to the User in order to issue the Authorization Request. +The Relying Party creates a signed request object, then gives it to the Wallet Instance through a HTTP URL (request URI) that points to the resource where the signed request object MUST be available for download. The URL parameters contained in the Relying Party response, containing the request URI, are described in the Table below. -The User frames the QR Code using the Wallet Instance, then grants the consent to release their attributes to the Relying Party. +.. list-table:: + :widths: 25 50 + :header-rows: 1 -The payload of the QR Code is a **Base64 encoded string** based on the following format: + * - **Name** + - **Description** + * - **client_id** + - Unique identifier of the Relying Party. + * - **request_uri** + - The HTTP URL used by the Wallet Instance to retrieve the signed request object from the Relying Party. The URL is intentionally extended with a random value that uniquely identifies the transaction. + +Below a non-normative example of the response containing the required parameters previously described. .. code-block:: javascript eudiw://authorize?client_id=`$client_id`&request_uri=`$request_uri` -The `request_uri` parameter MUST contain the endpoint where the signed presentation request object is available for download. 
The value corresponding to that endpoint MUST be randomized, according to `RFC 9101, -The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) `_ Section 5.2.1. +The value corresponding to the `request_uri` endpoint MUST be randomized, according to `RFC 9101, The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) `_ Section 5.2.1. -In the **Same Device Flow** the Relying Party uses a HTTP response redirect (status code 302) as represented in the following non-normative example: +In the **Same Device Flow** the Relying Party uses a HTTP response redirect (status code 302) as represented in the following non-normative example: .. code:: text HTTP/1.1 /pre-authz-endpoint Found Location: https://wallet-providers.eudi.wallet.gov.it? - client_id=https%3A%2F%2Fverifier.example.org%2Fcb - &request_uri=https%3A%2F%2Fverifier.example.org%2Frequest_uri%3Fid%3Drandom-value - -.. note:: - The Same Device flow proposed in this specification is under discussion and must be considered as experimental. - -Where: - -.. list-table:: - :widths: 25 50 - :header-rows: 1 - - * - **Name** - - **Description** - * - **client_id** - - Client unique identifier of the Relying Party. - * - **request_uri** - - The Relying Partyrequest URI used by the Wallet Instance to retrieve the Request Object, extended with a random value passed by URL parameter. + client_id=https%3A%2F%2Frelying-party.example.org%2Fcb + &request_uri=https%3A%2F%2Frelying-party.example.org%2Frequest_uri%3Fid%3Drandom-value -.. note:: - The *error correction level* chosen for the QR Code MUST be Q (Quartily - up to 25%), since it offers a good balance between error correction capability and data density/space. This level of quality and error correction allow the QR Code to remain readable even if it is damaged or partially obscured. +In the **Cross Device Flow**, a QR Code is shown by the Relying Party to the User in order to issue the Authorization Request. 
The User frames the QR Code using their Wallet Instance. The QR Code payload MUST be a **Base64 encoded string**. -Below is a non-normative example of a QR Code issued by the Relying Party: +Below is represented a non-normative example of a QR Code issued by the Relying Party. .. image:: ../../images/verifier_qr_code.svg :align: center -Below is a non-normative example of the QR Code raw payload: +Below is represented a non-normative example of the QR Code raw payload: .. code-block:: text ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaS8= -Below follows its Base64 decoded content: +The decoded content of the previous Base64 value is represented below: .. code-block:: text - eudiw://authorize?client_id=https://verifier.example.org&request_uri=https%3A%2F%2Fverifier.example.org%2Frequest_uri%3Fid%3Drandom-value + eudiw://authorize?client_id=https://relying-party.example.org&request_uri=https%3A%2F%2Frelying-party.example.org%2Frequest_uri%3Fid%3Drandom-value + +.. note:: + The *error correction level* chosen for the QR Code MUST be Q (Quartily - up to 25%), since it offers a good balance between error correction capability and data density/space. This level of quality and error correction allow the QR Code to remain readable even if it is damaged or partially obscured. Cross Device Flow Status Checks and Security -------------------------------------------- -When the flow is Cross Device, the user-agent needs to check the session status to the endpoint specialized for this scope and made available by Relying Party. This check MAY be implemented in the form of JavaScript code, within the page that shows the QRCode, then the user-agent checks the status with a polling strategy in seconds or a push strategy (eg: web socket). +When the flow is Cross Device, the user-agent needs to check the session status to the endpoint made available by Relying Party (status endpoint). 
This check MAY be implemented in the form of JavaScript code, within the page that shows the QRCode, then the user-agent checks the status with a polling strategy in seconds or a push strategy (eg: web socket). -Since the QRcode page and the specialized endpoint are implemented by the Relying Party, it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API. +Since the QRcode page and the status endpoint are implemented by the Relying Party, it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API. The Relyng Party MUST bind the request of the user-agent, with a Secured and Httponly session cookie, with the issued request (using the ``random-value`` parameter within the ``request_uri`` value). The HTTP response returned by this specialized endpoint MAY contain the HTTP status codes listed below: -* **201 Created**. The signed request object was issued by the Relying Party that waits to be downloaded by the Wallet Instance at the **request_uri** endpoint. +* **204 No Content**. The signed request object was issued by the Relying Party that waits to be downloaded by the Wallet Instance at the **request_uri** endpoint. * **202 Accepted**. This response is given when the signed request object was obtained by the Wallet Instance. * **302 Found**. The Wallet Instance has sent the presentation to the Relying Party's **redirect_uri** endpoint and the User authentication is successful. The Relying Party updates the session cookie allowing the user-agent to access to the protected resource. The ``Location`` within the HTTP Response allows the user-agent to leave the QRCode page. * **403 Forbidden**. The Wallet Instance or its User have rejected the request, or the request is expired. The QRCode page SHOULD be updated with an error message. 
@@ -171,9 +155,9 @@ Below a non-normative example of the HTTP Request to this specialized endpoint: .. code:: - GET /session-state?state=3be39b69-6ac1-41aa-921b-3e6c07ddcb03 + GET /session-state?id=3be39b69-6ac1-41aa-921b-3e6c07ddcb03 HTTP/1.1 - HOST: verifier.example.org + HOST: relying-party.example.org Request Object Details
@@ -191,7 +175,7 @@ Below a non-normative example of HTTP request made by the Wallet Instance to the .. code-block:: javascript GET /request_uri HTTP/1.1 - HOST: verifier.example.org + HOST: relying-party.example.org Authorization: DPoP $WalletInstanceAttestation DPoP: $WalletInstanceAttestationProofOfPossession
@@ -277,7 +261,7 @@ Therein a non-normative example of the DPoP decoded content:
 {
 "jti": "f47c96a1-f928-4768-aa30-ef32dc78aa69",
 "htm": "GET",
- "htu": "https://verifier.example.org/request_uri",
+ "htu": "https://relying-party.example.org/request_uri",
 "iat": 1562262616,
 "ath": "fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQEo"
 }
@@ -304,13 +288,13 @@ The Relying Party issues a signed request object, where a non-normative example
 {
 "scope": "eu.europa.ec.eudiw.pid.it.1 pid-sd-jwt:unique_id+given_name+family_name",
 "client_id_scheme": "entity_id",
- "client_id": "https://verifier.example.org",
+ "client_id": "https://relying-party.example.org",
 "response_mode": "direct_post.jwt",
 "response_type": "vp_token",
- "response_uri": "https://verifier.example.org/callback",
+ "response_uri": "https://relying-party.example.org/callback",
 "nonce": "2c128e4d-fc91-4cd3-86b8-18bdea0988cb",
 "state": "3be39b69-6ac1-41aa-921b-3e6c07ddcb03",
- "iss": "https://verifier.example.org",
+ "iss": "https://relying-party.example.org",
 "iat": 1672418465,
 "exp": 1672422065
 }
@@ -358,7 +342,7 @@ The JWS payload parameters are described herein:
 * - **state**
 - Unique identifier of the Authorization Request.
 * - **iss**
- - The entity that issued the JWT. It will be populated with the Verifier URI
+ - The entity that issued the JWT. It will be populated with the Relying Party URI
 * - **iat**
 - The NumericDate representing the time at which the JWT was issued
 * - **exp**
@@ -408,8 +392,8 @@ Here a non-normative example of ``presentation_definition``: - ``presentation_definition``: JSON object according to `Presentation Exchange `_. This parameter MUST not be present when ``presentation_definition_uri`` or ``scope`` are present. - ``presentation_definition_uri``: string containing an HTTPS URL pointing to a resource where a Presentation Definition JSON object can be retrieved. This parameter MUST be present when ``presentation_definition parameter`` or a ``scope`` value representing a Presentation Definition is not present. - - ``client_metadata``: A JSON object containing the Verifier metadata values. The ``client_metadata`` parameter MUST NOT be present when ``client_id_scheme`` is ``entity_id``. The ``client_metadata`` is taken from ``trust_chain``. - - ``client_metadata_uri``: string containing an HTTPS URL pointing to a resource where a JSON object with the Verifier metadata can be retrieved. The ``client_metadata_uri`` parameter MUST NOT be present when ``client_id_scheme`` is ``entity_id``. + - ``client_metadata``: A JSON object containing the Relying Party metadata values. The ``client_metadata`` parameter MUST NOT be present when ``client_id_scheme`` is ``entity_id``. The ``client_metadata`` is taken from ``trust_chain``. + - ``client_metadata_uri``: string containing an HTTPS URL pointing to a resource where a JSON object with the Relying Party metadata can be retrieved. The ``client_metadata_uri`` parameter MUST NOT be present when ``client_id_scheme`` is ``entity_id``. - ``redirect_uri``: the redirect URI to which the Wallet Instance MUST redirect the Authorization Response. This parameter MUST not be present when ``response_uri`` is present. 
@@ -420,14 +404,14 @@ After getting the User authorization and consent for the presentation of the cre .. note:: **Why the response is encrypted?** - The response sent from the Wallet Instance to the Relying Party is encrypted to prevent a malicious agent from gaining access to the plaintext information transmitted within the verifier's network. This is only possible if the network environment of the verifier employs `TLS termination `_. Such technique employs a termination proxy that acts as an intermediary between the client and the webserver and handles all TLS-related operations. In this manner, the proxy deciphers the transmission's content and either forwards it in plaintext or by negotiates an internal TLS session with the actual webserver's intended target. In the first scenario, any malicious actor within the network segment could intercept the transmitted data and obtain sensitive information, such as an unencrypted response, by sniffing the transmitted data. + The response sent from the Wallet Instance to the Relying Party is encrypted to prevent a malicious agent from gaining access to the plaintext information transmitted within the Relying Party's network. This is only possible if the network environment of the Relying Party employs `TLS termination `_. Such technique employs a termination proxy that acts as an intermediary between the client and the webserver and handles all TLS-related operations. In this manner, the proxy deciphers the transmission's content and either forwards it in plaintext or by negotiates an internal TLS session with the actual webserver's intended target. In the first scenario, any malicious actor within the network segment could intercept the transmitted data and obtain sensitive information, such as an unencrypted response, by sniffing the transmitted data. Below a non-normative example of the request: .. 
code-block:: http POST /callback HTTP/1.1 - HOST: verifier.example.org + HOST: relying-party.example.org Content-Type: application/x-www-form-urlencoded response=eyJhbGciOiJFUzI1NiIs...9t2LQ
@@ -466,7 +450,7 @@ Where the following parameters are used: * - **presentation_submission** - JSON Object contains mappings between the requested Verifiable Credentials and where to find them within the returned VP Token. * - **state** - - Unique identifier provided by the Verifier within the Authorization Request. + - Unique identifier provided by the Relying Party within the Authorization Request. Below is a non-normative example of the ``vp_token`` decoded content, represented in the form of JWS header and payload, separated by a period:
@@ -482,7 +466,7 @@ Below is a non-normative example of the ``vp_token`` decoded content, represente
 {
 "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
 "jti": "3978344f-8596-4c3a-a978-8fcaba3903c5",
- "aud": "https://verifier.example.org/callback",
+ "aud": "https://relying-party.example.org/callback",
 "iat": 1541493724,
 "exp": 1573029723,
 "nonce": "2c128e4d-fc91-4cd3-86b8-18bdea0988cb"
@@ -508,18 +492,18 @@ Where the following parameters are used: * - **aud** - Audience of the VP, corresponding to the ``redirect_uri`` within the Authorization request issued by the Relying Party. * - **nonce** - - Nonce provided by the Verifier within the Authorization Request. + - Nonce provided by the Relying Party within the Authorization Request. Relying Party Entity Configuration --------------------------------------------- -According to the `Trust Model`_ section, the Verifier is a Federation Entity and MUST expose a .well-known endpoint containing its Entity Configuration. +According to the `Trust Model`_ section, the Relying Party is a Federation Entity and MUST expose a .well-known endpoint containing its Entity Configuration. Below a non-normative example of the request made by the Wallet Instance to the *openid-federation* .well-known endpoint to obtain the Relying Party Entity Configuration: .. code-block:: http GET /.well-known/openid-federation HTTP/1.1 - HOST: verifier.example.org + HOST: relying-party.example.org Below is a non-normative response example:
@@ -566,14 +550,14 @@ Below is a non-normative response example: }, "contacts": [ - "ops@verifier.example.org" + "ops@relying-party.example.org" ], "request_uris": [ - "https://verifier.example.org/request_uri" + "https://relying-party.example.org/request_uri" ], "redirect_uris": [ - "https://verifier.example.org/callback" + "https://relying-party.example.org/callback" ], "default_acr_values": [
@@ -746,12 +730,12 @@ Below is a non-normative response example:
 ],
 },
 "federation_entity": {
- "organization_name": "OpenID Wallet Verifier example",
- "homepage_uri": "https://verifier.example.org/home",
- "policy_uri": "https://verifier.example.org/policy",
- "logo_uri": "https://verifier.example.org/static/logo.svg",
+ "organization_name": "OpenID Wallet Relying Party example",
+ "homepage_uri": "https://relying-party.example.org/home",
+ "policy_uri": "https://relying-party.example.org/policy",
+ "logo_uri": "https://relying-party.example.org/static/logo.svg",
 "contacts": [
- "tech@verifier.example.org"
+ "tech@relying-party.example.org"
 ]
 }
 },
diff --git a/versione-corrente/en/relying-party-solution.html b/versione-corrente/en/relying-party-solution.html
index 03e78a43e..1e6098cf5 100644
--- a/versione-corrente/en/relying-party-solution.html
+++ b/versione-corrente/en/relying-party-solution.html
@@ -1025,25 +1025,22 @@

{{ item.title }}

In this section the following flows are described:

    -
  • Remote Same Device Flow, where the Verifier and the Wallet Instance acts in the same device.

  • -
  • Remote Cross Device Flow, where the Verifier and the Wallet Instance acts in different devices and the Verifier is a remote Relying Party.

  • +
  • Remote Same Device Flow, where the user-agent and the Wallet Instance are used in the same device.

  • +
  • Remote Cross Device Flow, where the user-agent and the Wallet Instance are used in different devices.

-

The flows are analyzed in this chapter, taking into account security and privacy considerations.

-
-

Note

-

Relying Party and Verifier are the same entity.

-
+

In the Same Device and Cross Device Authorization Flows described in this chapter, the User interacts with a remote Relying Party.

Remote Protocol Flow¶

-

In the Same Device and Cross Device Authorization Flows, the User interacts with a remote Relying Party. -This scenario requests the Verifier to provide the URL where the signed request object is available.

-

The Verifier MUST detect the device type of the requestor (Wallet Instance), if it is a mobile device or a workstationm and activate one the supported remote flows:

+

In this scenario the Relying Party provides the URL where the signed presentation request object is available for download.

+

Depending on whether the Relying Party client is on a mobile device or a workstation, it must activate one of the supported remote flows:

    -
  • In the Same Device* flow the Verifier MUST provide a HTTP redirect (302) location to the Wallet Instance;

  • -
  • In the Cross Device* flow the Verifier MUST provide a QR Code which the User frames with their Wallet Instance.

  • +
  • Same Device, the Relying Party MUST provide a HTTP redirect (302) location to the Wallet Instance;

  • +
  • Cross Device, the Relying Party MUST provide a QR Code which the User frames with their Wallet Instance.

-

Once the Relying Party authentication is performed by the Wallet Instance, the User gives the consent for the release of the personal data, in the form of a Verifiable Presentation.

-_images/cross_device_auth_seq_diagram.svg +

Once the Wallet Instance establishes the trust with the Relying Party, the User gives the consent for the release of the personal data, in the form of a Verifiable Presentation.

+

Below a sequence diagrams that summarizes the interactions between all the involved parties.

+_images/cross_device_auth_seq_diagram.svg +

The details of each step is described in the previous picture are described in the table below.

@@ -1055,58 +1052,40 @@

Remote Protocol Flow

- + - - - - - - - - + + - - + + - + - + - + - - - - - - - - - - - - - - + + - - + + - - + + - - + + - - + + - + @@ -1114,26 +1093,7 @@

Remote Protocol Flow

Authorization Request Details¶

-

In the Cross Device Flow, a QR Code is shown by the Relying Party to the User in order to issue the Authorization Request.

-

The User frames the QR Code using the Wallet Instance, then grants the consent to release their attributes to the Relying Party.

-

The payload of the QR Code is a Base64 encoded string based on the following format:

-
eudiw://authorize?client_id=`$client_id`&request_uri=`$request_uri`
-
-
-

The request_uri parameter MUST contain the endpoint where the signed presentation request object is available for download. The value corresponding to that endpoint MUST be randomized, according to RFC 9101, -The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) Section 5.2.1.

-

In the Same Device Flow the Relying Party uses a HTTP response redirect (status code 302) as represented in the following non-normative example:

-
HTTP/1.1 /pre-authz-endpoint Found
-Location: https://wallet-providers.eudi.wallet.gov.it?
-client_id=https%3A%2F%2Fverifier.example.org%2Fcb
-&request_uri=https%3A%2F%2Fverifier.example.org%2Frequest_uri%3Fid%3Drandom-value
-
-
-
-

Note

-

The Same Device flow proposed in this specification is under discussion and must be considered as experimental.

-
-

Where:

+

The Relying Party creates a signed request object, then gives it to the Wallet Instance through a HTTP URL (request URI) that points to the resource where the signed request object MUST be available for download. The URL parameters contained in the Relying Party response, containing the request URI, are described in the Table below.

1

1, 2

The User asks for access to a protected resource, the Relying Party redirects the User to a discovery page in which the User selects the Login with the Wallet button. The Authorization flow starts.

2

The Relying Party creates an Authorization Request which contains the scopes of the request.

3

In the Same Device Flow the Relying Party responses with the Request URI in the form of HTTP Location (302). In the Cross Device Flow the Request URI is provided in the form of a QR Code.

4

Only in Cross Device Flow: The QR Code is shown to the User that frames it.

3, 4, 5

The Relying Party creates an Authorization Request which contains the scopes of the request and send it back.

5 and 6

Only in Cross Device Flow: The Wallet Instance decodes the QR Code and extracts the Request URI from the payload of the QR Code.

6, 7, 8, 9

In the Cross Device Flow: the Request URI is provided in the form of a QR Code that is shown to the User that frames it. The Wallet Instance decodes the QR Code and extracts the Request URI from the QR Code payload. In the Same Device Flow the Relying Party responses with the Request URI in the form of HTTP Redirect Location (302).

7

10

The Wallet Instance requests the content of the Authorization Request by invoking the Request URI, passing an Authorization DPoP HTTP Header containing the Wallet Instance Attestation and the DPoP proof HTTP Header.

8

11

The Relying Party attests the trust to the Wallet Instance using the Wallet Instance Attestation and verifies its capabilities.

9

12

The Relying Party issues a signed Request Object, returning it as response.

10

The Wallet Instance attests the trust to the Relying Party by verifying the trust_chain.

11

The Wallet Instance verifies Request Object JWS.

12 and 13

The Wallet Instance verifies the signature of the request and processes the Relying Party metadata to attests its capabilities and allowed scopes, attesting which Verifiable Credentials and personal attributes the Relying Party is granted to request.

14

The Wallet Instance requests the User's consent for the release of the credentials.

15

The User authorizes and consents the presentation of their credentials, by selecting/deselecting the personal data to release.

13, 14, 15, 16

The Wallet Instance verifies Request Object JWS. The Wallet Instance attests the trust to the Relying Party by verifying the trust_chain. The Wallet Instance verifies the signature of the request and processes the Relying Party metadata to attests its capabilities and allowed scopes, attesting which Verifiable Credentials and personal attributes the Relying Party is granted to request.

16

The Wallet Instance provides the Authorization Response to the Relying Party.

17, 18

The Wallet Instance requests the User's consent for the release of the credentials. The User authorizes and consents the presentation of their credentials, by selecting/deselecting the personal data to release.

17

The Relying Party attests the Credential Issuer trust.

19

The Wallet Instance provides the Authorization Response to the Relying Party using a HTTP method POST (response Mode "direct_post").

18

The Relying Party verifies the signature of the Authorization Response JWS.

20, 21, 22

The Relying Party verifies the Authorization Response, extract the Credential and attests the trust to the credentials Issuer. The Relying Party verifies the revocation status and the proof of possession of the presented credential.

19

The Relying Party verifies the Authorization Response, performs checks for integrity, revocation and proof of possession of the presented credentials.

23

The Relying Party authenticates the User and update its session.

20

24

The Relying Party notifies the Wallet Instance that the operation ends successfully.

@@ -1146,43 +1106,56 @@

Authorization Request Details

- + - +

client_id

Client unique identifier of the Relying Party.

Unique identifier of the Relying Party.

request_uri

The Relying Partyrequest URI used by the Wallet Instance to retrieve the Request Object, extended with a random value passed by URL parameter.

The HTTP URL used by the Wallet Instance to retrieve the signed request object from the Relying Party. The URL is intentionally extended with a random value that uniquely identifies the transaction.

-
-

Note

-

The error correction level chosen for the QR Code MUST be Q (Quartily - up to 25%), since it offers a good balance between error correction capability and data density/space. This level of quality and error correction allow the QR Code to remain readable even if it is damaged or partially obscured.

+

Below a non-normative example of the response containing the required parameters previously described.

+
eudiw://authorize?client_id=`$client_id`&request_uri=`$request_uri`
+
-

Below is a non-normative example of a QR Code issued by the Relying Party:

-_images/verifier_qr_code.svg

Below is a non-normative example of the QR Code raw payload:

+

The value corresponding to the request_uri endpoint MUST be randomized, according to RFC 9101, The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) Section 5.2.1.

+

In the Same Device Flow the Relying Party uses a HTTP response redirect (status code 302) as represented in the following non-normative example:

+
HTTP/1.1 /pre-authz-endpoint Found
+Location: https://wallet-providers.eudi.wallet.gov.it?
+client_id=https%3A%2F%2Frelying-party.example.org%2Fcb
+&request_uri=https%3A%2F%2Frelying-party.example.org%2Frequest_uri%3Fid%3Drandom-value
+
+
+

In the Cross Device Flow, a QR Code is shown by the Relying Party to the User in order to issue the Authorization Request. The User frames the QR Code using their Wallet Instance. The QR Code payload MUST be a Base64 encoded string.

+

Below is represented a non-normative example of a QR Code issued by the Relying Party.

+_images/verifier_qr_code.svg

Below is represented a non-normative example of the QR Code raw payload:

ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaS8=
 
-

Below follows its Base64 decoded content:

-
eudiw://authorize?client_id=https://verifier.example.org&request_uri=https%3A%2F%2Fverifier.example.org%2Frequest_uri%3Fid%3Drandom-value
+

The decoded content of the previous Base64 value is represented below:

+
eudiw://authorize?client_id=https://relying-party.example.org&request_uri=https%3A%2F%2Frelying-party.example.org%2Frequest_uri%3Fid%3Drandom-value
 
+
+

Note

+

The error correction level chosen for the QR Code MUST be Q (Quartily - up to 25%), since it offers a good balance between error correction capability and data density/space. This level of quality and error correction allow the QR Code to remain readable even if it is damaged or partially obscured.

+

Cross Device Flow Status Checks and Security¶

-

When the flow is Cross Device, the user-agent needs to check the session status to the endpoint specialized for this scope and made available by Relying Party. This check MAY be implemented in the form of JavaScript code, within the page that shows the QRCode, then the user-agent checks the status with a polling strategy in seconds or a push strategy (eg: web socket).

-

Since the QRcode page and the specialized endpoint are implemented by the Relying Party, it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API.

+

When the flow is Cross Device, the user-agent needs to check the session status to the endpoint made available by Relying Party (status endpoint). This check MAY be implemented in the form of JavaScript code, within the page that shows the QRCode, then the user-agent checks the status with a polling strategy in seconds or a push strategy (eg: web socket).

+

Since the QRcode page and the status endpoint are implemented by the Relying Party, it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API.

The Relyng Party MUST bind the request of the user-agent, with a Secured and Httponly session cookie, with the issued request (using the random-value parameter within the request_uri value). The HTTP response returned by this specialized endpoint MAY contain the HTTP status codes listed below:

    -
  • 201 Created. The signed request object was issued by the Relying Party that waits to be downloaded by the Wallet Instance at the request_uri endpoint.

  • +
  • 204 No Content. The signed request object was issued by the Relying Party that waits to be downloaded by the Wallet Instance at the request_uri endpoint.

  • 202 Accepted. This response is given when the signed request object was obtained by the Wallet Instance.

  • 302 Found. The Wallet Instance has sent the presentation to the Relying Party's redirect_uri endpoint and the User authentication is successful. The Relying Party updates the session cookie allowing the user-agent to access to the protected resource. The Location within the HTTP Response allows the user-agent to leave the QRCode page.

  • 403 Forbidden. The Wallet Instance or its User have rejected the request, or the request is expired. The QRCode page SHOULD be updated with an error message.

The request to the endpoint MUST carry within its HTTP headers the session cookie, to be then updated on occurrence following the status of the authentication if this is successful.

Below a non-normative example of the HTTP Request to this specialized endpoint:

-
GET /session-state?state=3be39b69-6ac1-41aa-921b-3e6c07ddcb03
+
GET /session-state?id=3be39b69-6ac1-41aa-921b-3e6c07ddcb03
 HTTP/1.1
-HOST: verifier.example.org
+HOST: relying-party.example.org
 
@@ -1198,7 +1171,7 @@

Request Object Details

Below a non-normative example of HTTP request made by the Wallet Instance to the Relying Party to provide the Wallet Instance Attestion and retrieve the signed request object:

GET /request_uri HTTP/1.1
-HOST: verifier.example.org
+HOST: relying-party.example.org
 Authorization: DPoP $WalletInstanceAttestation
 DPoP: $WalletInstanceAttestationProofOfPossession
 
@@ -1293,7 +1266,7 @@

DPoP HTTP HeaderRequest URI response

Unique identifier of the Authorization Request.

iss

-

The entity that issued the JWT. It will be populated with the Verifier URI

+

The entity that issued the JWT. It will be populated with the Relying Party URI

iat

The NumericDate representing the time at which the JWT was issued

@@ -1441,8 +1414,8 @@

Request URI response
  • presentation_definition: JSON object according to Presentation Exchange. This parameter MUST not be present when presentation_definition_uri or scope are present.

  • presentation_definition_uri: string containing an HTTPS URL pointing to a resource where a Presentation Definition JSON object can be retrieved. This parameter MUST be present when presentation_definition parameter or a scope value representing a Presentation Definition is not present.

  • -
  • client_metadata: A JSON object containing the Verifier metadata values. The client_metadata parameter MUST NOT be present when client_id_scheme is entity_id. The client_metadata is taken from trust_chain.

  • -
  • client_metadata_uri: string containing an HTTPS URL pointing to a resource where a JSON object with the Verifier metadata can be retrieved. The client_metadata_uri parameter MUST NOT be present when client_id_scheme is entity_id.

  • +
  • client_metadata: A JSON object containing the Relying Party metadata values. The client_metadata parameter MUST NOT be present when client_id_scheme is entity_id. The client_metadata is taken from trust_chain.

  • +
  • client_metadata_uri: string containing an HTTPS URL pointing to a resource where a JSON object with the Relying Party metadata can be retrieved. The client_metadata_uri parameter MUST NOT be present when client_id_scheme is entity_id.

  • redirect_uri: the redirect URI to which the Wallet Instance MUST redirect the Authorization Response. This parameter MUST not be present when response_uri is present.

  • @@ -1453,11 +1426,11 @@

    Authorization Response Details

    Note

    Why the response is encrypted?

    -

    The response sent from the Wallet Instance to the Relying Party is encrypted to prevent a malicious agent from gaining access to the plaintext information transmitted within the verifier's network. This is only possible if the network environment of the verifier employs TLS termination. Such technique employs a termination proxy that acts as an intermediary between the client and the webserver and handles all TLS-related operations. In this manner, the proxy deciphers the transmission's content and either forwards it in plaintext or by negotiates an internal TLS session with the actual webserver's intended target. In the first scenario, any malicious actor within the network segment could intercept the transmitted data and obtain sensitive information, such as an unencrypted response, by sniffing the transmitted data.

    +

    The response sent from the Wallet Instance to the Relying Party is encrypted to prevent a malicious agent from gaining access to the plaintext information transmitted within the Relying Party's network. This is only possible if the network environment of the Relying Party employs TLS termination. Such technique employs a termination proxy that acts as an intermediary between the client and the webserver and handles all TLS-related operations. In this manner, the proxy deciphers the transmission's content and either forwards it in plaintext or by negotiates an internal TLS session with the actual webserver's intended target. In the first scenario, any malicious actor within the network segment could intercept the transmitted data and obtain sensitive information, such as an unencrypted response, by sniffing the transmitted data.

    Below a non-normative example of the request:

    POST /callback HTTP/1.1
    -HOST: verifier.example.org
    +HOST: relying-party.example.org
     Content-Type: application/x-www-form-urlencoded
     
     response=eyJhbGciOiJFUzI1NiIs...9t2LQ
    @@ -1500,7 +1473,7 @@ 

    Authorization Response Details

    state

    -

    Unique identifier provided by the Verifier within the Authorization Request.

    +

    Unique identifier provided by the Relying Party within the Authorization Request.

    @@ -1514,7 +1487,7 @@

    Authorization Response Detailsredirect_uri within the Authorization request issued by the Relying Party.

    nonce

    -

    Nonce provided by the Verifier within the Authorization Request.

    +

    Nonce provided by the Relying Party within the Authorization Request.

    Relying Party Entity Configuration¶

    -

    According to the Trust Model section, the Verifier is a Federation Entity and MUST expose a .well-known endpoint containing its Entity Configuration.

    +

    According to the Trust Model section, the Relying Party is a Federation Entity and MUST expose a .well-known endpoint containing its Entity Configuration.

    Below a non-normative example of the request made by the Wallet Instance to the openid-federation .well-known endpoint to obtain the Relying Party Entity Configuration:

    GET /.well-known/openid-federation HTTP/1.1
    -HOST: verifier.example.org
    +HOST: relying-party.example.org
     

    Below is a non-normative response example:

    @@ -1604,14 +1577,14 @@

    Relying Party Entity Configuration6yN1NqHe3NgolH5G9;9-4p_@J+A_dO$HQmD4Mty+e%pGtwRMwW3y~Nb zD|DPH$`Gf48I6R^ZwM-mp%am8&If|q*aHwjNl=JUFh)G*yRJ#Cf0_7C&-wj&@9%u) zckcbZyT5(p{`Qg06Vg*}v03e9zDiBC)8mz^osrN@l`e^8YN61v&p zEOoh^4vp7YUEzs@5}@%XH6J1UN^^f-ME+5IG4lkD-hG%hSBJA8Jb zAG&2&+T+l$8gC>t+FR}Ocq3t-ZC&P5k?D93Prm!wh(O=6fGNb5A;mW9ZPL(jZBBC88g6^ISbNe zq$P$$d+{u_8P8I?@hr6+&r?olYyI$@mF0YA@mz!w-pbM0_o z-tE!=bj{1gyQQ2H(jaWiOM`1U#qdpz8ftVU@Q_Xo*L8Ie$Ww2#O@J1?5k}>!;kNl} zpe|PpGi%jwaQ??wf^OWETMW-GP{ZUr8+i3y{_d> zIEeWbyk_Ep3h*P>_~}&WTyVd5(%I&b2?^pcV6RX{qi1hXM&o7&D5DXx4$5e(>`TgM zlx%=98Xvnv8I6oxqm0JHMvuZD8VyrXM&n?ql+g&-%u#CmCEuBzNb;I3!ORyL<(2K8 z2)>i7j~_PNEy41-6iD84D<5Z?L_h_`wrRY0p@D#wcNOF-Z1;w{`258y6|lme#k-a) zm*De&i5Huf{C&yZ4BmHNp#eshi5zKZxrgVC+og7aqd(5NPkx z^7W74dI$^#X7j{HaZL#L+Erc&&K1fy{9N!Cnc=79O1nQ6O^^_%;EvTp(g6Q$^^TD+ zZMVG5W`i5M)A=(tbi>f379%$c=-gSe*d5VOfXO2@C}?d9Mqr zi_6fFRb}YN!hK5Dw^fuvQgb@rRe|zJ%_*Y6t8OeofEu({VhIA&;1^X`f&evW_h1PE z)ZkSwmLRZp)pTC<1eW;ac^Mz$GVs?c4SrCICH(cuJd@UA34gtoZ>&RkWO?@nx00;z z2PF9O1rtx&h>~&+noZpBA_~(DB;2+g*P8XIj4xLjG`wtv_T!4|*c~X_eq50)YCzfc z<67Ri6J?1d$Mw6=4g%zO=c{OkvD?IpUPF0t3Cj1rj`Hhtm0_7VKhHn~obemYUV3;^EfSN^)aA8beIr02)I{@_Rm!D8{^x@_Wi< z+(|UhbjS>iRf;jH4^gtQO2v(B_*P&dR)6X+uD-EqHeYmvR_-a_r#`|})8Dk}(hgiT z0rLF(Cn$ZrS;o!D1^!k=R&xwx{jG{In?A$U`dhX9>T#4MmP{$>L}>zK%GEBE|MQ@U zZ|X*Aamn6{cfPbqb~^nmW5qsak;EovNfbMrWrWz?@ITtyFwn+^fp#?vw54I7{R{(b zW*BHELlxS_5YZNfVF*6?Y9a3Mr?quP^G?Snx6BJc~qDWBG2#OLxQ6VS_1ciQ3$OnabP>2VG zc2GzM*$|(3s#C%v_WHLbJYsWu@}zT6+mkPyhj)8&q|YT$PaUOoYi8lykFE zAv{EgF%uC1MDU^v@A515SZHZ87{m1AcVClrL5+JQGce)lgC8 utQTJpqDx_#=tj6DtQdfk16hkF;l~7ifGNHIXQjeH?U=8q{cm9NV9Q@zBdPBI delta 3199 zcmcImYfzMB6y^&RAyYvcXTIh`5qveR46(dL5atD45D@RxOqoAQs?pAQKi!#a`_)W8*mItTcc1gV&-wPe z-@&H9gH3_;BO{Hnc7V|5())k_+m~F)-U5U-; zcJ()z4aQQpYpB&~Qksyr7)tc=mj>&!`qd?c%3`C{W+}$C15H+IiPo&gbnv6?SPe>M z$C}}GsLToH{U-(nI&MA|5U^0~iG98Mrkil+v(K+?|?6MbK(50~}Uetc( z4fcZ4&z~h1|G~o18Kb3}Tpc}Cg2-70I38<& zJF^T@C#a+Kuw$kHV)0KEZGilk)37v751VHhVO6Xi4#hnwU5D1VnbJ*=;?Kj<1O?oS 
z&xUr4_JmyMm!g2agfeg>E2?xOp&?NP_mCPsI|s$rB~O5;QUx5I{WTQNR=}>LY`74w zfYHf1uq7&B+wKW)JXr<5VqU**1k6cM!KOJ1c&T9o9LBsHmBQx~z#mBpc=yzJXqoej zc+lB~z<>bp6tK4`qt3IBDWh()LzGd6*>TFKtL%HqsFSRlGU^`ti8AUKyGI#yiS_S? zAJiEZMj3U3jirn_z@qvo@RMw3iA0jsYyoB^u6{O)-s*nU9m#I;qp1@mD6b5Kp?ik$ zf$C8N!a&tHiD%DEB@n|~(^6!%ZS5F7d;Ss`EH01ctqU?GxW7%!v(pzmT(WmE?|eE# zf@>LZaL1T{4HyLtnsoRjQNZx0d2w2sE|E@HNYDF9doVGkEZF+z$f2YK2XL zx%=W^=xd4C{3IyPN{1o!5&XxjkrF1M@Z`!~={o;?WpyA-+HI-Q>EOZc2)$y8tXPe1gdDNJ@Pa(} z`A7ucRe;jd8WZ?kGfGcul%@5BC{2K*&lI6F0g~2RQJMfr-?gE%SccL?FK0;j=r-Ct zP?IKi@QYFuuSt_TIAjeLs7Z_A>&j3ZS>CqREGLW09TJ46tND<1C`eyuL%}WU^9I3} zb_+iJqrkBx9Wu*g*`KzcY-X7(n_7XgnPoA&z7l1TWxsQ%dFopzOJ5+_ z#_edqWKA5Xc76bTng||LjdFdOP|@G48k8eI{cWj5Ndna0#9e3u0qSqdJ7@y|>TlM2 zC{JM3ib&q^KFU{WE%+N{Fm81yAG&9{go(UcdmYLXpa$Ol5akJw%g=v=@&w4`+aIGm z0dm>?3CfRKoydRNi_&}YJ`8aR0EH=N(6Bu>`%paRQ}7c3N;KnV`B>mQ|ic z+3H$(x9h*b-B#De@Vm_@O)Qy{+k(;rNcwIoN{@U`&DXb~v{1US!!zj&E8W5z3}g-lG6w^hgMrM!K;~c|b1;xO7|0w9WDbU2*xa7+JT<{7 zdf*f-a0+XjqJ~qHaEb~}QNStmokHFz)SW`yDYTtJ+R1u()WsIsbKfPkbPbX`$x=6z zdQzlY@Tn(W>Vls=^Kkae?08eU3dcH9r5=zvHPQ`O)HzSO3{{=eq$_Z&Q#F8g>KY3b zIpHwjvP$X&{pEGbXvZu+EFfT`n^`c(7i6JKScwq#q)jI5M2JhWR3^%Z5O?KTnQ#!% z35i|fUlf<*CYjz$w74r>GO?8iab;G>1P~!^PPa^KCqi7HJ7l7U2yuO z*#D=a%e&Pn;`SE@6nhh9h;xXYi8lvvPI`HkZ+3AgVe2hu?~a~72455K%}Rcc_|Hli QJuw3=(0R|ohMtDM0d?V*BLDyZ