feat: implementation and security consideration for securing sessions in the cross device flow
peppelinux committed Aug 2, 2023
1 parent a8af165 commit f6e75a9
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions docs/en/relying-party-solution.rst
Expand Up @@ -140,13 +140,27 @@ Below is a non-normative example of the QR Code raw payload:

.. code-block:: text
ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaS8kdW5pcXVlLXNlc3Npb24taWRlbnRpZmllcg==
ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaS8=
Below follows its Base64 decoded content:

.. code-block:: text
eudiw://authorize?client_id=https://verifier.example.org&request_uri=https://verifier.example.org/request_uri/$unique-session-identifier
eudiw://authorize?client_id=https://verifier.example.org&request_uri=https://verifier.example.org/request_uri
Cross Device Security Considerations
------------------------------------

When the flow is Cross Device, the user-agent needs to check the session status to an endpoint made available by Relying Party and specialized for this scope. This check MAY be implemented in the page that shows the QRCode, then the user-agent checks the status with a polling strategy in seconds or with a push strategy (eg: web socket).

Since the QRcode page and the specialized endpoint are implemented by the Relying Party, it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API.

The Relyng Party MUST bind the request of the user-agent, with a Secured and Httponly session cookie, with the issued request (using the ``state`` parameter). The status returned by this specialized endpoint MAY return the HTTP status codes listed below:

* **201 Created**. The signed request object was issued by the Relying Party that waits to be downloaded by the Wallet Instance at the **request_uri** endpoint.
* **202 Accepted**. This response is given when the signed request object was obtained by the Wallet Instance.
* **302 Found**. The Wallet Instance has sent the presentation to the Relying Party's **redirect_uri** endpoint and the User authentication is successful. The Relying Party updates the session cookie allowing the user-agent to access to the protected resource. The ``Location`` within the HTTP Response allows the user-agent to leave the QRCode page.
* **403 Forbidden**. The Wallet Instance or its User have rejected the request, or the request is expired. The QRCode page SHOULD be updated with an error message.


Request Object Details
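Review bot: the **302 Found** entry in the new status-code list does not work with the polling strategy the same section recommends. When the QR Code page polls the status endpoint from script (fetch or XMLHttpRequest), the browser follows the redirect transparently and page script never sees the 302 or its ``Location`` header, so it cannot "leave the QRCode page" as described. Either return a non-redirect status (for example **200 OK**) with a body carrying the session state and the target URL, or state explicitly that 302 applies only when the user-agent navigates to the endpoint directly. Related: the endpoint is keyed on the session cookie plus ``state``, so the text should also say what is returned when no session matches (an error, without revealing whether a given ``state`` exists), and the **403 Forbidden** bullet conflates User rejection with expiry, which a client may want to render differently. Smaller fixes in the added prose: the cookie attributes are ``Secure`` and ``HttpOnly`` (not "Secured and Httponly"), "Relyng Party" and "responsability" are misspelled, "QRcode"/"QRCode" is used inconsistently, and "eg:" should read "e.g." The run-on in "it is under its responsability the implementation details of this solution, since it is related to the Relying Party's internal API" would read better as "the implementation details are the Relying Party's responsibility, as they belong to its internal API".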